Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 04. Techniques / GPO / Techniques

Registry and Preferences

Registry policy and preference items let a GPO write configuration onto scoped systems. The same mechanism that deploys legitimate settings can also create autoruns, weaken controls, point software at attacker infrastructure, or leave secrets in XML.

Inspect registry policy files

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include Registry.pol,Registry.xml |
  Select-Object FullName,LastWriteTime

Search registry preference XML

Get-ChildItem "\\ootw.local\SYSVOL\ootw.local\Policies" -Recurse -Include Registry.xml |
  Select-String -Pattern "Run","RunOnce","password","secret","token","cpassword"

Set a registry value with native cmdlets

Set-GPRegistryValue -Name "Misconfigured Policy" `
  -Key "HKLM\Software\OOTW" `
  -ValueName "Marker" `
  -Type String `
  -Value "GPO applied"

Deploy a Run key for lab validation

Set-GPRegistryValue -Name "Misconfigured Policy" `
  -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" `
  -ValueName "OOTWUpdater" `
  -Type String `
  -Value "cmd.exe /c whoami > C:\Windows\Temp\gpo-run.txt"

Check target registry

reg query HKLM\Software\OOTW
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Remove registry value

Remove-GPRegistryValue -Name "Misconfigured Policy" -Key "HKLM\Software\OOTW" -ValueName "Marker"
Remove-GPRegistryValue -Name "Misconfigured Policy" -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "OOTWUpdater"

Notes

Registry.pol is not plain text. Use GPMC, Get-GPRegistryValue, or dedicated parsers when reviewing it.

Preferences XML can be plain enough to review directly, and legacy preference items may contain cpassword.