GPO Abuse - From Windows
Quick Reference

| Technique | Tool | Requirement | Effect |
|---|---|---|---|
| Immediate Scheduled Task | SharpGPOAbuse | Write on GPO | Code exec as SYSTEM on all linked machines |
| Restricted Groups | SharpGPOAbuse | Write on GPO | Add attacker to local Admins |
| User Rights Assignment | SharpGPOAbuse | Write on GPO | Grant SeDebugPrivilege / SeImpersonatePrivilege |
| Manual XML task | PowerShell / SYSVOL write | Write on GPO or SYSVOL | Arbitrary command as SYSTEM |
| New GPO + Link | PowerView / RSAT | CreateGPO right + link permission | Full control over target OU |
| GPO Delegation read | PowerView / BloodHound | Any domain user | Map attack surface |

GPO Fundamentals

Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on gpupdate /force. ...
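
Every abuse row in the Quick Reference requires write access to a GPO, so the matching defensive check is to review who holds that access and where the affected GPOs are linked. The script below is an added example, not part of the original page; it uses Microsoft's GroupPolicy (RSAT) cmdlets, and the function name Get-GpoEditDelegation and the $ExpectedEditors baseline are assumptions to adapt to your domain.

```powershell
# Added example: audit which trustees can edit each GPO and where that GPO is linked.
# Requires the GroupPolicy module (RSAT) and read access to the domain's GPOs.
Import-Module GroupPolicy

function Get-GpoEditDelegation {
    param(
        # Assumption: trustees expected to hold edit rights; adjust to your domain's baseline.
        [string[]]$ExpectedEditors = @(
            'Domain Admins', 'Enterprise Admins', 'SYSTEM',
            'ENTERPRISE DOMAIN CONTROLLERS', 'CREATOR OWNER'
        )
    )
    # Permission levels that allow changing settings. GpoCustom is a non-standard ACL
    # that may or may not include write, so it is reported for manual review.
    $writeLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

    foreach ($gpo in Get-GPO -All) {
        # The XML report lists every OU, site or domain the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })

        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            $level = $perm.Permission.ToString()
            if ($level -notin $writeLevels) { continue }
            if ($perm.Trustee.Name -in $ExpectedEditors) { continue }

            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                GpoId      = $gpo.Id
                Trustee    = '{0}\{1}' -f $perm.Trustee.Domain, $perm.Trustee.Name
                Sid        = $perm.Trustee.Sid.Value
                Permission = $level
                Linked     = $links.Count -gt 0
                LinkedTo   = $links -join '; '
            }
        }
    }
}

# Linked GPOs first: an unexpected editor there can change policy on live machines.
Get-GpoEditDelegation |
    Sort-Object -Property @{ Expression = 'Linked'; Descending = $true }, Gpo |
    Format-Table -AutoSize
```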