https://az0th.it/tags/group-policy/ Recent content in Group-Policy on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/windows/gpo-abuse/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/windows/gpo-abuse/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Technique</th> <th>Tool</th> <th>Requirement</th> <th>Effect</th> </tr> </thead> <tbody> <tr> <td>Immediate Scheduled Task</td> <td>SharpGPOAbuse</td> <td>Write on GPO</td> <td>Code exec as SYSTEM on all linked machines</td> </tr> <tr> <td>Restricted Groups</td> <td>SharpGPOAbuse</td> <td>Write on GPO</td> <td>Add attacker to local Admins</td> </tr> <tr> <td>User Rights Assignment</td> <td>SharpGPOAbuse</td> <td>Write on GPO</td> <td>Grant SeDebugPrivilege / SeImpersonatePrivilege</td> </tr> <tr> <td>Manual XML task</td> <td>PowerShell / SYSVOL write</td> <td>Write on GPO or SYSVOL</td> <td>Arbitrary command as SYSTEM</td> </tr> <tr> <td>New GPO + Link</td> <td>PowerView / RSAT</td> <td>CreateGPO right + link permission</td> <td>Full control over target OU</td> </tr> <tr> <td>GPO Delegation read</td> <td>PowerView / BloodHound</td> <td>Any domain user</td> <td>Map attack surface</td> </tr> </tbody> </table> <hr> <h2 id="gpo-fundamentals">GPO Fundamentals</h2> <p>Group Policy Objects (GPOs) are containers of policy settings applied to users and computers. They are linked to Organizational Units (OUs), Sites, or the Domain. When a machine or user logs in, the domain controller delivers applicable GPOs via SYSVOL (a shared folder replicated to all DCs). The machine then applies them every 90 minutes by default (± 30-minute random offset), or immediately on <code>gpupdate /force</code>.</p>