Visit official github page
Certified Red Team Professional (CRTP) - Notes

5.1.3 - GPO Abuse

Group Policy Object

GPO Abuse

There're multiple attacks that can be abused Group Policy Object such as:

  • EvilGPOs (Immediate Schedule Task)

  • Add Local Admin

  • Modify Group Policy

  • Grant Rights (Generic All)

  • Grant Ownership

A GPO with overly permissive ACL can be abused for multiple attacks (attacks flagged are present into course):

In this case we're focusing on: Add Local Admin and Modify Group Policy.

GPOddity

GPOddity combines NTLM relaying and modification of Group Policy Container.

By relaying credentials of a user who has WriteDACL on GPO, we can modify the path (gPCFileSysPath) of the Group Policy Template (default is SYSVOL).

Using this, we can load malicious template from a location controller by attacker.

Lab

Refers to Learning Object 6 lab

Previous5.1.2 - RelayingNext5.1.4 - Unquoted Service Path

Last updated