A Red Teamer’s Guide to GPOs and OUs

Intro

active Directory is a huge, complicate landscape comprised of users, computers, and groups, and the complex, intertwining permissions and privileges that connect them. The initial let go of of BloodHound focused on the concept of derivative instrument local admin, then BloodHound 1.3 introduced ACL-based attack paths. immediately, with the release of BloodHound 1.5, pentesters and red-teamers can well find assail paths that include abusing restraint of Group Policy, and the objects that those Group Policies effectively apply to .
In this blog station, I ’ ll recapitulation how GPO ( Group Policy Object ) enforcement works, how to use BloodHound to find GPO-control based approach paths, and explain a few ways to execute those attacks .

Prior Work

Lucas Bouillot and Emmanuel Gras included GPO control and OU structure in their germinal work, “ Chemins de contrôle en environnement Active Directory ”. They used an attack graph to map which principals could take control of GPOs, and which OUs those GPOs applied to, then chased that down to the objects affected by those GPOs. We learned a lot from Lucas and Emannuel ’ s white paper ( in French ), and I ’ d highly recommend you read it deoxyadenosine monophosphate well .
There are respective important authors and resources we leaned on when figuring out how GPO works, in no especial rate : the Microsoft Group Policy team ’ mho posts on TechNet, Sean Metcalf ’ second solve at adsecurity.org, 14-time Microsoft MVP “ GPO Guy ” Darren Mar-Elia, Microsoft ’ s Group Policy functional stipulation, and last but surely not least, Will Schroeder ’ s germinal web log post on Abusing GPO Permissions. special extra thanks to Darren Mar-Elia for answering a draw of my questions about Group Policy. Thanks, Darren ! other resources and references are linked at the bottomland of this web log post .

The Moving Parts of Group Policy

There ’ s no two ways about it : GPO enforcement is a complicate animal with a lot of moving parts. With that said, let ’ s start at the very basics with the vocabulary used in the rest of the post, and build up to explaining how those moving parts interact with one another :
GPO: A Group Policy Object. When an Active Directory knowledge domain is first created, two GPOs are created as well : “ Default Domain Policy ” and “ Default Domain Controllers ”. GPOs control sets of policies that affect computers and users. For model, you can use a united states government printing office policy to control the Windows background setting on computers. GPOs are visible in the Group Policy Management GUI here :

Above: The list of GPOs in our test domain.
technically, “ Default Domain Controllers Policy ” is the display name of the GPO, while the name of the GPO is a GPO curly braced “ GUID ”. I put “ GUID ” in citation marks because this identifier is not actually globally alone. The “ Default Domain Controllers Policy ” in every Active Directory world will have the same “ mention ” ( read : curly braced GUID ) : { 6AC1786C-016F-11D2-945F-00C04fB984F9 }. For this reason, GPOs have an extra parameter called objectguid, which actually is globally unique. The policy files for any given GPO occupy in the domain SYSVOL at the policy ’ randomness gpcfilesyspath ( ex-husband : \\contoso.local\sysvol\contoso.local\Policies\ { 6AC1786C-016F-11D2-945F-00C04fB984F9 } ) .

Above: The relevant properties of the “Default Domain Controllers Policy” GPO, and that GPO’s policy files location in the SYSVOL.
OU: An Organizational Unit. According to Microsoft ’ south TechNet, OUs are “ general-purpose container [ sulfur ] that can be used to group most early object classes together for administrative purposes ”. Basically, OUs are containers that you place principals ( users, groups, and computers ) into. Organizations will normally use OUs to organize principals based on department and/or geographic placement. additionally, OUs can of course by nested within other OUs. This normally results in a relatively complex OU tree structure within a world, which can be difficult to navigate without foremost being very familiar with the tree. You can see OUs in the ADUC ( Active Directory Users and Computers ) GUI. In the downstairs screenshot, “ ContosoUsers ” is a child OU of the CONTOSO.LOCAL domain, “ Helpdesk ” is a child OU within the “ ContosoUsers ” OU, and “ Alice Admin ” is a child drug user of the “ Helpdesk ” OU :

Above: The Alice Admin user within the OU tree.
GpLink: A G roup P olicy L ink. GPOs can be “ linked ” to domains, sites, and OUs. By default option, a GPO that is linked to an OU will apply to the child objects of that OU. For model, the “ Default Domain Policy ” GPO is linked, by nonpayment, to the domain object, while the “ Default Domain Controllers Policy ” is linked, by nonpayment, to the Domain Controllers OU. In the under screenshot, you can see that if we expand the “ contoso.local ” sphere and the “ Domain Controllers ” OU, the GPOs linked to those objects appear below them :

Above: The “Default Domain Policy” is linked to the domain “contoso.local”. The “Default Domain Controllers” policy is linked to the “Domain Controllers” OU.
GpLinks are stored on the objects the GPO is linked to, on the attribute called “ gplink ”. The format of the “ gplink ” attribute value is [ ;<0 if the link is not enforced, 1 if the link is enforced>]. You can easily enumerate those links with PowerView as in the example below:

Above: The “Default Domain Controllers Policy” GPO is linked to the “Domain Controllers” OU, and is not enforced.
Those three pieces — GPOs, OUs, and GpLinks — comprise the major moving parts we ’ ra working with. It ’ south authoritative to know those three pieces well before understanding GPO enforcement logic and how to use BloodHound to find attack paths, so construct sure you feel convinced with those before continuing on. One last note : united states government printing office can besides be linked to sites, but at this time we ’ rhenium not including that due to complications web site memberships and collection challenges .

GPO Enforcement Logic

now that you know the basic move parts, let ’ s look more closely at how they connect. GPO enforcement logic, identical concisely, works like this :

  • GpLinks can be enforced, or not .
  • OUs can stop inheritance, or not .
  • If a GpLink is enforced, the associated GPO will apply to the linked OU and all child objects, careless of whether any OU in that tree blocks inheritance .
  • If a GpLink isnot enforced, the associated GPO will apply to the linked OU and all child objects ,unless any OU within that tree blocks inheritance .

There are further complications on top of this, which we ’ ll get down to by and by on. First though, let ’ s visualize the above rules regarding GpLink enforcement and OUs blocking inheritance. Recall earlier I had a user called Alice Admin within a HelpDesk OU. alternatively of looking at that in ADUC, though, let ’ s beginning to think about this as a graph :

Above: Alice Admin within the domain/OU tree.
The domain object, Contoso.Local, is a container object. It contains the OU called ContosoUsers. The OU ContosoUsers contains the OU HelpDesk. ultimately, the OU HelpDesk contains the exploiter Alice Admin .
now, let ’ s add our Default Domain Policy GPO into the mix. recall from earlier that in my test domain, that GPO is linked to the world aim :

Above: The “Default Domain Policy” GPO is linked to the domain object.
now, in nonpayment circumstances, you can merely read from left to right to figure out that the Default Domain Policy will apply to the drug user Alice Admin. The “ default context ” here is that the GpLink relationship is not enforced, and that none of the containers in this way block inheritance. Let ’ s add that information to the above graph :

In this circumstance, it doesn ’ thyroxine topic that the GpLink edge is not enforced, as none of the OUs block inheritance. In our test domain, we have another OU under ContosoUsers called “ Accounting ”, with one drug user in that OU : Bob User. For case ’ second sake, we ’ ll say that the Accounting OU does block inheritance. Let ’ s add that to our existing graph :

again, we can see that the Default Domain Policy GPO is linked to the domain object, and Bob User is contained within the OU tree under the domain object ; however, because the OU “ Accounting ” blocks inheritance, and because the GpLink edge is not enforced, the Default Domain Policy will not apply to Bob User .
still with me ? You ’ d be forgiven for being slenderly confused at this compass point, but don ’ deoxythymidine monophosphate worry, it gets worse !
Let ’ s add another GPO to the mix and link it to the sphere object as well, except this time we will enforce the GpLink :

Our new GPO called “ Custom Password Policy ” is linked to the domain object, which again contains the entire OU tree under it. now, because the GPLink is enforced, this policy will apply to all child objects in the OU corner, regardless of whether any of those OUs block inheritance. This means that the “ Custom Password Policy ” GPO will apply to both “ Alice Admin ” and “ Bob User ”, despite the “ Accounting ” OU blocking inheritance .
In our experience, this data is going to cover 95 % + of situations you ’ ll move into in real enterprise networks ; however, there are three more things to know about, which may impact you when abusing GPO control paths during your pentests and bolshevik team assessments : WMI trickle, security percolate, and Group Policy liaison order and precedence .

  • WMI trickle allows administrators to far specify which computers and users a GPO will apply to, based on whether a certain WMI question returns True or False. For exercise, when a computer is processing group policy, it may run a WMI question that checks if the operate system is Windows 7, and only apply the group policy if that question returns true. See Darren Mar-Elia ’ s excellent web log post for further details .
  • security filter allows administrators to further restrict which principals a GPO will apply to. Administrators can limit the GPO to apply to specific computers, users, or the members of a specific security group. By default, every GPO applies to the “ Authenticated Users ” principal, which includes any star that successfully authenticates to the knowledge domain. For more details, see this post on the TechGenix site .
  • Group Policy link order dictates which Group Policy “ wins ” in the event of conflicting, non-merging policies. Imagine you have two “ Password Policy ” GPOs : one that requires users to change their password every 30 days, and one that requires users to change their password every 60 days. Whichever policy is higher in the precession arrange is the policy that will “ win ”. The group policy customer enforces this “ gain ” condition by processing policies inreverse order of precedence, so thehighest precession policy is processedlast, and “ wins ”. fortunately, you don ’ t need to worry about this for about every mistreat archaic. For more information, check out this web log post .

Like I said above, our have has been that in real enterprise networks, you won ’ t need to worry about WMI trickle, security trickle, or GpLink order in 95 % or more of the situations you run into, but I mention them sol you know where to start troubleshooting if your abuse actions aren ’ thymine working. We may try to roll those three items into the BloodHound interface in the future. In the meanwhile, make sure your prey calculator and user objects won ’ t be filtered out by WMI or security filters, or undertake to push an evil group policy that will be overruled by a higher precession policy .

Analysis with BloodHound

first, make sure you are running at least BloodHound 1.5.1. Second, do your standard SharpHound collection like you always have, but this time either do the “ All ” or “ Containers ” and “ ACL ” solicitation methods, which will collect GPO ACLs and OU structure for you :

 C : \ > SharpHound.exe -c All

then, import the resulting acls.csv, container_gplinks.csv, and container_structure.csv through the BloodHound interface like convention. now you ’ re fix to start analyzing outbound and inbound GPO control against objects .
For exemplar, let ’ s take a expect at our “ Alice Admin ” user. If we search for this drug user, then click on the drug user node, you ’ ll see some new information in the user tab key, including “ Effective Inbound GPOs ” :

Above: Two GPOs apply to Alice Admin .
The Cypher question that generates this number does the GpLink enforcement and OU blocking inheritance logic for you, so you don ’ t need to worry about working that out yourself. Simply click on the act “ 2 ”, in this case, to visualize the GPOs that apply to “ Alice Admin ” :

Above: How the two GPOs apply to Alice Admin .
Notice the edge connecting “ Default Domain Policy ” to the “ Contoso.Local ” domain is dotted. This means that this GPO is not enforced ; however, all of the “ Contains ” edges are solid, meaning that none of those containers block inheritance. recall from earlier that unenforced GpLinks will merely be affected by OUs that blockage inheritance, therefore in this lawsuit, the Default Domain Policy still applies to Alice Admin .
besides note that the edge connecting “ Customer Password Policy ” to the “ Contoso.Local ” knowledge domain is solid. This means that this GPO is enforced, and will therefore apply to all children objects regardless of whether any subsequent containers block inheritance .
We can besides see the flip english of this — what objects does any given GPO efficaciously apply to ? First, let ’ s check out the Custom Password Policy GPO :

Above: The Custom Password Policy GPO applies to 3 computers and 5 users.
Reminder: GPOs can only apply to users and computers, not security groups.
By clicking on the numbers, you can render the objects affected by this GPO, and how the GPO applies to those objects. If we click the “ 5 ” future to “ User Objects ”, we get this graph :

Above: How the Customer Password Policy GPO applies to user objects.
There are two important things to point out hera : again, the edge connecting the “ Custom Password Policy ” GPO to the “ Contoso.Local ” domain object is upstanding, meaning this GPO is enforced. Second, notice the border connecting the “ Accounting ” OU to the “ Bob User ” user is dotted, indicating the “ Accounting ” OU blocks inheritance. But, because the “ Custom Password Policy ” GPO is enforced, the OU blocking inheritance doesn’t matter, and will be applied to the “ Bob User ” user anyhow .
Compare the above graph to the graph we get if we do the lapp for the “ Default Domain Policy ” :

Above: The users affected by the “Default Domain Policy” GPO.
Notice how the “ Bob User ” user is no longer there ? That ’ sulfur because the “ Default Domain Policy ” GPO is not enforced. Because the “ Accounting ” OU blocks inheritance, that GPO will not apply to the “ Bob User ” user .
Alright, let ’ s put it all together and see if we can find an attack way from “ Bob User ” to “ Alice Admin ”. In the BloodHound search bar, click the path finding icon, then select your source node and target node. Hit insert, and BloodHound will find and render an attack path, if one exists :

Above: The attack path from “Bob User” to “Alice Admin”.
Reading this graph from left to right, we can see that “ Bob User ” is in a group called “ Accounting ”, which is part of a group called “ Group Policy Admins ” ( believe me when I say crazier things have happened in the wild, and remember this is a artificial exemplar : ). The “ Group Policy Admins ” group has, as you would imagine, full control of the “ Custom Password Policy ” GPO. That GPO is then linked to the “ Contoso.Local ” knowledge domain. From here we have a pair options – push an evil policy down to the “ Administrator ” user and take over “ Alice Admin ” with an ACL based attack or precisely push an evil policy down immediately to the “ Alice Admin ” user .

Abusing GPO Control

finally, the most important part of this entire topic : how to actually take over computers and users with restraint over the GPOs that affect those users. For a bit of background and inhalation, read Will ’ s excellent blog post on abusing GPO rights, which contains information about the beginning proof-of-concept GPO abuse cmdlet that I ’ thousand mindful of, New-GPOImmediateTask .
When people say “ you can do anything with GPO ”, they very mean it : you can do anything with GPO. Will and I put together this tilt of abuses against computers, including the policy placement and abuse, just to give you a few ideas :

  • policy location : Computer Configuration\Preferences\Control Panel Settings\Folder Options
  • maltreatment : Create/alter charge type associations, register DDE actions with those associations .
  • policy location : Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups
  • misuse : Add new local admin bill .
  • policy placement : Computer Configuration\Preferences\Control Panel Settings\Scheduled Tasks
  • abuse : Deploy a newfangled evil scheduled tax ( i : PowerShell download birthplace ) .
  • policy location : Computer Configuration\Preferences\Control Panel Settings\Services
  • pervert : Create and configure newfangled evil services .
  • policy location : Computer Configuration\Preferences\Windows Settings\Files
  • maltreatment : involve computers will download a charge from the domain accountant .
  • policy location : Computer Configuration\Preferences\Windows Settings\INI Files
  • misuse : Update existing INI files .
  • policy localization : Computer Configuration\Preferences\Windows Settings\Registry
  • abuse : Update specific register keys. very utilitarian for disabling security mechanisms, or triggering code performance in any act of ways .
  • policy placement : Computer Configuration\Preferences\Windows Settings\Shortcuts
  • abuse : Deploy a newfangled evil shortcut .
  • policy placement : Computer Configuration\Policies\Software Settings\Software installation
  • abuse : Deploy an evil MSI. The MSI must be available to the GP customer via a network share .
  • policy location : Computer Configuration\Policies\Windows Settings\Scripts ( startup/shutdown )
  • maltreatment : configure and deploy evil inauguration scripts. Can run scripts out of GPO directory, can besides run PowerShell commands with arguments
  • policy location : Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
  • misuse : Modify local audited account settings. Useful for evading detection .
  • policy location : Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
  • mistreat : Grant a user the right to logon via RDP, grant a exploiter SeDebugPrivilege, grant a user the correct to load device drivers, grant a exploiter seTakeOwnershipPrivilege. Basically, take over the distant computer without ever being an administrator on it .
  • policy location : Computer Configuration\Policies\Windows Settings\Security Settings\Registry
  • abuse : Alter DACLs on register keys, grant yourself an highly hard to find back door on the system .
  • policy localization : Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall
  • misuse : Manage the Windows firewall. Open up ports if they ’ ra blocked .
  • policy location : Computer Configuration\Preferences\Windows Settings\Environment
  • abuse : Add UNC path for DLL slope loading .
  • policy placement : Computer Configuration\Preferences\Windows Settings\Files
  • mistreat : Copy a file from a distant UNC path .

so, that ’ randomness all well and good, but how do we actually take these actions ? presently, you ’ ve got two options : download and install the Group Policy Management Console and use the GPMC GUI to modify the relevant GPO or manually craft the relevant policy file and correctly modify the GPO and gpt.ini charge .
As an example, let ’ s say you want to push a new contiguous scheduled undertaking to a computer or user. My current understanding ( which is decidedly capable to correction ), based on testing and the Microsoft Group Policy Preferences running specification, follows :
Whenever a group policy node ( user or computer ) checks for update group policy, they will go through several steps to collect and apply Group Policy to themselves. The node will check whether the distant interpretation of the GPO is greater than the locally hoard version of that GPO ( unless gpupdate /force is used ). The distant version of the GPO is stored in two locations :

  1. As an integer value for the versionNumber assign on the Group Policy Object itself .
  2. As the lapp integer in the GPT.INI file, located at \\ \Policies\\GPT.ini. Note that the “name” of the GPO is not the display name. For exemplify, the “ list ” for the Default Domain Policy is { 6AC1786C-016F-11D2-945F-00C04fB984F9 } .

If the distant GPO translation issue is greater than the locally cached translation, the group policy client will continue, analyzing which policies and/or preferences it needs to search for in the relevant SYSVOL directory. For Group Policy preferences ( which scheduled tasks fall under ), the group policy customer will check to see which Client-Side Extensions ( CSEs ) exist as separate of the “ gPCMachineExtensionNames ” and “ gPCUserExtensionNames ” attributes. According to the Microsoft Group Policy Preferences functional specification, CSE GUIDs “ enable a specific client-side extension on the Group Policy client to be associated with policy data that is stored in the logical and physical components of a Group Policy Object ( GPO ) on the Group Policy server, for that particular extension. ” The CSE GUIDs for Immediate Scheduled tasks, as they would be stored in the “ gPCMachineExtensionNames ” property, are :

 [ { 00000000-0000-0000-0000-000000000000 } { 79F92669-4224-476C-9C5C-6EFB4D87DF4A } { CAB54552-DEEA-4691-817E-ED4A4D1AFC72 } ] [ { AADCED64-746C-4633-A97C-D61349046527 } { CAB54552-DEEA-4691-817E-ED4A4D1AFC72 } ]

And in a slenderly more clear format :

 [
 { 00000000-0000-0000-0000-000000000000 } { 79F92669-4224-476C-9C5C-6EFB4D87DF4A } { CAB54552-DEEA-4691-817E-ED4A4D1AFC72 }
 ]
 [
 { AADCED64-746C-4633-A97C-D61349046527 } { CAB54552-DEEA-4691-817E-ED4A4D1AFC72 }
 ]

This translates to the following :

 [
 { kernel GPO Engine }
 { preference Tool CSE GUID Local users and groups }
 { preference Tool CSE GUID Scheduled Tasks }
 ]
 [
 { preference CSE GUID Scheduled Tasks }
 { preference Tool CSE GUID Scheduled Tasks }
 ]

once the group policy client understands that there are some scheduled tasks that apply to it, it will search for a file in the GP directory called ScheduledTasks.xml. That file exists in a predictable placement :

 \\ \sysvol\\Policies\\Machine\Preferences\ScheduledTasks.xml

finally, the group policy customer will parse the ScheduledTasks.xml and register the task locally .
That ’ s how the serve works, as I understand it. There is still a lot of work to be done on crafting scripts to automate the GPO misuse process, as installing GPMC is rarely a great choice while on a bolshevik team appraisal. If ever there were a call to arms, this is it : we ’ ll continue working on creating scripts that faithfully automate GPO command abuse, but are equally adenine stimulate to see what people in the residential district can come up with equally well .

Conclusion

As Rohan mentioned in his mail, BloodHound 1.5 represents a pretty boastful milestone for the BloodHound project. By adding in GPOs and OU structure, we ’ rhenium greatly increasing the oscilloscope of Active Directory attack open you can easily map out with BloodHound. In a future blog post, I ’ ll concenter more on the defensive side of things, showing how defenders can use BloodHound to analyze and reduce the attack surface in AD now that we ’ re tracking GPOs and OU structure.

BloodHound is available loose and open generator on GitHub at hypertext transfer protocol : //github.com/BloodHoundAD/BloodHound
You can join us on Slack at the official BloodHound Gang Slack here : hypertext transfer protocol : //bloodhoundgang.herokuapp.com/
besides published on Medium .

beginning : https://youkuki.com
Category : Dogs and Cats