Abstract

Group Policy is a feature which provides centralized management and configuration functions for the Microsoft Windows operating system, applications and user settings. It is the standard way to configure computer and user settings on networks based on Active Directory Domain Services (AD DS), and such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, to name just a few. Settings are contained in so-called Group Policy Objects (GPOs). Because a GPO is applied automatically to every computer and user in its scope, an attacker who has already compromised a domain can misuse it in a post-exploitation scenario to distribute malware and gain persistence in an automated and hard-to-notice manner. In a proof of concept, inspired by Phineas Fisher's article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved, and demonstrate some PowerShell Empire modules which we created. PowerShell Empire is a post-exploitation framework that utilises the widely deployed PowerShell for all your system-smashing needs. It already contains GPO-related functionality; we extended the misuse of GPOs to additional scenarios. Furthermore, we will discuss countermeasures, including detection and prevention mechanisms.
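On the detection side, the two GPO mechanisms that lend themselves to automated payload distribution are Group Policy Preferences scheduled or immediate tasks (a command line that runs as SYSTEM on every computer in scope at the next policy refresh) and legacy startup/logon scripts. Both leave their configuration as plain files in SYSVOL, so a defender can audit them without any agent. The following script is an added example written for this page; it is not part of the talk or of the PowerShell Empire modules it describes. It assumes the RSAT GroupPolicy module (Get-GPO) and read access to SYSVOL; the seven-day threshold, the element names it looks for and the output fields are this example's choices.

```powershell
# Added example: list command lines planted in recently modified GPOs via
# GPP scheduled/immediate tasks and via startup/logon scripts in SYSVOL.
# Assumes the RSAT GroupPolicy module and read access to SYSVOL.
param([int]$Days = 7)   # audit window; 7 days is an arbitrary choice for this example

Import-Module GroupPolicy -ErrorAction Stop

$since    = (Get-Date).AddDays(-$Days)
$findings = @()

foreach ($gpo in Get-GPO -All | Where-Object { $_.ModificationTime -ge $since }) {
    # $gpo.Path is the GPO's SYSVOL folder, e.g. \\corp.example\SysVol\corp.example\Policies\{GUID}
    $base = $gpo.Path

    foreach ($scope in 'Machine', 'User') {
        # 1. Group Policy Preferences tasks. ScheduledTasks.xml holds TaskV2/ImmediateTaskV2
        #    (command under Task/Actions/Exec) and the older Task/ImmediateTask
        #    (command in the Properties element's appName/args attributes).
        $xmlPath = Join-Path $base "$scope\Preferences\ScheduledTasks\ScheduledTasks.xml"
        if (Test-Path $xmlPath) {
            [xml]$doc = Get-Content $xmlPath
            foreach ($task in $doc.SelectNodes('//ImmediateTaskV2 | //TaskV2 | //ImmediateTask | //Task')) {
                $exec = $task.SelectSingleNode('.//Exec')
                if ($exec) {
                    $cmd = ($exec.Command + ' ' + $exec.Arguments).Trim()
                } else {
                    $cmd = ($task.Properties.appName + ' ' + $task.Properties.args).Trim()
                }
                $findings += [pscustomobject]@{
                    GPO      = $gpo.DisplayName
                    Modified = $gpo.ModificationTime
                    Scope    = $scope
                    Kind     = $task.LocalName          # ImmediateTaskV2 runs at the next refresh
                    Name     = $task.name
                    Command  = $cmd
                }
            }
        }

        # 2. Startup/logon scripts. scripts.ini (batch) and psscripts.ini (PowerShell)
        #    are INI files with [Startup]/[Shutdown] or [Logon]/[Logoff] sections and
        #    numbered entries of the form 0CmdLine=... / 0Parameters=...
        foreach ($ini in 'scripts.ini', 'psscripts.ini') {
            $iniPath = Join-Path $base "$scope\Scripts\$ini"
            if (Test-Path $iniPath) {
                $section = ''
                foreach ($line in Get-Content $iniPath) {
                    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
                    if ($line -match '^\d+CmdLine=(.+)$') {
                        $findings += [pscustomobject]@{
                            GPO      = $gpo.DisplayName
                            Modified = $gpo.ModificationTime
                            Scope    = $scope
                            Kind     = "$ini/$section"
                            Name     = ''
                            Command  = $Matches[1]
                        }
                    }
                }
            }
        }
    }
}

# Newest changes first: a freshly created GPO whose only content is a task
# launching powershell.exe or a script from an unexpected share deserves a closer look.
$findings | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run it on a domain-joined host with an account that can read SYSVOL; pair it with alerting on GPO modification events on the domain controllers, since a one-off audit only catches what is still present in SYSVOL at the time it runs.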
