7MS #441: SharpGPOAbuse
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features:
-
A little welcome music that is not the usual scatting of gibberish I torture you with
-
Some cool tools I'm playing with in the lab that we'll do future episodes on in the future:
- DetectionLab to practice detecting all the bad things!
- BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want.
- Cobalt Strike - we're doing a demo right now!
Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run:
SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD /DOMAIN" --GPOName "Name of GPO with Generic Write Access"
This will push a ScheduledTasks.xml
file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks
Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI
file (in the root of the GPO path) and/or the versionNumber
value assigned to the GPO itself.
If you need to adjust the versionNumber
and GPT.INI
value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me.
If you can't seem to update versionNumber
using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber
.