GPOs and OUs

LogoGroup Policy Objects – DoD Cyber Exchange
LogoSecurity baselines guide - Windows SecurityMicrosoftLearn
LogoAn Overview of Chef InSpec
LogoAccess Denied: Understand the Difference Between AD OUs and GroupsITPro Today: IT News, How-Tos, Trends, Case Studies, Career Tips, More
LogoCreating an Organizational Unit DesignMicrosoftLearn
LogoWeaponizing Group Policy Objects AccessTrustedSec
LogoGroup Policy as an Attack PathwayPractical 365

What are OUs?

In Windows 2000 and AD, groups have the same function that they have in Windows NT or other OSs: You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.

To understand the difference between groups and OUs, consider this: Objects with SIDs (i.e., users, groups, and computers) can act on objects and be granted authority. Groups have a SID, and OUs don't.

Enumerate GPO locally

gpresult /v
gpresult /r

Output:

PS C:\Users\Administrator> gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on ‎12/‎3/‎2023 at 10:31:35 PM


RSOP data for MIKO\Administrator on WIN-9ITB345Q7UU : Logging Mode
-------------------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  10.0.17763
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN-9ITB345Q7UU,OU=Domain Controllers,DC=miko,DC=local
    Last time Group Policy was applied: 12/3/2023 at 10:29:56 PM
    Group Policy was applied from:      WIN-9ITB345Q7UU.miko.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MIKO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Disable Defender
        DodMozilla Firefox Computer v6r5
        Default Domain Controllers Policy
        Default Domain Policy

GPO Location

  • \\DOMAIN.COM\SysVol\dev-studio.com\Policies{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol

Contents of .pol file:

KeyName     : Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51
ValueName   : Value
ValueType   : REG_SZ
ValueLength : 700
ValueData   : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the
              Windows folder" Description="Allows members of the Everyone group to run applications that are located
              in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
              Path="%WINDIR%\*"/></Conditions></FilePathRule>

Reading contents of registry key:

PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2

Name                           Property
----                           --------
Appx                           EnforcementMode : 1
                               AllowWindows    : 0
Dll                            AllowWindows : 0
Exe                            EnforcementMode : 1
                               AllowWindows    : 0
Msi                            EnforcementMode : 1
                               AllowWindows    : 0
Script                         EnforcementMode : 1
                               AllowWindows    : 0
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe

Name                           Property
----                           --------
921cc481-6e17-4653-8f75-050b80 Value : <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows
acca20                         members of the Everyone group to
                                       run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
                                       Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
a61c8b2c-a319-4cd0-9690-d2177c Value : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members
ad7b51                         of the Everyone group to run
                                       applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
                               Path="%WINDIR%\*"/></Conditions></FilePathRule>

Logging

Requires advanced auditing configs to be enable. Found in security.evtx

LogoTracking Group Policy Changes: Part 1 | LogRhythmLogRhythm
Event ID
Description

5136

A directory service object was successfully modified

5136

A directory service object was successfully created

5138

A directory service object was successfully undeleted

5139

A directory service object was successfully moved

5141

A directory service object was successfully deleted

Event Viewer (default config?)

Microsoft-Windows-GroupPolicy/Operational

Investigate

When a scheduled task or file execution is seen on multiple machines, it indicates remote execution or the use of Group Policy. When system logs indicating the use of software deployment tools or Windows Management Instrumentation are not present, it serves as an indication that Group Policy was likely compromised.

LogoRyuk and GPOs and Powershell, Oh My!The Binary Hick
Case Study
LogoIdentifying Group Policy attacksSophos News

Look for last modified in GPO policies:

  • C:\Windows\sysvol\miko.local\Policies\

PowerShell query to get last modified/created GPOs.

#GetGPO by modified time
Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime 

Output:

PS C:\Users\Administrator> Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime

DisplayName                                         ModificationTime      CreationTime
-----------                                         ----------------      ------------
DoD Windows Defender Firewall Computer v2r2         12/3/2023 11:41:08 PM 12/3/2023 8:03:36 PM
DoD Google Chrome Computer v2r8                     12/3/2023 10:58:42 PM 12/3/2023 8:04:16 PM
DoD Windows 10 Computers v2r8                       12/3/2023 10:50:04 PM 12/3/2023 8:04:00 PM
DoD WinSvr 2019 DC Computers v2r8                   12/3/2023 9:29:10 PM  12/3/2023 8:19:36 PM
DoD WinSvr 2019 MS Computers v2r8                   12/3/2023 9:26:48 PM  12/3/2023 8:19:09 PM
DoD Microsoft Defender Antivirus STIG Computer v2r4 12/3/2023 9:01:48 PM  12/3/2023 8:03:22 PM
DodMozilla Firefox Computer v6r5                    12/3/2023 9:01:26 PM  12/3/2023 5:13:59 PM
Enable LocalAccountTokenFilterPolicy                12/3/2023 8:57:26 PM  4/30/2023 8:57:50 PM
DoD Windows 10 Users v2r8                           12/3/2023 8:24:54 PM  12/3/2023 8:08:41 PM
DoD WinSvr 2019 DC Users v2r8                       12/3/2023 8:24:20 PM  12/3/2023 8:03:48 PM
DoD WinSvr 2019 MS Users v2r8                       12/3/2023 8:24:12 PM  12/3/2023 8:19:01 PM
Disable Defender                                    12/3/2023 8:05:52 PM  4/30/2023 8:58:40 PM
Default Domain Controllers Policy                   11/22/2023 1:44:32 AM 3/5/2023 10:58:28 PM
Default Domain Policy                               3/5/2023 11:04:48 PM  3/5/2023 10:58:28 PM

Get .pol file and parse locally.

  • C:\Windows\SysVol\DOMAIN.com\Policies{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol

Output report and download/parse locally. Look for startup scripts.

LogoGet-GPOReport (GroupPolicy)MicrosoftLearn
#create HTLM report
Get-GPOReport -All -ReportType Html -Path "C:\Windows\Temp\GPOReport.html”
HTML File Example

Startup scripts:

  • Computers|Users\Policies\Windows Settings\Scripts\Startup

Scheduled Task:

  • Computers|Users\Preferences\Control Panel Settings\Scheduled Tasks

Registry

LogoGroup Policy for Script KiddiesTrustedSec

GPO History:

  • HKLMSoftware\Microsoft\Windows\CurrentVersion\Group Policy\History

To list child OUs, you can run this command:

Get-ADObject -Filter 'objectClass -eq "organizationalUnit"' -SearchBase "distinguishedName of parent OU"

get GPO linked to OU and its child OU

Get-Module ActiveDirectory,GroupPolicy
$OU = “OU=test,DC=example,DC=local”
Get-ADOrganizationalUnit $OU
$LinkedGPOs = Get-ADOrganizationalUnit $OU | Select-object -ExpandProperty LinkedGroupPolicyObjects
$LinkedGPOGUIDs = $LinkedGPOs | ForEach-object{$_.Substring(4,36)}
$LinkedGPOGUIDs | ForEach-object {Get-GPO -Guid $_ | Select-object Displayname | Export-CSV C:\Users\Desktop\test4.txt -Append}

ADMX Files:

LogoHijacking Administrative Templates - SDM SoftwareSDM Software

ADMX (and their associated, language-specific ADML files) are XML files that allow Group Policy to render UI within the Group Policy Editor, in the Administrative Templates namespace.

What is rendered:

Hijacking ADMX:

Changing the location of the of the registry key will essentially hijack a registry key. If one were to change the location of the below "SyncForegroundPolicy" key to another location like "EnableLUA", then whenever the "SyncForegroundPolicy" key is disabled, then it would actual disable the "EnableLUA" key instead.

Gotcha's:

  • If one were to replace the ADMX files, you would need to manually modify the status of the GPO for it to take affect.

  • Once an ADMX file is hijacked there is no visual notification of it for the administrator who’s in GP Editor

Example:

  • key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy"> 

<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy">
<parentCategory ref="Logon" />
<supportedOn ref="windows:SUPPORTED_WindowsXP" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>

  • key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA">

<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA">
<parentCategory ref="Logon" />
<supportedOn ref="windows:SUPPORTED_WindowsXP" />
<enabledValue>
<decimal value="0" />
</enabledValue>
<disabledValue>
<decimal value="1" />
</disabledValue>
</policy>

ADMX Central Store Locations:

  • Workstations:

    • C:\Windows\PolicyDefinitions

  • Domain Controllers:

    • C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions

    • \\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions

Attack:

  • If the attacker only has permissions to edit the ADMX file, modify the ADMX file and registry location of a key that is constantly switched.

  • If the attacker has permissions to edit ADMX files and modify the GPO, modify the file and then enable/disable for it to take affect.

Defense:

  • User's who can edit the ADMX Central Store should be Tier 0.

  • Monitor changes to the files and folders in the ADMX Central Store.

PreviousExchangeNextAnti Forensics

Last updated