GPOs and OUs


Last updated 9 months ago

What are OUs?

In Windows 2000 and AD, groups have the same function that they have in Windows NT or other OSs: You put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.

To understand the difference between groups and OUs, consider this: Objects with SIDs (i.e., users, groups, and computers) can act on objects and be granted authority. Groups have a SID, and OUs don't.

Enumerate GPO locally

gpresult /v
gpresult /r

Output:

PS C:\Users\Administrator> gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on 12/3/2023 at 10:31:35 PM


RSOP data for MIKO\Administrator on WIN-9ITB345Q7UU : Logging Mode
-------------------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  10.0.17763
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN-9ITB345Q7UU,OU=Domain Controllers,DC=miko,DC=local
    Last time Group Policy was applied: 12/3/2023 at 10:29:56 PM
    Group Policy was applied from:      WIN-9ITB345Q7UU.miko.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MIKO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Disable Defender
        DodMozilla Firefox Computer v6r5
        Default Domain Controllers Policy
        Default Domain Policy

GPO Location

  • \\DOMAIN.COM\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol

Contents of .pol file:

KeyName     : Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51
ValueName   : Value
ValueType   : REG_SZ
ValueLength : 700
ValueData   : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the
              Windows folder" Description="Allows members of the Everyone group to run applications that are located
              in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
              Path="%WINDIR%\*"/></Conditions></FilePathRule>

Reading contents of registry key:

PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2

Name                           Property
----                           --------
Appx                           EnforcementMode : 1
                               AllowWindows    : 0
Dll                            AllowWindows : 0
Exe                            EnforcementMode : 1
                               AllowWindows    : 0
Msi                            EnforcementMode : 1
                               AllowWindows    : 0
Script                         EnforcementMode : 1
                               AllowWindows    : 0
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe

Name                                 Property
----                                 --------
921cc481-6e17-4653-8f75-050b80acca20 Value : <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows members of the Everyone group to run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
a61c8b2c-a319-4cd0-9690-d2177cad7b51 Value : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members of the Everyone group to run applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions></FilePathRule>

Logging

Requires advanced audit policy configuration to be enabled. The events are found in Security.evtx.

Event ID   Description
5136       A directory service object was successfully modified
5136       A directory service object was successfully created
5138       A directory service object was successfully undeleted
5139       A directory service object was successfully moved
5141       A directory service object was successfully deleted

Event Viewer (default config?)

Microsoft-Windows-GroupPolicy/Operational

Investigate

When the same scheduled task or file execution is seen on multiple machines, it indicates remote execution or the use of Group Policy. When no system logs indicate the use of software deployment tools or Windows Management Instrumentation, that is an indication that Group Policy was likely compromised.

Look at the last-modified times of the GPO policy folders:

  • C:\Windows\sysvol\miko.local\Policies\

PowerShell query to list GPOs by last modified/created time:

#GetGPO by modified time
Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime 

Output:

PS C:\Users\Administrator> Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime

DisplayName                                         ModificationTime      CreationTime
-----------                                         ----------------      ------------
DoD Windows Defender Firewall Computer v2r2         12/3/2023 11:41:08 PM 12/3/2023 8:03:36 PM
DoD Google Chrome Computer v2r8                     12/3/2023 10:58:42 PM 12/3/2023 8:04:16 PM
DoD Windows 10 Computers v2r8                       12/3/2023 10:50:04 PM 12/3/2023 8:04:00 PM
DoD WinSvr 2019 DC Computers v2r8                   12/3/2023 9:29:10 PM  12/3/2023 8:19:36 PM
DoD WinSvr 2019 MS Computers v2r8                   12/3/2023 9:26:48 PM  12/3/2023 8:19:09 PM
DoD Microsoft Defender Antivirus STIG Computer v2r4 12/3/2023 9:01:48 PM  12/3/2023 8:03:22 PM
DodMozilla Firefox Computer v6r5                    12/3/2023 9:01:26 PM  12/3/2023 5:13:59 PM
Enable LocalAccountTokenFilterPolicy                12/3/2023 8:57:26 PM  4/30/2023 8:57:50 PM
DoD Windows 10 Users v2r8                           12/3/2023 8:24:54 PM  12/3/2023 8:08:41 PM
DoD WinSvr 2019 DC Users v2r8                       12/3/2023 8:24:20 PM  12/3/2023 8:03:48 PM
DoD WinSvr 2019 MS Users v2r8                       12/3/2023 8:24:12 PM  12/3/2023 8:19:01 PM
Disable Defender                                    12/3/2023 8:05:52 PM  4/30/2023 8:58:40 PM
Default Domain Controllers Policy                   11/22/2023 1:44:32 AM 3/5/2023 10:58:28 PM
Default Domain Policy                               3/5/2023 11:04:48 PM  3/5/2023 10:58:28 PM

Get the .pol file and parse it locally.

  • C:\Windows\SysVol\DOMAIN.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol
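The Registry.pol file is a binary "PReg" format, not text, so parsing it offline needs a small decoder. The following is an added example (not the page's own tooling): a parser for PReg v1 records that builds a constructed sample from the AppLocker (SrpV2) entries shown earlier on this page and decodes it back into key / value / type / data.

```python
import struct
from typing import NamedTuple

# Added example (not from the page): parser for Registry.pol (PReg v1), the file at
# \Policies\{GUID}\Machine\Registry.pol. After the 8-byte header "PReg" + DWORD 1 the
# body is a run of [key;value;type;size;data] records; '[', ';', ']' and both strings
# are UTF-16LE, strings are NUL-terminated, type and size are little-endian DWORDs.
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

def U(s: str) -> bytes:  # UTF-16LE encode helper
    return s.encode("utf-16-le")

class PolEntry(NamedTuple):
    key: str
    value: str
    reg_type: str
    data: object

def _decode(rtype: int, raw: bytes):
    if rtype in (1, 2):
        return raw.decode("utf-16-le").rstrip("\x00")
    if rtype == 4 and len(raw) == 4:
        return struct.unpack("<I", raw)[0]
    if rtype == 7:
        return [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return raw.hex()  # REG_BINARY and unknown types

def parse_pol(blob: bytes) -> list:
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a PReg v1 Registry.pol")
    def read_str(p):  # NUL-terminated UTF-16LE string at offset p
        end = p
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        if blob[end:end + 2] != b"\x00\x00":
            raise ValueError(f"unterminated string at offset {p}")
        return blob[p:end].decode("utf-16-le"), end + 2
    pos, entries = 8, []
    while pos < len(blob):
        if blob[pos:pos + 2] != U("["):
            raise ValueError(f"expected '[' at offset {pos}")
        key, pos = read_str(pos + 2)
        value, pos = read_str(pos + 2)                       # +2 skips ';'
        rtype = struct.unpack_from("<I", blob, pos + 2)[0]   # ';' then type
        size = struct.unpack_from("<I", blob, pos + 8)[0]    # ';' then size
        pos += 14                                            # ';' type ';' size ';'
        raw, pos = blob[pos:pos + size], pos + size
        if blob[pos:pos + 2] != U("]"):
            raise ValueError(f"expected ']' at offset {pos}")
        pos += 2
        entries.append(PolEntry(key, value, REG_TYPES.get(rtype, str(rtype)), _decode(rtype, raw)))
    return entries

def build_entry(key: str, value: str, rtype: int, raw: bytes) -> bytes:
    """Encode one record (only used to construct the sample file below)."""
    return (U("[") + U(key) + b"\0\0" + U(";") + U(value) + b"\0\0" + U(";") + struct.pack("<I", rtype)
            + U(";") + struct.pack("<I", len(raw)) + U(";") + raw + U("]"))

# Constructed sample modelled on the AppLocker (SrpV2) entries shown on this page.
RULE_XML = ('<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located '
            'in the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition '
            'Path="%WINDIR%\\*"/></Conditions></FilePathRule>')
SAMPLE_POL = (b"PReg" + struct.pack("<I", 1)
              + build_entry(r"Software\Policies\Microsoft\Windows\SrpV2\Exe", "EnforcementMode", 4, struct.pack("<I", 1))
              + build_entry(r"Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51",
                            "Value", 1, U(RULE_XML) + b"\0\0"))
```

To use it on a collected file, pass `open(path, "rb").read()` to `parse_pol` and review keys such as SrpV2, Scripts or Run locations by hand.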

Output a report and download/parse it locally. Look for startup scripts.

#create HTML report
Get-GPOReport -All -ReportType Html -Path "C:\Windows\Temp\GPOReport.html"

Startup scripts:

  • Computers|Users\Policies\Windows Settings\Scripts\Startup

Scheduled Task:

  • Computers|Users\Preferences\Control Panel Settings\Scheduled Tasks

Registry

GPO History:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History

To list child OUs, you can run this command:

Get-ADObject -Filter 'objectClass -eq "organizationalUnit"' -SearchBase "distinguishedName of parent OU"

Get the GPOs linked to an OU (run the same steps against each child OU listed by the command above to cover them):

Import-Module ActiveDirectory,GroupPolicy
$OU = "OU=test,DC=example,DC=local"
Get-ADOrganizationalUnit $OU
# LinkedGroupPolicyObjects holds DNs of the form CN={GUID},CN=Policies,CN=System,DC=...
$LinkedGPOs = Get-ADOrganizationalUnit $OU | Select-Object -ExpandProperty LinkedGroupPolicyObjects
# Skip the leading "CN={" (4 chars) and take the 36-character GUID
$LinkedGPOGUIDs = $LinkedGPOs | ForEach-Object {$_.Substring(4,36)}
$LinkedGPOGUIDs | ForEach-Object {Get-GPO -Guid $_ | Select-Object DisplayName | Export-Csv C:\Users\Desktop\test4.txt -Append}

ADMX Files:

ADMX (and their associated, language-specific ADML files) are XML files that allow Group Policy to render UI within the Group Policy Editor, in the Administrative Templates namespace.

Hijacking ADMX:

Changing the registry location declared for a policy in the ADMX file effectively hijacks a registry key. If the "SyncForegroundPolicy" policy below were pointed at another location such as "EnableLUA", then whenever "SyncForegroundPolicy" is disabled, it would actually disable the "EnableLUA" key instead.

Gotchas:

  • If one were to replace the ADMX files, the state of the GPO setting would need to be manually modified for the change to take effect.

  • Once an ADMX file is hijacked, there is no visual indication of it for the administrator who is in the GP Editor.

Example:

<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy">
<parentCategory ref="Logon" />
<supportedOn ref="windows:SUPPORTED_WindowsXP" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
  • Hijacked: key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA"

<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA">
<parentCategory ref="Logon" />
<supportedOn ref="windows:SUPPORTED_WindowsXP" />
<enabledValue>
<decimal value="0" />
</enabledValue>
<disabledValue>
<decimal value="1" />
</disabledValue>
</policy>

ADMX Central Store Locations:

  • Workstations:

    • C:\Windows\PolicyDefinitions

  • Domain Controllers:

    • C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions

    • \\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions

Attack:

  • If the attacker only has permissions to edit the ADMX file, modify the ADMX file and the registry location of a key that is constantly switched.

  • If the attacker has permissions to edit ADMX files and modify the GPO, modify the file and then enable/disable the setting for it to take effect.

Defense:

  • Users who can edit the ADMX Central Store should be Tier 0.

  • Monitor changes to the files and folders in the ADMX Central Store.
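One way to act on the last point, as an added example that is not from the page: diff the registry targets declared in a Central Store ADMX file against a known-good copy (for instance one from a freshly installed workstation's C:\Windows\PolicyDefinitions). The sample input is constructed from the two SyncForegroundPolicy snippets shown above; the namespace handling means the same code runs on real ADMX files.

```python
import xml.etree.ElementTree as ET

# Added example (not from the page): compare the registry key / valueName / enabled and
# disabled values each <policy> declares in an ADMX file against a known-good baseline,
# to surface the rewrite described in the "Hijacking ADMX" section.
FIELDS = ("class", "key", "valueName", "enabledValue", "disabledValue")

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]   # drop the XML namespace prefix

def policy_targets(admx_xml: str) -> dict:
    """Map each <policy name> to the registry location and values it writes."""
    targets = {}
    for pol in ET.fromstring(admx_xml).iter():
        if _local(pol.tag) != "policy":
            continue
        info = {"class": pol.get("class"), "key": pol.get("key"), "valueName": pol.get("valueName"),
                "enabledValue": None, "disabledValue": None}
        for child in pol:
            if _local(child.tag) in ("enabledValue", "disabledValue"):
                dec = next((c for c in child if _local(c.tag) == "decimal"), None)
                info[_local(child.tag)] = dec.get("value") if dec is not None else None
        targets[pol.get("name")] = info
    return targets

def diff_admx(baseline_xml: str, suspect_xml: str) -> list:
    """Return (policy, finding) pairs where the suspect file diverges from the baseline."""
    base, susp = policy_targets(baseline_xml), policy_targets(suspect_xml)
    findings = []
    for name, b in base.items():
        s = susp.get(name)
        if s is None:
            findings.append((name, "policy missing from suspect file"))
            continue
        for f in FIELDS:
            if b[f] != s[f]:
                findings.append((name, f"{f} changed: {b[f]!r} -> {s[f]!r}"))
    for name in sorted(susp.keys() - base.keys()):
        findings.append((name, "policy not present in baseline"))
    return findings

def wrap(policy_xml: str) -> str:
    """Constructed minimal policyDefinitions document around one <policy> element."""
    return ('<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">'
            f'<policies>{policy_xml}</policies></policyDefinitions>')

# Constructed from the two <policy> snippets on this page (original and hijacked).
BASELINE = wrap(r'<policy name="SyncForegroundPolicy" class="Machine" key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy">'
                r'<enabledValue><decimal value="1"/></enabledValue><disabledValue><decimal value="0"/></disabledValue></policy>')
SUSPECT = wrap(r'<policy name="SyncForegroundPolicy" class="Machine" key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA">'
               r'<enabledValue><decimal value="0"/></enabledValue><disabledValue><decimal value="1"/></disabledValue></policy>')

if __name__ == "__main__":
    for name, finding in diff_admx(BASELINE, SUSPECT):
        print(f"[!] {name}: {finding}")
```

For real files, read the baseline and Central Store copies with `open(path, encoding="utf-8").read()` and feed them to `diff_admx`.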
