# GPOs and OUs

{% embed url="<https://www.youtube.com/watch?v=pE-oOJAnllk&ab_channel=DavidSartin>" %}

{% embed url="<https://public.cyber.mil/stigs/gpo/>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines>" %}

{% embed url="<https://docs.chef.io/inspec/>" %}

{% embed url="<https://www.itprotoday.com/security/access-denied-understand-difference-between-ad-ous-and-groups>" %}

{% embed url="<https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/creating-an-organizational-unit-design>" %}

{% embed url="<https://trustedsec.com/blog/weaponizing-group-policy-objects-access>" %}

{% embed url="<https://practical365.com/group-policy-as-an-attack-pathway/>" %}

### What are OUs?

In Windows 2000 and AD, groups have the same function that they have in Windows NT or other OSs: you put a user in a group to control that user's access to resources. You put a user in an OU to control who has administrative authority over that user.

To understand the difference between groups and OUs, consider this: Objects with SIDs (i.e., users, groups, and computers) can act on objects and be granted authority. Groups have a SID, and OUs don't.

### Enumerate GPO locally

```powershell
gpresult /v
gpresult /r
```

Output:

```
PS C:\Users\Administrator> gpresult /v

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2018 Microsoft Corporation. All rights reserved.

Created on 12/3/2023 at 10:31:35 PM


RSOP data for MIKO\Administrator on WIN-9ITB345Q7UU : Logging Mode
-------------------------------------------------------------------

OS Configuration:            Primary Domain Controller
OS Version:                  10.0.17763
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=WIN-9ITB345Q7UU,OU=Domain Controllers,DC=miko,DC=local
    Last time Group Policy was applied: 12/3/2023 at 10:29:56 PM
    Group Policy was applied from:      WIN-9ITB345Q7UU.miko.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        MIKO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Disable Defender
        DodMozilla Firefox Computer v6r5
        Default Domain Controllers Policy
        Default Domain Policy
```

GPO location:

* `\\DOMAIN.COM\SysVol\dev-studio.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol`

Contents of .pol file:

```
KeyName     : Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51
ValueName   : Value
ValueType   : REG_SZ
ValueLength : 700
ValueData   : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the
              Windows folder" Description="Allows members of the Everyone group to run applications that are located
              in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
              Path="%WINDIR%\*"/></Conditions></FilePathRule>
```

Reading contents of registry key:

```
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2

Name                           Property
----                           --------
Appx                           EnforcementMode : 1
                               AllowWindows    : 0
Dll                            AllowWindows : 0
Exe                            EnforcementMode : 1
                               AllowWindows    : 0
Msi                            EnforcementMode : 1
                               AllowWindows    : 0
Script                         EnforcementMode : 1
                               AllowWindows    : 0
```

```
PS C:\Users\Administrator> Get-ChildItem "HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe"

    Hive: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe

Name                           Property
----                           --------
921cc481-6e17-4653-8f75-050b80 Value : <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder" Description="Allows
acca20                         members of the Everyone group to
                                       run applications that are located in the Program Files folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
                                       Path="%PROGRAMFILES%\*"/></Conditions></FilePathRule>
a61c8b2c-a319-4cd0-9690-d2177c Value : <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" Description="Allows members
ad7b51                         of the Everyone group to run
                                       applications that are located in the Windows folder." UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition
                               Path="%WINDIR%\*"/></Conditions></FilePathRule>
```

## Logging

Requires the advanced audit policy settings to be enabled. The events are written to Security.evtx.

{% embed url="<https://logrhythm.com/blog/tracking-group-policy-changes-pt-1/>" %}

| Event ID | Description                                           |
| -------- | ----------------------------------------------------- |
| 5136     | A directory service object was successfully modified  |
| 5137     | A directory service object was successfully created   |
| 5138     | A directory service object was successfully undeleted |
| 5139     | A directory service object was successfully moved     |
| 5141     | A directory service object was successfully deleted   |

### Event Viewer (default config?)

Microsoft-Windows-GroupPolicy/Operational

### Investigate

When the same scheduled task or file execution is seen on multiple machines, it indicates remote execution or the use of Group Policy. When the system logs show no use of software deployment tools or Windows Management Instrumentation, that is an indication that Group Policy was likely compromised.

{% embed url="<https://thebinaryhick.blog/2019/12/22/ryuk-and-gpos-and-powershell-oh-my/>" %}
Case Study
{% endembed %}

{% embed url="<https://news.sophos.com/en-us/2023/11/08/identifying-group-policy-attacks/>" %}

Look for the last modified time of the GPO policy folders:

* `C:\Windows\SYSVOL\miko.local\Policies\`

PowerShell query to list GPOs by modification and creation time:

```powershell
# Get GPOs sorted by modification time
Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime
```

**Output:**

```
PS C:\Users\Administrator> Get-GPO -All | Sort-Object ModificationTime -Descending | Format-Table DisplayName, ModificationTime, CreationTime

DisplayName                                         ModificationTime      CreationTime
-----------                                         ----------------      ------------
DoD Windows Defender Firewall Computer v2r2         12/3/2023 11:41:08 PM 12/3/2023 8:03:36 PM
DoD Google Chrome Computer v2r8                     12/3/2023 10:58:42 PM 12/3/2023 8:04:16 PM
DoD Windows 10 Computers v2r8                       12/3/2023 10:50:04 PM 12/3/2023 8:04:00 PM
DoD WinSvr 2019 DC Computers v2r8                   12/3/2023 9:29:10 PM  12/3/2023 8:19:36 PM
DoD WinSvr 2019 MS Computers v2r8                   12/3/2023 9:26:48 PM  12/3/2023 8:19:09 PM
DoD Microsoft Defender Antivirus STIG Computer v2r4 12/3/2023 9:01:48 PM  12/3/2023 8:03:22 PM
DodMozilla Firefox Computer v6r5                    12/3/2023 9:01:26 PM  12/3/2023 5:13:59 PM
Enable LocalAccountTokenFilterPolicy                12/3/2023 8:57:26 PM  4/30/2023 8:57:50 PM
DoD Windows 10 Users v2r8                           12/3/2023 8:24:54 PM  12/3/2023 8:08:41 PM
DoD WinSvr 2019 DC Users v2r8                       12/3/2023 8:24:20 PM  12/3/2023 8:03:48 PM
DoD WinSvr 2019 MS Users v2r8                       12/3/2023 8:24:12 PM  12/3/2023 8:19:01 PM
Disable Defender                                    12/3/2023 8:05:52 PM  4/30/2023 8:58:40 PM
Default Domain Controllers Policy                   11/22/2023 1:44:32 AM 3/5/2023 10:58:28 PM
Default Domain Policy                               3/5/2023 11:04:48 PM  3/5/2023 10:58:28 PM
```

Get the .pol file and parse it locally:

* `C:\Windows\SysVol\DOMAIN.com\Policies\{7E1E1636-1A59-4C35-895B-3AEB1CA8CFC2}\Machine\Registry.pol`
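An added example (not from this page or any tool it links) of parsing a Registry.pol file offline: the file is a `PReg` magic plus a version DWORD followed by `[key;value;type;size;data]` records in UTF-16LE. The sample input is constructed here from the AppLocker default rule shown above; `build_pol` exists only to create that sample.

```python
import struct

TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 4: "REG_DWORD"}   # value types that matter for .pol triage
def _u16(s):
    return s.encode("utf-16-le")

def build_pol(entries):
    # Serialise (key, valueName, type, data) tuples into the "PReg" v1 layout: [key;value;type;size;data]
    body = b"".join(_u16("[") + _u16(k) + b"\0\0" + _u16(";") + _u16(v) + b"\0\0" + _u16(";") + struct.pack("<I", t)
                    + _u16(";") + struct.pack("<I", len(d)) + _u16(";") + d + _u16("]") for k, v, t, d in entries)
    return b"PReg" + struct.pack("<I", 1) + body

def _read_str(buf, pos):
    # NUL-terminated UTF-16LE; step two bytes at a time so a 00 inside a code unit is not taken as the terminator
    end = pos
    while buf[end:end + 2] not in (b"\0\0", b""):
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _expect(buf, pos, ch):
    if buf[pos:pos + 2] != _u16(ch):
        raise ValueError("malformed Registry.pol: expected %r at offset %d" % (ch, pos))
    return pos + 2

def parse_pol(buf):
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        key, pos = _read_str(buf, _expect(buf, pos, "["))
        value, pos = _read_str(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        vtype, size = struct.unpack_from("<I", buf, pos)[0], struct.unpack_from("<I", buf, pos + 6)[0]
        _expect(buf, pos + 4, ";")                        # a ';' separates the type DWORD from the size DWORD
        pos = _expect(buf, pos + 10, ";")
        data, pos = buf[pos:pos + size], _expect(buf, pos + size, "]")
        if vtype in (1, 2):                               # REG_SZ / REG_EXPAND_SZ: UTF-16LE text, NUL-terminated
            decoded = data.decode("utf-16-le").rstrip("\0")
        else:                                             # REG_DWORD as int; anything else (binary, multi-sz) as hex
            decoded = struct.unpack("<I", data)[0] if vtype == 4 else data.hex()
        entries.append({"KeyName": key, "ValueName": value, "ValueType": TYPE_NAMES.get(vtype, str(vtype)),
                        "ValueLength": size, "ValueData": decoded})
    return entries

# Constructed sample input: the AppLocker default rule quoted on this page plus the EnforcementMode DWORD above it
RULE_XML = ('<FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder" '
            'Description="Allows members of the Everyone group to run applications that are located in the Windows folder." '
            'UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions><FilePathCondition Path="%WINDIR%\\*"/></Conditions></FilePathRule>')
SAMPLE_POL = build_pol([(r"Software\Policies\Microsoft\Windows\SrpV2\Exe", "EnforcementMode", 4, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows\SrpV2\Exe\a61c8b2c-a319-4cd0-9690-d2177cad7b51", "Value", 1, _u16(RULE_XML + "\0"))])
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to `parse_pol`; each returned dict carries the same fields shown in the parsed .pol output above.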

Output report and download/parse locally. Look for startup scripts.

{% embed url="<https://learn.microsoft.com/en-us/powershell/module/grouppolicy/get-gporeport?view=windowsserver2022-ps>" %}

```powershell
# Create an HTML report of every GPO
Get-GPOReport -All -ReportType Html -Path "C:\Windows\Temp\GPOReport.html"
```

<figure><img src="/files/HvdqEg9uh1X9nUIEV6Hd" alt=""><figcaption><p>HTML File Example</p></figcaption></figure>

Startup scripts:

* Computers|Users\Policies\Windows Settings\Scripts\Startup

Scheduled Task:

* Computers|Users\Preferences\Control Panel Settings\Scheduled Tasks

### Registry

{% embed url="<https://trustedsec.com/blog/group-policy-for-script-kiddies>" %}

GPO History:

* `HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History`

#### To list child OUs, you can run this command:

{% code overflow="wrap" %}

```powershell
Get-ADObject -Filter 'objectClass -eq "organizationalUnit"' -SearchBase "distinguishedName of parent OU"
```

{% endcode %}

#### Get GPOs linked to an OU and its child OUs

```powershell
Import-Module ActiveDirectory, GroupPolicy
$OU = "OU=test,DC=example,DC=local"
# The parent OU and every OU beneath it (Subtree includes the search base itself)
$OUs = Get-ADOrganizationalUnit -SearchBase $OU -SearchScope Subtree -Filter *
foreach ($Unit in $OUs) {
    # LinkedGroupPolicyObjects entries look like "cn={GUID},cn=policies,cn=system,DC=...":
    # the GUID starts at offset 4 and is 36 characters long
    $LinkedGPOGUIDs = $Unit.LinkedGroupPolicyObjects | ForEach-Object { $_.Substring(4, 36) }
    $LinkedGPOGUIDs | ForEach-Object {
        Get-GPO -Guid $_ | Select-Object @{ Name = 'OU'; Expression = { $Unit.DistinguishedName } }, DisplayName |
            Export-Csv C:\Users\Desktop\test4.txt -Append -NoTypeInformation
    }
}
```

## ADMX Files:

{% embed url="<https://sdmsoftware.com/security-related/hijacking-administrative-templates/>" %}

ADMX (and their associated, language-specific ADML files) are XML files that allow Group Policy to render UI within the Group Policy Editor, in the Administrative Templates namespace.

<figure><img src="/files/f6yGUW30gCFXzpYiIakZ" alt=""><figcaption><p>What is rendered:</p></figcaption></figure>

### Hijacking ADMX:

Changing the registry location of a key in the ADMX file essentially hijacks that key. If one were to change the location of the "SyncForegroundPolicy" key below to another location, such as "EnableLUA", then whenever the "SyncForegroundPolicy" setting is disabled it would actually disable the "EnableLUA" key instead.

#### Gotchas:

* If one were to replace the ADMX files, you would need to manually modify the status of the GPO for it to take effect.
* Once an ADMX file is hijacked there is no visual notification of it for the administrator who is in GP Editor.

<figure><img src="/files/ntTFK1pzyEN1VRMMMIth" alt=""><figcaption></figcaption></figure>

### Example:

* Original: `key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy"`

```xml
<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" valueName="SyncForegroundPolicy">
  <parentCategory ref="Logon" />
  <supportedOn ref="windows:SUPPORTED_WindowsXP" />
  <enabledValue>
    <decimal value="1" />
  </enabledValue>
  <disabledValue>
    <decimal value="0" />
  </disabledValue>
</policy>
```

* Hijacked: `key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA"`

```xml
<!-- Same policy name and UI text, but key/valueName now point at EnableLUA and the enabled/disabled values are inverted -->
<policy name="SyncForegroundPolicy" class="Machine" displayName="$(string.SyncForegroundPolicy)" explainText="$(string.SyncForegroundPolicy_Help)" key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="EnableLUA">
  <parentCategory ref="Logon" />
  <supportedOn ref="windows:SUPPORTED_WindowsXP" />
  <enabledValue>
    <decimal value="0" />
  </enabledValue>
  <disabledValue>
    <decimal value="1" />
  </disabledValue>
</policy>
```

### ADMX Central Store Locations:

* **Workstations:**
  * `C:\Windows\PolicyDefinitions`
* **Domain Controllers:**
  * `C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions`
  * `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`

### Attack:

* If the attacker only has permissions to edit the ADMX file, modify the ADMX file and the registry location of a key that is constantly switched.
* If the attacker has permissions to edit ADMX files and modify the GPO, modify the file and then enable/disable the setting for it to take effect.

### Defense:

* Users who can edit the ADMX Central Store should be Tier 0.
* Monitor changes to the files and folders in the ADMX Central Store.
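One way to act on the monitoring point above, as an added example (not from this page or the SDM Software post it links): compare a trusted copy of an ADMX file against the copy in the Central Store and report every policy whose registry target or enabled/disabled values changed, which is exactly what the SyncForegroundPolicy/EnableLUA hijack shown above does. The two sample documents are constructed from this page's `<policy>` snippets, wrapped in a minimal `policyDefinitions` root.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.split("}")[-1]      # real ADMX files carry an XML namespace; the snippets on this page do not

def _decimal(policy, child):
    # Value written by <enabledValue>/<disabledValue>; None when the policy uses other element types
    for el in policy.iter():
        if _local(el.tag) == child:
            return next((d.get("value") for d in el if _local(d.tag) == "decimal"), None)
    return None

def policy_targets(admx_text):
    """Map each <policy name="..."> to the registry key, value name and values it writes."""
    targets = {}
    for el in ET.fromstring(admx_text).iter():
        if _local(el.tag) == "policy":
            targets[el.get("name")] = {"key": el.get("key"), "valueName": el.get("valueName"),
                                       "enabled": _decimal(el, "enabledValue"), "disabled": _decimal(el, "disabledValue")}
    return targets

def find_hijacked(baseline_admx, current_admx):
    """Policies whose registry target or enabled/disabled values differ from a trusted copy of the same ADMX."""
    base, cur = policy_targets(baseline_admx), policy_targets(current_admx)
    return [(name, base[name], cur[name]) for name in base if name in cur and base[name] != cur[name]]

# Constructed samples built from the two <policy> snippets on this page
BASELINE = """<policyDefinitions><policies>
<policy name="SyncForegroundPolicy" class="Machine" key="Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" valueName="SyncForegroundPolicy">
<enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="0" /></disabledValue></policy>
</policies></policyDefinitions>"""
HIJACKED = """<policyDefinitions><policies>
<policy name="SyncForegroundPolicy" class="Machine" key="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System" valueName="EnableLUA">
<enabledValue><decimal value="0" /></enabledValue><disabledValue><decimal value="1" /></disabledValue></policy>
</policies></policyDefinitions>"""
```

Run it against a known-good copy of each ADMX (for example from the vendor download) and the file currently in the Central Store; any hit names a policy whose UI label no longer matches what it writes.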
