Nov 15, 2020
Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features:
A little welcome music that is not the usual scatting of gibberish I torture you with
Some cool tools I'm playing with in the lab that we'll do future episodes on in the future:
Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run:
SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access"
This will push a ScheduledTasks.xml file
to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks
Now if you find that the task is not pushing correctly, it may
be that SharpGPOAbuse.exe hasn't been able to update either
the GPT.INI file (in the root of the GPO
path) and/or the versionNumber value
assigned to the GPO itself.
If you need to adjust
the versionNumber and GPT.INI value
manually, definitely read this
Microsoft article so you know how the number is generated
and how to increment it properly. This flippin' sweet RastaMouse blog
article also helped this click for me.
If you can't seem to
update versionNumber using the PowerShell in
Rasta's article, you can also open up ADSI Edit and navigate
to Default naming context > DC=your,DC=com >
CN=System > CN=Policies >
CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the
properties of the folder, scroll down and manually adjust the value
for versionNumber.