BadGPO Using Group Policy Objects for Persistence and Lateral Movement

Immanuel Willi and Yves Kraft

published in Magdeburger Journal zur Sicherheitsforschung (2017, #13, p. 772-778)

Info

Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application and user settings. Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post-exploitation scenario of an already compromised domain. In a proof of concept, inspired by Phineas Fisher's article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved, and demonstrate some PowershellEmpire Framework modules which we created. PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. There are already functionalities built in regarding GPOs. We tried to further evolve the misuse of GPOs in additional scenarios. Furthermore, we will discuss some countermeasures including detection and prevention mechanisms.

BibTeX entry for mjs:Willi:GPO

@article{mjs:Willi:GPO,
  author = {Immanuel Willi and Yves Kraft},
  title = {BadGPO},
  subtitle = {Using Group Policy Objects for Persistence and Lateral Movement},
  year = {2017},
  pages = {772-778},
  journaltitle = {Magdeburger Journal zur Sicherheitsforschung},
  issn = {2192-4260},
  url = {https://d-nb.info/1137360836/34},
  codeberg = {https://codeberg.org/0xKaishakunin/Publikationen/src/branch/main/MagdeburgerJournalSicherheitsforschung/MJS_052_Willi_GPO.pdf},
  language = {DE},
  issue = {1},
  volume = {13},
  urldate = {2017-06-28},
  keywords = {mjsarticle,ds17,Group Policy Objects,gpo,microsoft,server,active domain,ad},
  abstract = {Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application and user settings. Group Policy is simply the easiest way to reach out and configure computer and user settings on networks based on Active Directory Domain Services (AD DS). Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post-exploitation scenario of an already compromised domain. In a proof of concept, inspired by Phineas Fisher's article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved, and demonstrate some PowershellEmpire Framework modules which we created. PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. There are already functionalities built in regarding GPOs. We tried to further evolve the misuse of GPOs in additional scenarios. Furthermore, we will discuss some countermeasures including detection and prevention mechanisms.},
}

AsciiDoc citation commands

1. citenp:[mjs:Willi:GPO]
2. cite:[mjs:Willi:GPO]
3. bibitem[mjs:Willi:GPO]

LaTeX citation commands

1. \textcite{mjs:Willi:GPO}
2. \parencite{mjs:Willi:GPO}
3. \cite{mjs:Willi:GPO}

generated at Mon May 12 10:48:34 2025