Group Policy Modification (T1484)
What is a Group Policy Object (GPO)?
A Group Policy Object (GPO) is a collection of settings in a Microsoft Windows environment that controls user accounts and user activity. GPOs are implemented in Active Directory and can be linked to one or more Active Directory containers: sites, domains, or organizational units (OUs). The Group Policy Management Console (GPMC) lets administrators create GPOs that define:
• General lockdown of systems
• Security hardening
• Configuration of Internet Explorer
• Logon and logoff script changes
• Drive and printer mappings
• Setting local administrators – local group membership
What is Group Policy Management Console?
The Group Policy Management Console (GPMC) is a built-in tool for Windows administration. As the name states, it is the central console for managing Group Policy Objects (GPOs). GPMC combines functionality from tools such as Active Directory Users and Computers, Active Directory Sites and Services, and Resultant Set of Policy (RSoP). GPMC also exposes scripting interfaces that let programmers manage GPOs from C or C++.
What is an Active Directory system?
Active Directory is a directory service developed by Microsoft to manage computers and other devices on a network. It gives network administrators a broad set of functionality, such as creating and managing domains, users, and other objects within the network. For example, an admin can create a group of users and grant it privileges and access to certain directories and locations on a server.
Abusing Group Policy
A GPO holds a lot of information that is valuable to an attacker. Worse, any valid user in Active Directory can query the directory and get a valid response (i.e. see who has access to what). There are also tools that help an attacker map a GPO environment, such as PowerView, BloodHound and Grouper2. The most common action attackers take in such situations is to change settings so that a malicious payload is executed instead of a legitimate one.
Once an attacker has gained the ability to modify the settings, there are many other things they can do: create or automate malicious actions, grant themselves admin access to a system by creating a local admin account, or run services of their choosing. With so many possibilities in hand, an attacker can elevate privileges or widen the attack surface for further persistence and access.
We will be exploiting a vulnerability in Group Policy Caching. With this vulnerability, a normal domain user can perform an arbitrary file overwrite with administrative privilege by altering the Group Policy cache. For this, we set up Active Directory on Windows Server 2012. A domain user and the Default Domain Policy with no special configuration or settings are all that is needed. The Group Policy cache files are stored under the subfolder: C:\users\\AppData\Local\GroupPolicy\datastore\0
Whenever gpupdate /force is run, this directory is created if it does not exist and is then populated according to the group policy.
To start, we check what access a domain user has in these folders.
As the screenshot above shows, a domain user has full access to the DataStore folder. Next we check the access for the subfolder 0.
As the screenshot above shows, the domain user has only read access to the subfolder 0. To overcome this, we rename the DataStore folder to a different name, then create a new folder with the original name and a subfolder named 0 inside it.
Now we have full access to the subfolder 0. Next, we create a file in that subfolder as shown in the screenshot below.
With that done, we run gpupdate /force and capture the background activity using Procmon.
Procmon (Process Monitor) is a free tool from Windows Sysinternals that monitors and displays real-time system activity on operating systems such as Microsoft Windows and Unix-like systems.
As the screenshot above shows, the file is opened without any interference from the system, and two SetSecurityFile calls are made. This has changed our rights on the file we created in the subfolder, as seen in the screenshot below.
We are pushed back to read-only permission. Rather than stopping here, we create a junction under the subfolder 0 pointing to a protected directory that only the administrator can access; in this case I chose “c:\users\administrator\documents”.
Now we run gpupdate /force again and capture the background activity using Procmon.
As the screenshot above shows, the first SetSecurityFile call is made on desktop.ini, and the second is stopped with an access denied on the MyMusic folder. As everything went as planned, we check the permissions on the desktop.ini file.
As expected, we have full access to a system-protected file. This is because the first SetSecurityFile call always grants full access to the current user, and the second SetSecurityFile call then reduces it to read-only access.
The best way to prevent such attacks is by actively capturing and monitoring system logs. Since unauthorized logins, users, system activities, events, etc. can all be captured, reviewing those logs regularly paves the way for finding such malicious activity easily. This data not only helps detect the presence of attackers in the network but also helps the administrator or forensic analyst understand what they did during their period of presence.
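Beyond log review, the walkthrough above leaves two traces on disk that a defender can check for directly: a renamed copy of the DataStore folder next to the real one, and a junction or symbolic link inside DataStore. The following Python audit is an added example, not code from the original post; it assumes it is pointed at a user's AppData\Local\GroupPolicy folder, treats any sibling directory whose name starts with "DataStore" as a renamed original (a heuristic, not a Windows convention), and on a POSIX test system uses a symlink to stand in for an NTFS junction.

```python
"""Audit one user's GroupPolicy cache folder for the artifacts described above.
Added example (not from the original post): flags a renamed DataStore copy and any
junction/symlink inside DataStore. On POSIX a symlink stands in for an NTFS junction.
"""
import os
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True for an NTFS reparse point (junction/symlink) or a POSIX symlink."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT) or stat.S_ISLNK(st.st_mode)


def audit_gp_cache(group_policy_dir: str) -> list:
    """Return (kind, path) findings for one ...\\AppData\\Local\\GroupPolicy folder."""
    findings = []
    datastore = None
    for name in os.listdir(group_policy_dir):
        full = os.path.join(group_policy_dir, name)
        low = name.lower()
        if low == "datastore":
            datastore = full
        # Heuristic (assumption): a sibling named like DataStore is the renamed original.
        elif low.startswith("datastore") and os.path.isdir(full):
            findings.append(("renamed-datastore", full))
    if datastore is None:
        return findings
    # os.walk does not follow links, so a junction is listed but never descended into.
    for root, dirs, files in os.walk(datastore):
        for entry in dirs + files:
            full = os.path.join(root, entry)
            if is_reparse_point(full):
                findings.append(("reparse-point", full))
    return findings


def demo() -> list:
    """Build a constructed cache layout mirroring the walkthrough, then audit it."""
    base = tempfile.mkdtemp()
    gp = os.path.join(base, "GroupPolicy")
    os.makedirs(os.path.join(gp, "DataStore", "0"))      # attacker-created replacement
    os.makedirs(os.path.join(gp, "DataStore_old", "0"))  # renamed original cache
    protected = os.path.join(base, "protected")          # stands in for a protected dir
    os.makedirs(protected)
    os.symlink(protected, os.path.join(gp, "DataStore", "0", "link"), target_is_directory=True)
    return audit_gp_cache(gp)
```

Calling demo() returns one "renamed-datastore" finding and one "reparse-point" finding; on a real host, run audit_gp_cache over every profile's GroupPolicy folder and alert on any non-empty result.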