
Turning your Active Directory into the attacker's C2

DEFCONConference · 1,755 views · 43:05 · 6 months ago

This talk demonstrates advanced techniques for leveraging Active Directory Group Policy Objects (GPOs) to establish command and control, perform lateral movement, and escalate privileges. The researchers detail how to abuse GPO ACLs, perform NTLM relaying to the LDAP service, and conduct GPO link poisoning to compromise protected organizational units. The presentation introduces four new tools—gpoParser.py, GroupPolicyBackdoor.py, GPOddity.py, and OUned—to automate these reconnaissance and exploitation workflows. These techniques highlight significant security risks in common GPO configurations and provide actionable methods for both offensive testing and defensive hardening.

Abusing Group Policy Objects for Full Domain Compromise

TLDR: Active Directory Group Policy Objects (GPOs) are often overlooked during internal assessments, yet they provide a powerful, native mechanism for command and control. By abusing GPO access control lists (ACLs), performing NTLM relaying to LDAP, and poisoning GPO links, attackers can achieve full domain compromise. This post details four new tools—gpoParser.py, GroupPolicyBackdoor.py, GPOddity.py, and OUned—that automate these techniques for red team engagements.

Active Directory environments are rarely as secure as they appear on paper. While most security teams focus on patching high-profile vulnerabilities, the configuration of the domain itself often carries a large, unexploited attack surface, and Group Policy Objects (GPOs) are the clearest example. They are the backbone of enterprise identity and device management, yet they are frequently misconfigured and left open to abuse. Write access to a single GPO, whether on its LDAP object or on its folder in SYSVOL, and with no other privilege, gives you a native command-and-control channel: the payload is fetched and executed by the Group Policy client on every machine in scope, so EDR detections keyed on unusual process trees or lateral-movement traffic rarely fire.

The Mechanics of GPO Abuse

GPOs are not simple configuration files. Each one consists of two distinct parts: the Group Policy Container (GPC), an LDAP object under CN=Policies,CN=System that stores metadata such as the version number and the list of client-side extensions to run, and the Group Policy Template (GPT), a folder in the domain's SYSVOL share that holds the actual configuration files; the GPC's gPCFileSysPath attribute tells clients where to fetch the GPT. The two halves carry separate ACLs, so either the LDAP object or the SYSVOL folder can turn out to be the writable one. Attackers who can modify either component can execute arbitrary commands, add users to privileged groups, or change registry keys on every machine the GPO applies to.

The most common attack vector is write access to a GPO linked to an organizational unit (OU) that contains your targets. With that access you inject a malicious setting, typically a Group Policy Preferences immediate scheduled task. The task is created by the Group Policy client and run by the Task Scheduler as SYSTEM on the target, which is enough to add your user to the local Administrators group of a member server; adding it to Domain Admins directly only works where the policy applies to a domain controller, because a member server's machine account has no right to change that group. Because the configuration is delivered by the domain controller and applied by a legitimate service, it slips past detection logic that looks for suspicious parent processes or lateral-movement patterns.

Automating Reconnaissance and Exploitation

Manual enumeration of GPO configurations is tedious and error-prone. The research presented at DEF CON 33 introduces gpoParser.py, a tool that parses GPO configurations and surfaces the privilege relationships hidden in them. It supports both online and offline analysis, which matters for stealthy reconnaissance: the GPT files can be pulled once from SYSVOL and analysed away from the target. By resolving which GPOs apply to which OUs, and whether inheritance is blocked or a link is enforced along the way, you can pinpoint exactly where your efforts will yield the highest impact.

For those looking to weaponize these findings, GroupPolicyBackdoor.py injects custom configurations into a GPO you can write. It supports Group Policy Preferences item-level targeting, which restricts your payload to specific computers or users by attributes such as hostname or group membership, so only the hosts you intend to hit ever execute it; that minimizes both the risk of detection and the risk of accidental disruption across the rest of the OU.

Advanced Techniques: NTLM Relaying and Link Poisoning

When you lack direct write access to a GPO, NTLM relaying can still get you there. By relaying a captured authentication to the LDAP service on a domain controller (which requires that LDAP signing and channel binding are not enforced), you can modify a GPC's gPCFileSysPath attribute so that it points to an SMB share under your control instead of the real GPT in SYSVOL. This is where GPOddity.py comes into play. It simulates a domain-joined SMB server that serves a modified copy of the legitimate GPT, so the Group Policy client fetches and applies your payload while the GPO's files in SYSVOL look untouched.
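The two halves of a GPO described above can be checked offline: the GPT payload (here a Group Policy Preferences ScheduledTasks.xml with an immediate task and item-level targeting, the kind of entry GroupPolicyBackdoor.py-style injection leaves behind) and the GPC's gPCFileSysPath, which a relay-based redirection moves out of SYSVOL. This is an added example written for this page, not code from the talk or from gpoParser.py, GroupPolicyBackdoor.py or GPOddity.py; the XML, the hostnames, the domain corp.example.local and the GUIDs other than the well-known Default Domain Policy GUID are constructed.

```python
"""Offline checks on a GPO's two halves: GPT task files and the GPC path.
Added example, not code from the talk or its tools. The XML, hosts, domain
and task GUID below are constructed for the example."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample of Machine\Preferences\ScheduledTasks\ScheduledTasks.xml:
# one "immediate" task, item-level targeted at a single host, running as
# SYSTEM, that adds a domain user to the local Administrators group.
SAMPLE_SCHEDULED_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}"
      name="Windows Update Helper" image="0" changed="2025-08-01 10:00:00"
      uid="{0F5B3C12-1111-2222-3333-444455556666}">
    <Properties action="C" name="Windows Update Helper"
        runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c net localgroup Administrators CORP\\jdoe /add</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="JUMP01"/>
    </Filters>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Command lines that change group membership or run encoded PowerShell.
PRIV_PATTERNS = [
    r"\bnet1?(\.exe)?\s+(local)?group\b.*/add\b",
    r"\badd-(ad)?groupmember\b",
    r"\badd-localgroupmember\b",
    r"\bpowershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s",
]
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}


@dataclass
class GppTask:
    kind: str                # ImmediateTaskV2, TaskV2, ...
    name: str
    run_as: str
    command: str             # Command and Arguments joined
    filters: list[dict] = field(default_factory=list)   # item-level targeting


def parse_scheduled_tasks(xml_text: str) -> list[GppTask]:
    """Flatten every task in a ScheduledTasks.xml into GppTask records."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    tasks = []
    for node in root:
        props = node.find("Properties")
        if props is None:
            continue
        command = ""
        exec_node = props.find("./Task/Actions/Exec")
        if exec_node is not None:
            parts = (exec_node.findtext("Command"), exec_node.findtext("Arguments"))
            command = " ".join(p for p in parts if p).strip()
        filters = [{"filter": f.tag, **f.attrib} for f in node.findall("./Filters/*")]
        tasks.append(GppTask(kind=node.tag, name=node.get("name", ""),
                             run_as=props.get("runAs", ""), command=command,
                             filters=filters))
    return tasks


def is_suspicious(task: GppTask) -> bool:
    # The command line is the deciding signal: SYSTEM and targeting on their
    # own are normal for legitimate GPP tasks.
    return any(re.search(p, task.command, re.IGNORECASE) for p in PRIV_PATTERNS)


def suspicious_reasons(task: GppTask) -> list[str]:
    """Human-readable context for a triage note; empty if nothing stands out."""
    reasons = []
    if task.run_as.lower() in SYSTEM_ACCOUNTS and task.kind.startswith("Immediate"):
        reasons.append("immediate task running as SYSTEM")
    if is_suspicious(task):
        reasons.append(f"privilege-changing command: {task.command}")
    if task.filters:
        targets = ", ".join(f.get("name", f["filter"]) for f in task.filters)
        reasons.append(f"item-level targeting limits scope to: {targets}")
    return reasons


def gpc_path_is_expected(gpc_file_sys_path: str, domain_fqdn: str, gpo_guid: str) -> bool:
    r"""A legitimate GPC's gPCFileSysPath points into the domain's own SYSVOL:
    \\<domain>\SysVol\<domain>\Policies\<guid>. A path on any other host or
    share is what a GPOddity-style redirection leaves behind."""
    expected = (rf"^\\\\{re.escape(domain_fqdn)}\\sysvol\\{re.escape(domain_fqdn)}"
                rf"\\policies\\{re.escape(gpo_guid)}\\?$")
    return re.match(expected, gpc_file_sys_path, re.IGNORECASE) is not None


if __name__ == "__main__":
    for t in parse_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(t.kind, repr(t.name), "->", suspicious_reasons(t))
    guid = "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # Default Domain Policy
    print(gpc_path_is_expected(
        rf"\\corp.example.local\SysVol\corp.example.local\Policies\{guid}",
        "corp.example.local", guid))
```

Run it against a GPT pulled from SYSVOL (or from a rogue share a client has been redirected to) and against the gPCFileSysPath values of every GPC: a task that matches PRIV_PATTERNS, or a GPC whose path leaves the domain SYSVOL, is worth a closer look whichever side of the engagement you are on.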

Even more dangerous is GPO link poisoning. Group Policy is applied according to the chain of containers an object sits in, not according to the object's own ACL. So if you have write access to an OU's gPLink attribute, you can link a GPO you control to it, and the policy reaches every user and computer beneath it, including "protected" objects whose own ACLs you cannot modify (accounts with adminCount=1 whose ACLs AdminSDHolder resets, for instance) and, if you mark the link as enforced, even child OUs that block inheritance. The OUned tool automates this: it injects a link to a malicious GPO and removes it again afterward to clean up your tracks.
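The precedence rules that gpoParser.py has to resolve and that link poisoning exploits fit in a few dozen lines. The following is an added example written for this page, not code from gpoParser.py or OUned: it parses gPLink, computes the order in which a client applies the GPOs linked along an OU chain (honouring disabled links, enforced links and gPOptions block-inheritance), and shows that an enforced link written on a parent OU still lands on a child OU that blocks inheritance. The domain, OU and GPO DNs are constructed, apart from the well-known Default Domain Policy GUID.

```python
"""gPLink parsing, precedence resolution and link injection on constructed
data. Added example; not code from gpoParser.py or OUned. All DNs and GUIDs
are made up except the well-known Default Domain Policy GUID."""
from __future__ import annotations

import re
from dataclasses import dataclass

# gPLink value: "[LDAP://<gpo dn>;<flags>][LDAP://<gpo dn>;<flags>]..."
# The first entry has the highest precedence within its container.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
FLAG_DISABLED = 1                  # link present but not applied
FLAG_ENFORCED = 2                  # cannot be overridden or blocked below
GPOPTIONS_BLOCK_INHERITANCE = 1    # container's gPOptions attribute


@dataclass
class GpoLink:
    gpo_dn: str
    flags: int = 0

    @property
    def disabled(self) -> bool:
        return bool(self.flags & FLAG_DISABLED)

    @property
    def enforced(self) -> bool:
        return bool(self.flags & FLAG_ENFORCED)


@dataclass
class Container:
    dn: str
    gplink: str = ""
    gpoptions: int = 0


def parse_gplink(gplink: str) -> list[GpoLink]:
    return [GpoLink(dn, int(flags)) for dn, flags in LINK_RE.findall(gplink or "")]


def build_gplink(links: list[GpoLink]) -> str:
    return "".join(f"[LDAP://{link.gpo_dn};{link.flags}]" for link in links)


def resolve_applied_gpos(chain: list[Container]) -> list[str]:
    """chain runs from the domain down to the target OU (site links omitted).
    Returns GPO DNs in the order the client applies them; the last one wins.
    Non-enforced links apply domain -> OU and are dropped by a container that
    blocks inheritance. Enforced links always apply, after every non-enforced
    one, from the OU back up to the domain, so the domain's enforced link is
    final."""
    normal: list[str] = []
    enforced_per_level: list[list[str]] = []
    for container in chain:
        if container.gpoptions & GPOPTIONS_BLOCK_INHERITANCE:
            normal = []   # inherited non-enforced links stop here
        # reversed(): lowest precedence first, so the first gPLink entry is applied last
        links = [link for link in reversed(parse_gplink(container.gplink)) if not link.disabled]
        normal.extend(link.gpo_dn for link in links if not link.enforced)
        enforced_per_level.append([link.gpo_dn for link in links if link.enforced])
    applied = list(normal)
    for level in reversed(enforced_per_level):
        applied.extend(level)
    return applied


def inject_link(gplink: str, gpo_dn: str, enforced: bool = True) -> str:
    """Prepend a link so it has top precedence in this container. Enforced, it
    also pierces Block Inheritance on child OUs. Policy is applied per OU
    chain, so the child objects' own ACLs never enter into it: a gPLink write
    on a parent OU reaches objects you could not touch directly."""
    others = [link for link in parse_gplink(gplink) if link.gpo_dn.lower() != gpo_dn.lower()]
    return build_gplink([GpoLink(gpo_dn, FLAG_ENFORCED if enforced else 0)] + others)


def remove_link(gplink: str, gpo_dn: str) -> str:
    """Cleanup: drop every link to the GPO and leave the others untouched."""
    return build_gplink([link for link in parse_gplink(gplink)
                         if link.gpo_dn.lower() != gpo_dn.lower()])


# Constructed lab: domain -> OU=Tier0 -> OU=JumpServers (blocks inheritance).
DOMAIN_DN = "DC=corp,DC=example,DC=local"
POLICIES = f"CN=Policies,CN=System,{DOMAIN_DN}"
GPO_DEFAULT = f"CN={{31B2F340-016D-11D2-945F-00C04FB984F9}},{POLICIES}"   # Default Domain Policy
GPO_BASELINE = f"CN={{5E0A1C9D-0000-4000-8000-000000000001}},{POLICIES}"  # constructed
GPO_JUMP = f"CN={{5E0A1C9D-0000-4000-8000-000000000002}},{POLICIES}"      # constructed
GPO_EVIL = f"CN={{5E0A1C9D-0000-4000-8000-0000000000FF}},{POLICIES}"      # constructed
TIER0_DN = f"OU=Tier0,{DOMAIN_DN}"


def lab_chain() -> list[Container]:
    return [
        Container(DOMAIN_DN, f"[LDAP://{GPO_DEFAULT};0]"),
        Container(TIER0_DN, f"[LDAP://{GPO_BASELINE};0]"),
        Container(f"OU=JumpServers,{TIER0_DN}", f"[LDAP://{GPO_JUMP};0]",
                  gpoptions=GPOPTIONS_BLOCK_INHERITANCE),
    ]


def poisoning_demo() -> tuple[list[str], list[str]]:
    """GPOs the jump servers apply before and after an enforced link to
    GPO_EVIL is written on OU=Tier0 (the writable parent, not the blocked child)."""
    before = resolve_applied_gpos(lab_chain())
    chain = lab_chain()
    chain[1].gplink = inject_link(chain[1].gplink, GPO_EVIL, enforced=True)
    return before, resolve_applied_gpos(chain)


if __name__ == "__main__":
    before, after = poisoning_demo()
    print("before:", before)
    print("after: ", after)
```

Note what the block-inheritance flag buys the defender: nothing against an enforced link from above. The non-enforced baseline GPO on OU=Tier0 never reaches the jump servers, while the enforced injected link does, and it is applied last, so its settings win over the jump servers' own GPO.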

Real-World Applicability

During a red team engagement, these techniques are game-changers. Imagine you have compromised a low-privileged workstation in a network-isolated segment. You cannot move laterally to the domain controller from there, but LDAP and SYSVOL are reachable (they have to be, for domain logons to work), and your user turns out to have write access to a GPO that applies to a jump server used by domain administrators. By injecting a scheduled task that adds your user to the local Administrators group on that jump server, you gain a foothold on the one machine where domain admin credentials are routinely typed, and it becomes your staging point for full domain compromise.

The impact is absolute. Once you hold domain admin rights, you can dump credentials, exfiltrate sensitive data, or plant persistent backdoors that are very hard to evict without treating the entire domain as compromised and rebuilding trust from scratch.

Defensive Hardening

Defending against GPO abuse requires a rigorous approach to least privilege. Audit GPO permissions regularly, on both the GPC objects in LDAP and the matching folders in SYSVOL, and audit who can write gPLink on OUs, the domain and sites. Use tools like BloodHound to visualize the attack paths that lead to GPO write access, and ensure that only the absolute minimum number of accounts can modify GPOs or their links. Enforce LDAP signing and channel binding on domain controllers to close the NTLM-relay route, and alert on Directory Service Changes events (Event ID 5136) that touch gPLink, gPCFileSysPath or a GPC's version and extension attributes from any account outside your Group Policy administration group. Furthermore, implement Tiered Administration to keep high-privileged accounts from logging into lower-tier machines, which significantly limits the effectiveness of these attacks: a backdoored jump server only pays off if a domain admin still logs into it.
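A minimal version of that alerting logic, as an added example for this page and not code from the talk: it runs over a handful of constructed Event ID 5136 (Directory Service Changes) records reduced to the fields the rule needs, flags GPC and gPLink modifications made by accounts outside an allow-list of Group Policy editors, and flags any gPCFileSysPath that leaves the domain's SYSVOL regardless of who set it. The allow-list, the account names, the domain corp.example.local and the GUIDs are assumptions made for the example.

```python
"""Detection logic for GPO tampering over constructed Event ID 5136 records.
Added example, not from the talk. Records are made up and reduced to the
fields the rule uses; the editor allow-list is an assumption."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DsChangeEvent:
    """The 5136 fields the rule needs, named after the event's own labels."""
    subject: str          # Subject > Account Name, e.g. "CORP\\jdoe"
    object_dn: str        # Object > DN
    object_class: str     # Object > Class
    attribute: str        # Attribute > LDAP Display Name
    value: str            # Attribute > Value
    operation: str        # Operation > Type: "Value Added" / "Value Deleted"


# Attributes whose modification changes what policy clients will execute,
# with the object classes they legitimately live on.
WATCHED = {
    "gPLink": ("organizationalUnit", "domainDNS", "site"),
    "gPOptions": ("organizationalUnit", "domainDNS"),
    "gPCFileSysPath": ("groupPolicyContainer",),
    "gPCMachineExtensionNames": ("groupPolicyContainer",),
    "gPCUserExtensionNames": ("groupPolicyContainer",),
    "versionNumber": ("groupPolicyContainer",),
}
HIGH = {"gPLink", "gPCFileSysPath"}   # link poisoning, GPT redirection


def detect(events: list[DsChangeEvent], allowed_subjects: set[str], domain_fqdn: str) -> list[dict]:
    """One alert per relevant modification. A watched attribute changed by an
    account outside the allow-list, or a gPCFileSysPath outside the domain
    SYSVOL, is flagged; versionNumber churn by an approved editor is normal
    GPMC activity and stays quiet."""
    allowed = {s.lower() for s in allowed_subjects}
    sysvol_prefix = f"\\\\{domain_fqdn.lower()}\\sysvol\\"
    alerts = []
    for e in events:
        classes = WATCHED.get(e.attribute)
        # 5136 logs the old value as "Value Deleted" and the new one as
        # "Value Added"; rule on the new value only to avoid double alerts.
        if classes is None or e.object_class not in classes or e.operation != "Value Added":
            continue
        reasons = []
        if e.subject.lower() not in allowed:
            reasons.append(f"{e.subject} is not an approved Group Policy editor")
        if e.attribute == "gPCFileSysPath" and not e.value.lower().startswith(sysvol_prefix):
            reasons.append("gPCFileSysPath points outside the domain SYSVOL (GPT redirection)")
        if reasons:
            alerts.append({"severity": "high" if e.attribute in HIGH else "medium",
                           "subject": e.subject, "object": e.object_dn,
                           "attribute": e.attribute, "reasons": reasons})
    return alerts


# Constructed sample records (all names, GUIDs and values are made up).
DOMAIN = "DC=corp,DC=example,DC=local"
POLICIES = f"CN=Policies,CN=System,{DOMAIN}"
GPC_BASELINE = f"CN={{5E0A1C9D-0000-4000-8000-000000000001}},{POLICIES}"
GPC_EVIL = f"CN={{5E0A1C9D-0000-4000-8000-0000000000FF}},{POLICIES}"
ALLOWED_EDITORS = {"CORP\\gpoadmin"}     # assumption: the GPO admin role account

SAMPLE_EVENTS = [
    DsChangeEvent("CORP\\gpoadmin", GPC_BASELINE, "groupPolicyContainer",
                  "versionNumber", "7", "Value Added"),                        # routine edit
    DsChangeEvent("CORP\\jdoe", f"OU=Tier0,{DOMAIN}", "organizationalUnit", "gPLink",
                  f"[LDAP://{GPC_EVIL};2][LDAP://{GPC_BASELINE};0]", "Value Added"),   # link poisoning
    DsChangeEvent("CORP\\jdoe", GPC_BASELINE, "groupPolicyContainer", "gPCFileSysPath",
                  "\\\\10.0.0.50\\share\\{5E0A1C9D-0000-4000-8000-000000000001}",
                  "Value Added"),                                             # GPT redirection
    DsChangeEvent("CORP\\gpoadmin", GPC_BASELINE, "groupPolicyContainer", "gPCFileSysPath",
                  "\\\\corp.example.local\\SysVol\\corp.example.local\\Policies\\"
                  "{5E0A1C9D-0000-4000-8000-000000000001}", "Value Added"),   # legitimate path
    DsChangeEvent("CORP\\svc-hr", f"CN=Jane Doe,OU=Users,{DOMAIN}", "user",
                  "description", "Finance", "Value Added"),                   # unrelated
    DsChangeEvent("CORP\\jdoe", f"OU=Tier0,{DOMAIN}", "organizationalUnit", "gPLink",
                  f"[LDAP://{GPC_BASELINE};0]", "Value Deleted"),             # old value, skipped
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ALLOWED_EDITORS, "corp.example.local"):
        print(alert["severity"].upper(), alert["attribute"], alert["object"], alert["reasons"])
```

The events only exist if the "Directory Service Changes" audit subcategory is enabled and a SACL on the policies container, OUs and domain head requests write auditing; without that, 5136 never fires and the rule has nothing to read.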

GPOs are a goldmine for attackers who know where to look. They offer a level of persistence and control that is hard to match with traditional malware. As a researcher or pentester, your goal should be to understand these mechanisms better than the defenders do. Start by auditing your own environment or your next client's domain for these misconfigurations. You will likely be surprised by what you find.

Talk Type: research presentation
Difficulty: advanced
Category: red team
Has Demo · Has Code · Tool Released


DEF CON 33 Main Stage Talks

98 talks · 2025