BIPI

GPO Abuse and Group Policy Persistence in AD Environments

Cybersecurity

Group Policy is the most powerful and least-audited configuration channel in Windows. A pentester guide to GPO write abuse, scheduled task injection, and durable persistence.

By Arjun Raghavan, Security & Systems Lead, BIPI · December 1, 2024 · 9 min read

#group-policy#active-directory#persistence#red-team

Group Policy is the most powerful configuration channel in Windows. The Group Policy client runs as SYSTEM on every joined machine, fetches its payload from SYSVOL, and applies it on a background cycle: every 90 minutes plus a random offset of up to 30 minutes on member machines, every 5 minutes on domain controllers, and again at boot and logon. Anything you can write into a linked GPO becomes code execution across the scope of the link. That makes GPO write rights one of the highest-value privileges in AD.

Finding GPO write paths

BloodHound edges to look for on GPO objects: GenericAll, GenericWrite, WriteDacl and WriteOwner. WriteDacl and WriteOwner are two-step paths (grant yourself write or take ownership first, then edit). AddSelf and AllExtendedRights do not help here: the first applies to group membership and the second to extended rights a GPO object does not carry. Permissions set through GPMC are mirrored from the AD object onto the GPO's SYSVOL folder, so also check the NTFS ACLs on the Policies\{GUID} folders directly; they diverge when an admin has changed them by hand, and the folder is where the payload actually lives.

  • Custom Cypher: MATCH p=(u:User)-[:GenericAll|GenericWrite|WriteDacl|WriteOwner]->(g:GPO) RETURN p
  • PowerView: Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs
  • PowerView: Get-DomainOU -GPLink '<GPO GUID>' lists the OUs that link a given GPO; Get-DomainGPO -ComputerIdentity <host> lists the GPOs applied to a host. (Get-NetGPO -ComputerName is the older name for the latter; it does not enumerate links.)
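The enumeration above, as an added example that is not part of the original post: it walks every GPO with PowerView (which must already be loaded; Get-DomainGPO, Get-DomainObjectAcl and ConvertFrom-SID are its cmdlets), reports write-capable ACEs held by anything outside the usual Tier 0 principals, and compares the AD DACL with the NTFS ACL on the SYSVOL folder, which is where hand-edited permissions show up. The Tier 0 SID pattern and the $WriteRights filter are my assumptions; extend them for the environment's own admin groups.

```powershell
# Added example, not from the original post. Requires PowerView to be loaded.
# Lists write paths into GPOs: ACEs on the AD object and on the SYSVOL folder.

# Principals expected to hold write rights on any GPO: SYSTEM, BUILTIN\Administrators,
# CREATOR OWNER, ENTERPRISE DOMAIN CONTROLLERS, and the Domain Admins / Enterprise Admins /
# Group Policy Creator Owners RIDs. Assumed baseline; extend it for your own Tier 0 groups.
$ExpectedSidPattern = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-9|S-1-5-21-[\d-]+-(512|519|520))$'

# Rights that let a principal change the GPO, directly or after a DACL/owner change.
$WriteRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

function ConvertTo-SidString {
    # Get-Acl returns NTAccount references; normalise them to a SID string.
    param([System.Security.Principal.IdentityReference]$Identity)
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }   # orphaned SID, already in S-1-... form
}

function Get-GpoWritePath {
    [CmdletBinding()]
    param()

    foreach ($gpo in (Get-DomainGPO -Properties displayname,name,distinguishedname,gpcfilesyspath)) {

        # 1. DACL on the Group Policy Container object in AD. AceType is 'AccessAllowed'
        #    for plain ACEs and 'AccessAllowedObject' for attribute-specific ones.
        $adSids = @()
        Get-DomainObjectAcl -Identity $gpo.distinguishedname -ResolveGUIDs |
            Where-Object { $_.AceType -match '^AccessAllowed' -and $_.ActiveDirectoryRights -match $WriteRights } |
            ForEach-Object {
                $sid = "$($_.SecurityIdentifier)"
                $adSids += $sid
                if ($sid -notmatch $ExpectedSidPattern) {
                    [pscustomobject]@{
                        GPO       = $gpo.displayname
                        Guid      = $gpo.name
                        Source    = 'AD object'
                        Principal = ConvertFrom-SID $sid
                        Rights    = "$($_.ActiveDirectoryRights)"
                        Attribute = "$($_.ObjectAceType)"   # 'None' = whole object; a name = WriteProperty on that attribute only
                    }
                }
            }

        # 2. NTFS ACL on the SYSVOL folder. GPMC mirrors the AD DACL here, so a writer that
        #    is present on the folder but absent from the AD object was added by hand.
        try {
            (Get-Acl -Path $gpo.gpcfilesyspath -ErrorAction Stop).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles|CreateDirectories' } |
                ForEach-Object {
                    $sid = ConvertTo-SidString $_.IdentityReference
                    if ($sid -notmatch $ExpectedSidPattern) {
                        $source = if ($adSids -contains $sid) { 'SYSVOL (mirrors AD)' } else { 'SYSVOL only: hand-edited NTFS ACL' }
                        [pscustomobject]@{
                            GPO       = $gpo.displayname
                            Guid      = $gpo.name
                            Source    = $source
                            Principal = "$($_.IdentityReference)"
                            Rights    = "$($_.FileSystemRights)"
                            Attribute = ''
                        }
                    }
                }
        } catch {
            Write-Warning "Cannot read ACL on $($gpo.gpcfilesyspath): $($_.Exception.Message)"
        }
    }
}

# Usage: Get-GpoWritePath | Sort-Object GPO, Source | Format-Table -AutoSize
```

Rows marked 'SYSVOL only' are the manual NTFS changes the text warns about; rows with a named Attribute are WriteProperty on a single attribute and only matter if that attribute is one the client reads (versionNumber or the gPC*ExtensionNames pair).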

Editing the GPO

Once you have write rights, SharpGPOAbuse or pyGPOAbuse will inject the payload for you. The reliable primitives are immediate scheduled tasks, startup and logon scripts, and local group membership changes. Each one is a file under the GPO's SYSVOL folder plus a version bump and the matching client-side extension GUID on the GPO object; without the latter two the client never processes the file, which is the bookkeeping the tools do for you.

  1. Immediate Scheduled Task: runs at the next policy refresh, executes as SYSTEM, leaves a ScheduledTasks.xml under Machine\Preferences\ScheduledTasks in SYSVOL (the task deletes itself after running; the XML does not)
  2. User Logon Script: easier to spot, runs as the user, useful for credential harvest
  3. Restricted Groups: add your account to local Administrators on every machine the GPO applies to. Use the additive "member of" form; the "members of this group" form replaces the existing membership, which is loud and breaks things
  4. Files preference with replace action: drop a binary into a startup path

Targeting

The blast radius is the link. A GPO linked to the Domain Controllers OU plus write rights equals DA on the DC refresh cycle, which is 5 minutes. A GPO linked to a workstation OU equals SYSTEM on every workstation in scope within 90 to 120 minutes, or at next boot. Pick targets that match the engagement objective rather than the largest scope, both for OPSEC and for client impact.
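The blast-radius check, as an added example (not the post's own code): given a GPO, it finds every OU and the domain head that links it, decodes the link options (disabled, enforced) and the GPO's own flags (computer side disabled), counts the computers beneath each link point and reports how many of them are domain controllers. PowerView must already be loaded; the regex over gPLink and the assumption that inheritance is not blocked below the link point are mine.

```powershell
# Added example, not from the original post. Requires PowerView to be loaded.
# Resolves where a GPO is linked and how many computers that reaches.

function Get-GpoBlastRadius {
    [CmdletBinding()]
    param(
        # GUID (with braces) or display name, e.g. 'Workstation Baseline'
        [Parameter(Mandatory)][string]$Identity
    )

    $gpo = Get-DomainGPO -Identity $Identity -Properties name,displayname,flags
    if (-not $gpo) { throw "GPO '$Identity' not found" }
    $guid = "$($gpo.name)"                       # PowerView exposes the {GUID} as 'name'

    # GPO flags: 1 = user settings disabled, 2 = computer settings disabled, 3 = both.
    $computerSideDisabled = (([int]$gpo.flags) -band 2) -ne 0

    # gPLink is held by OUs and by the domain head. Each entry looks like
    # [LDAP://cn={GUID},cn=policies,cn=system,DC=corp,DC=example;<options>]
    # where options bit 0 = link disabled and bit 1 = enforced.
    $linkRegex = "\[LDAP://cn=$([regex]::Escape($guid)),[^;\]]+;(\d+)\]"
    $holders   = Get-DomainObject -LDAPFilter "(gPLink=*$guid*)" -Properties distinguishedname,gplink

    foreach ($holder in $holders) {
        $m = [regex]::Match("$($holder.gplink)", $linkRegex, 'IgnoreCase')
        if (-not $m.Success) { continue }
        $options      = [int]$m.Groups[1].Value
        $linkDisabled = ($options -band 1) -ne 0
        $enforced     = ($options -band 2) -ne 0

        # Computers at or below the link point. This is an upper bound: a child OU with
        # inheritance blocked escapes a non-enforced link, and WMI/security filtering is
        # not evaluated here.
        $computers = @(Get-DomainComputer -SearchBase $holder.distinguishedname -Properties distinguishedname)
        $dcs       = @($computers | Where-Object { $_.distinguishedname -like '*OU=Domain Controllers,*' })

        $inScope = if ($linkDisabled -or $computerSideDisabled) { 0 } else { $computers.Count }
        $dcCount = if ($inScope -gt 0) { $dcs.Count } else { 0 }

        [pscustomobject]@{
            GPO                  = $gpo.displayname
            LinkedAt             = $holder.distinguishedname
            LinkDisabled         = $linkDisabled
            Enforced             = $enforced
            ComputerSideDisabled = $computerSideDisabled
            ComputersInScope     = $inScope
            DomainControllers    = $dcCount
        }
    }
}

# Usage: Get-GpoBlastRadius -Identity 'Default Domain Policy' | Format-Table -AutoSize
# A non-zero DomainControllers column plus write rights on the GPO is the 5-minute DA path.
```

A disabled link or a GPO with its computer side disabled has a blast radius of zero until someone flips the bit, which is itself a gPLink or flags write worth watching.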

GenericWrite on a GPO linked to the Domain Controllers OU is functionally equivalent to Domain Admin, on a 5-minute clock.

OPSEC notes

Every change you make bumps the GPO version in two places, gpt.ini in SYSVOL and the versionNumber attribute on the Group Policy Container in AD; clients only re-apply a GPO whose version has changed, which is why the tools bump both. The SYSVOL change replicates to every DC and is visible to anyone running a diff. Use gpupdate /force from a target machine to force a fast apply for proof. Roll back immediately after capture, restoring the original files and both version values, to shorten the window in which the diff is visible. Rollback does not undo what the edit already did on clients (the immediate task has run), and it does not erase the record: the container's whenChanged and uSNChanged advance again, replication metadata (repadmin /showobjmeta) keeps both edits, and any Event 5136 already logged stays logged.
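The version bookkeeping the tools do under the hood, and the post-rollback check, as an added example that is not the post's code and serves both the editing primitives above and the rollback note. It decodes versionNumber into its user and computer halves, parses gpt.ini, and reports whether a GPO's AD object and SYSVOL folder agree and whether the Scheduled Tasks client-side extension is registered on the object, which the immediate-task primitive needs before the XML is processed at all. The CSE/tool GUID pair is the documented one for Preferences Scheduled Tasks, but confirm it against a GPMC-created GPO in your own forest. Only [ADSI] and the file system are used, so it runs without RSAT; the gpt.ini sample at the bottom is constructed for the offline part, and the DN and path in the usage comment are placeholders.

```powershell
# Added example, not from the original post. Uses only [ADSI] and the file system.

# Preferences Scheduled Tasks: client-side extension GUID and tool GUID, as GPMC writes
# them into gPCMachineExtensionNames. Confirm against a GPMC-created GPO before relying on them.
$SchedTaskCse  = '{AADCED64-746C-4633-A97C-D61349046527}'
$SchedTaskTool = '{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}'

function ConvertFrom-GpoVersion {
    # versionNumber packs two 16-bit counters: user settings in the high word,
    # computer settings in the low word. 65539 decodes to user 1, computer 3.
    param([Parameter(Mandatory)][int]$Version)
    [pscustomobject]@{
        User     = ($Version -shr 16) -band 0xFFFF
        Computer = $Version -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # gpt.ini is a one-section INI: [General] followed by Version=<n>.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null
}

function Test-GpoEditConsistency {
    param(
        [Parameter(Mandatory)][string]$GpoDN,       # 'CN={GUID},CN=Policies,CN=System,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$SysvolPath,  # the GPO's gPCFileSysPath
        [string]$Cse = $SchedTaskCse
    )
    $gpc        = [ADSI]"LDAP://$GpoDN"
    $adVersion  = [int]$gpc.Properties['versionNumber'].Value
    $extensions = [string]$gpc.Properties['gPCMachineExtensionNames'].Value
    $iniVersion = Get-GptIniVersion -Lines (Get-Content -Path (Join-Path $SysvolPath 'gpt.ini'))
    if ($null -eq $iniVersion) { throw "gpt.ini under $SysvolPath has no Version line" }

    $ad      = ConvertFrom-GpoVersion $adVersion
    $ini     = ConvertFrom-GpoVersion $iniVersion
    $taskXml = Join-Path $SysvolPath 'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml'

    [pscustomobject]@{
        AdComputerVersion  = $ad.Computer
        IniComputerVersion = $ini.Computer
        VersionsAgree      = ($adVersion -eq $iniVersion)     # false = half-done edit or half-done rollback
        CseRegistered      = ($extensions -like "*$Cse*")      # false = the XML is never processed
        TaskXmlPresent     = (Test-Path -Path $taskXml)
        WhenChanged        = $gpc.Properties['whenChanged'].Value   # advances on rollback too; the edit is not erased
    }
}

# Offline part, on a constructed gpt.ini (not a real capture):
$sampleIni = @('[General]', 'Version=65539')
$v = ConvertFrom-GpoVersion (Get-GptIniVersion -Lines $sampleIni)
"gpt.ini version 65539 = user $($v.User), computer $($v.Computer)"   # user 1, computer 3

# Live: run once after the edit and once after rollback, e.g.
# Test-GpoEditConsistency -GpoDN 'CN={GUID},CN=Policies,CN=System,DC=corp,DC=example' `
#     -SysvolPath '\\corp.example\SYSVOL\corp.example\Policies\{GUID}'
```

A computer-side edit increments only the low word, so an immediate-task injection on a GPO at 65539 leaves it at 65540 in both places; a VersionsAgree of false after rollback means one of the two was missed, which is also exactly what version-consistency checks on the blue side flag.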

Detection

  • Event 5136 (directory service object modified) on groupPolicyContainer objects, in particular versionNumber, gPCMachineExtensionNames and gPCUserExtensionNames changed by accounts outside the standard admin baseline; this needs "Audit Directory Service Changes" enabled and a SACL on the Policies container
  • SYSVOL file integrity monitoring for new or modified XML, PS1, BAT, EXE and GptTmpl.inf files under Policies\{GUID}\Machine and \User
  • On endpoints, Event 4698 (scheduled task created, under "Audit Other Object Access Events") for tasks created by the Scheduled Tasks CSE, and process creation (4688 or Sysmon event 1) with gpscript.exe or the Task Scheduler service host as the parent, both clustered at policy refresh time

Remediation

  1. Audit ACLs on every GPO and the GPO container, restrict write to Tier 0 admins only.
  2. Restrict who can link GPOs at the OU level via delegated permissions on the OU itself, not just the GPO.
  3. Monitor SYSVOL via FIM or Defender for Identity for unusual modifications.
  4. Tier the Group Policy administration role: membership of Group Policy Creator Owners and the GPMC "Edit settings, delete, modify security" delegations. Most enterprises grant both too widely.
  5. Use AGPM or a change-control workflow for any production GPO modification.
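Items 2 and 4 of the list as a check, added here and not from the original post: with PowerView loaded, the first function lists principals who can link GPOs to any OU or to the domain head (write on gPLink or gPOptions, or a generic right that implies it), the second lists who sits in Group Policy Creator Owners. The Tier 0 SID pattern is an assumed baseline, and the two schema GUIDs are there so the check also works when ObjectAceType comes back unresolved; verify them against your own schema.

```powershell
# Added example, not from the original post. Requires PowerView to be loaded.

# schemaIDGUIDs of gPLink and gPOptions, the attributes GPMC's "Manage Group Policy links"
# delegation grants write on. Verify with Get-DomainObject on CN=GP-Link,CN=Schema,... if in doubt.
$GpLinkGuid    = 'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
$GpOptionsGuid = 'f30e3bbf-9ff0-11d1-b603-0000f80367c1'

# Tier 0 principals expected to hold these rights: SYSTEM, Administrators, DA, EA. Assumed baseline.
$Tier0SidPattern = '^(S-1-5-18|S-1-5-32-544|S-1-5-21-[\d-]+-(512|519))$'

function Get-GpoLinkDelegation {
    [CmdletBinding()]
    param()
    # Link points: every OU plus the domain head, which carries gPLink as well.
    $targets = @(Get-DomainOU -Properties distinguishedname) +
               @(Get-DomainObject -LDAPFilter '(objectClass=domainDNS)' -Properties distinguishedname)

    foreach ($t in $targets) {
        Get-DomainObjectAcl -Identity $t.distinguishedname -ResolveGUIDs |
            Where-Object {
                $sid  = "$($_.SecurityIdentifier)"
                $type = "$($_.ObjectAceType)"
                $_.AceType -match '^AccessAllowed' -and
                $sid -notmatch $Tier0SidPattern -and
                (
                    $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner' -or
                    ($_.ActiveDirectoryRights -match 'WriteProperty' -and
                     ($type -in @('None', 'GP-Link', 'GP-Options', $GpLinkGuid, $GpOptionsGuid)))
                )
            } |
            ForEach-Object {
                [pscustomobject]@{
                    LinkPoint = $t.distinguishedname
                    Principal = ConvertFrom-SID "$($_.SecurityIdentifier)"
                    Rights    = "$($_.ActiveDirectoryRights)"
                    Attribute = "$($_.ObjectAceType)"   # 'None' = WriteProperty on the whole object
                }
            }
    }
}

function Get-GpoCreatorOwner {
    # Members of Group Policy Creator Owners can create GPOs and own what they create;
    # paired with a link delegation from the function above, that is a complete write path.
    Get-DomainGroupMember -Identity 'Group Policy Creator Owners' -Recurse |
        Select-Object MemberName, MemberObjectClass, MemberDistinguishedName
}

# Usage:
# Get-GpoLinkDelegation | Format-Table -AutoSize
# Get-GpoCreatorOwner
```

A principal that appears in both outputs needs no existing GPO at all: create, edit, link. That is the pairing the remediation list is trying to break by restricting links on the OU rather than only on the GPO.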

GPO is a backdoor that ships with the operating system, configured by default, and rarely audited. Treat it as Tier 0 surface and the rest follows.
