Nytro Posted March 16, 2016

Sneaky Active Directory Persistence #17: Group Policy
by Sean Metcalf

The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having held Domain Admin level rights for about 5 minutes.

Complete list of Sneaky Active Directory Persistence Tricks posts

This post explores how an attacker could leverage the built-in Active Directory management capability called Group Policy and how to mitigate the potential security issues.

Group Policy Overview

One of the key benefits of Active Directory is its management capability, and core to this capability is Group Policy. Group Policy has several parts to it and can be challenging to manage in a large enterprise without third-party tools.

Group Policy enables administrators to manage computers and users in Active Directory. Group Policies are saved as Group Policy Objects (GPOs), which are then linked to Active Directory objects such as sites, domains, or organizational units (OUs). Group Policies can include security options, registry keys, software installation, and scripts for startup and shutdown. Domain members refresh Group Policy settings every 90 minutes by default (5 minutes for Domain Controllers), which means that Group Policy continually enforces the configured settings on the targeted computer.

In most Active Directory implementations, there is at least one GPO linked to the domain defining mandated password, Kerberos, and domain-wide policies; at least one GPO linked to the Domain Controllers OU; and at least one GPO linked to a servers and workstations OU. These GPOs define security settings specific to the environment and often configure administrative groups, include startup/shutdown scripts, etc. GPOs can be configured to set organization-defined security requirements at each level, and can be used for installing software and setting file and registry permissions.
GPOs only apply to users and computers and can be filtered with groups or more specifically targeted using the Preferences component. The “No Override” option ensures that the settings in a Group Policy are applied even if a GPO closer to the resource has contradicting settings.

There are two Group Policy components:

1. The “Group Policy Container” is stored in Active Directory (<DOMAIN>, System, Policies).
2. The files that actually contain the policy settings (collectively referred to as the “Group Policy Template”) are stored in SYSVOL. All domain Group Policies are stored in the following domain share: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\

Each Group Policy Object in Active Directory has the following attributes (on the policy object in AD):

displayName: This is the name given to the GPO by the creator.
gPCFileSysPath: This points to the location in SYSVOL where the associated GPO files (aka “Group Policy Template”) are located.
gPCMachineExtensionNames: This attribute lists the GPO client-side extensions (CSEs) required by the client to process the machine-specific Group Policy settings.
gPCUserExtensionNames: This attribute lists the GPO client-side extensions (CSEs) required by the client to process the user-specific Group Policy settings.

Full article: https://adsecurity.org/?p=2716
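A defender can audit exactly the two components described above from the AD side. The following PowerShell is an added example, not code from the article or from adsecurity.org: it enumerates the Group Policy Containers under CN=Policies,CN=System, flags any gPCFileSysPath that points outside the domain's own \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ share, and pulls the CSE GUIDs out of gPCMachineExtensionNames / gPCUserExtensionNames. It assumes the RSAT ActiveDirectory module and a domain account with read access; the bracket layout assumed for the extension attributes is "[{CSE GUID}{tool GUID}...]" with the first GUID in each group being the CSE.

```powershell
# Added GPO audit example (not from the original article).
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$dnsRoot  = $domain.DNSRoot
# Expected location of every Group Policy Template, per the article.
# If your environment also uses the NetBIOS name in this path, add it to $allowed.
$allowed  = @("\\$dnsRoot\SYSVOL\$dnsRoot\Policies\")

# gPC*ExtensionNames is stored as "[{CSE}{tool}...][{CSE}{tool}...]";
# the first GUID inside each bracket group names the client-side extension.
function Get-CseGuid {
    param([string]$ExtensionNames)
    if (-not $ExtensionNames) { return @() }
    [regex]::Matches($ExtensionNames, '\[\{([0-9A-Fa-f-]{36})\}') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-TemplatePath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($prefix in $allowed) {
        if ($Path -like "$prefix*") { return $true }   # -like is case-insensitive
    }
    return $false
}

$props = 'displayName', 'gPCFileSysPath', 'gPCMachineExtensionNames',
         'gPCUserExtensionNames', 'whenChanged'

# The Group Policy Containers live under <DOMAIN>, System, Policies.
Get-ADObject -LDAPFilter '(objectClass=groupPolicyContainer)' `
    -SearchBase "CN=Policies,CN=System,$($domain.DistinguishedName)" `
    -Properties $props |
ForEach-Object {
    [pscustomobject]@{
        Name        = $_.displayName
        Guid        = $_.Name                 # CN of a GPC is its {GUID}
        Changed     = $_.whenChanged
        # $false means clients fetch the template from somewhere other than
        # the expected SYSVOL path; review that GPO and its path first.
        PathOk      = Test-TemplatePath $_.gPCFileSysPath
        Path        = $_.gPCFileSysPath
        MachineCSEs = (Get-CseGuid $_.gPCMachineExtensionNames) -join ','
        UserCSEs    = (Get-CseGuid $_.gPCUserExtensionNames) -join ','
    }
} | Sort-Object PathOk, Changed -Descending | Format-Table -AutoSize
```

Sorting on PathOk and whenChanged puts anomalous template paths and the most recently modified GPOs at the top, which is where a 5-minute Domain Admin window would leave its traces.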