Applies to BloodHound Enterprise and CE

The CanApplyGPO relationship connects an AD principal to an AD account (user or computer) that the principal can apply a Group Policy Object (GPO) to.

This edge is created when the principal has write access to the gPLink attribute of the domain or organizational unit (OU) containing the account, allowing them to link a GPO that will affect the target.

Click the Composition accordion to view where the principal has write access to gPLink.

Abuse Info

An attacker with permission to modify the gPLink attribute can link GPOs to the object, affecting all contained users and computers. The GPO can be weaponized by injecting a malicious configuration, such as a scheduled task executing a malicious script.

The GPO can be linked as enforced to bypass blocked GPO inheritance. WMI or security filtering can be used to limit the impact to specific accounts, which is important in environments with many users or computers under the affected scope.

Refer to A Red Teamer’s Guide to GPOs and OUs for details about the abuse technique, and check out the following tools for practical exploitation:

Without control over a GPO

An attacker can still execute the attack without control over a GPO by setting up a fake LDAP server to host a GPO. This approach requires the ability to add non-existent DNS records and create machine accounts, or access to a compromised domain-joined machine. However, this method is complex and requires significant setup.

From a domain-joined compromised Windows machine, the write access to the gPLink attribute may be abused through Powermad, PowerView and native Windows functionalities. For a detailed outline of exploit requirements and implementation, you can refer to this article: OU having a laugh?

From a Linux machine, the write access to the gPLink attribute may be abused using the OUned.py exploitation tool. For a detailed outline of exploit requirements and implementation, you can refer to the article associated to the OUned.py tool.

Opsec Considerations

There is no opsec information for this edge.

References

This edge is related to the following MITRE ATT&CK technique:

Abuse info references