Applies to BloodHound Enterprise and CE The ability to alter the gPLink attribute may allow an attacker to apply a malicious Group Policy Object (GPO) to all child user and computer objects (including the ones located in nested OUs). This can be exploited to make said child objects execute arbitrary commands through an immediate scheduled task, thus compromising them.

Abuse Info

An attacker with permission to modify the gPLink attribute can link GPOs to the object, affecting all contained users and computers. The GPO can be weaponized by injecting a malicious configuration, such as a scheduled task executing a malicious script. The GPO can be linked as enforced to bypass blocked GPO inheritance. WMI or security filtering can be used to limit the impact to specific accounts, which is important in environments with many users or computers under the affected scope. Refer to A Red Teamer’s Guide to GPOs and OUs for details about the abuse technique, and check out the following tools for practical exploitation:

Without control over a GPO

An attacker can still execute the attack without control over a GPO by setting up a fake LDAP server to host a GPO. This approach requires the ability to add non-existent DNS records and create machine accounts, or access to a compromised domain-joined machine. However, this method is complex and requires significant setup. From a domain-joined compromised Windows machine, the write access to the gPLink attribute may be abused through Powermad, PowerView and native Windows functionalities. For a detailed outline of exploit requirements and implementation, you can refer to this article: OU having a laugh? From a Linux machine, the write access to the gPLink attribute may be abused using the OUned.py exploitation tool. For a detailed outline of exploit requirements and implementation, you can refer to the article associated to the OUned.py tool.

Opsec Considerations

There is no opsec information for this edge.

References

This edge is related to the following MITRE ATT&CK technique:

Abuse info references