GPO Stealth: Turn Active Directory Into Your C2 With the New GroupPolicyBackdoor Framework
GroupPolicyBackdoor is a Python utility for manipulating and exploiting Group Policy Objects (GPOs). GPO attack vectors can very often lead to impactful privilege escalation scenarios in Active Directory environments. And yet, offensive security professionals may be reluctant to leverage them, partly because of the perceived risks associated with GPO manipulation.
GroupPolicyBackdoor aims to provide a modular, stable and stealthy exploitation framework for GPO attack vectors, written entirely in Python. The tool was presented at DEFCON 33.
Main features
Here is an overview of GroupPolicyBackdoor's main features:
- Python implementation using ldap3 and smbprotocol (no impacket)
- GPO creation, deletion, backup and injection
- Various injectable configurations, with, for each, customizable options (see list in the wiki)
- Possibility to apply injected configurations only to specific objects, using filters that can be combined (hostname, security group, WMI query – see wiki)
- Possibility to remove injected configurations from the target GPO
- Possibility to revert the actions performed on client devices
- GPO link manipulation
- GPO enumeration / user privileges enumeration on GPOs
The configurations injected into target Group Policy Objects are called modules. Here is the list of the currently supported modules:
- Scheduled Tasks (add/remove a Scheduled Task or execute an immediate task).
- Groups (add/remove a user from a local group).
- Registry (set a registry key value).
- Files (create/remove files).
- Folders (create/remove folders).
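The Scheduled Tasks and Groups modules listed above land on clients as Group Policy Preferences XML files stored in SYSVOL. A defender reviewing a GPO for such injections can parse those files directly. The script below is an added example written for this article, not part of GroupPolicyBackdoor or any other project; the two XML documents it inspects are constructed samples that follow the Group Policy Preferences layout (all names, GUIDs, timestamps and the command are made up), and the function and file-path names are the example's own choices.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.
# Layout follows the Group Policy Preferences schema; all values are made up.
SAMPLE_SCHEDULED_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7031-4e0b-8B8B-C68D1B2AFF78}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0A51A7E2D6E3}" name="Maintenance"
      image="0" changed="2025-01-15 10:22:41" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="Maintenance" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c echo constructed-sample</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

# Constructed sample of a Machine\Preferences\Groups\Groups.xml adding a domain
# account to the local Administrators group (SID S-1-5-32-544).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)"
      image="2" changed="2025-01-15 10:23:05" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0"
        removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\\sample-user" action="ADD" sid="S-1-5-21-1-2-3-1105"/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

# SYSVOL-relative paths as a reviewer would collect them; the GPO GUID is a placeholder.
SAMPLE_FILES = {
    "{GPO-GUID-PLACEHOLDER}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": SAMPLE_SCHEDULED_TASKS_XML,
    "{GPO-GUID-PLACEHOLDER}/Machine/Preferences/Groups/Groups.xml": SAMPLE_GROUPS_XML,
}

# Built-in local groups whose membership changes deserve immediate attention.
HIGH_VALUE_GROUP_SIDS = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}


def _local(tag):
    """Strip any XML namespace prefix so tag matching works on either form."""
    return tag.rsplit("}", 1)[-1]


def find_immediate_tasks(xml_text):
    """Return each ImmediateTask/ImmediateTaskV2 entry with its principal and command line."""
    findings = []
    for task in ET.fromstring(xml_text).iter():
        if _local(task.tag) not in ("ImmediateTask", "ImmediateTaskV2"):
            continue
        props = next((c for c in task if _local(c.tag) == "Properties"), None)
        commands = []
        for exec_node in task.iter():
            if _local(exec_node.tag) != "Exec":
                continue
            # Command and Arguments appear in document order; join them into one line.
            parts = [(c.text or "").strip() for c in exec_node
                     if _local(c.tag) in ("Command", "Arguments")]
            commands.append(" ".join(p for p in parts if p))
        findings.append({
            "kind": "immediate_task",
            "name": task.get("name", ""),
            "run_as": props.get("runAs", "") if props is not None else "",
            "commands": commands,
            "changed": task.get("changed", ""),
        })
    return findings


def find_local_group_changes(xml_text):
    """Return each member ADD/REMOVE that a Groups.xml applies to a local group."""
    findings = []
    for group in ET.fromstring(xml_text).iter():
        if _local(group.tag) != "Group":
            continue
        props = next((c for c in group if _local(c.tag) == "Properties"), None)
        if props is None:
            continue
        for member in props.iter():
            if _local(member.tag) != "Member":
                continue
            findings.append({
                "kind": "local_group_" + member.get("action", "").lower(),
                "group": props.get("groupName") or group.get("name", ""),
                "group_sid": props.get("groupSid", ""),
                "member": member.get("name", ""),
                "changed": group.get("changed", ""),
            })
    return findings


def review_gpo_preferences(files):
    """files maps a SYSVOL-relative path to its XML text; returns all findings, flagged."""
    findings = []
    for path, text in files.items():
        base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base == "scheduledtasks.xml":
            items = find_immediate_tasks(text)
        elif base == "groups.xml":
            items = find_local_group_changes(text)
        else:
            continue
        for item in items:
            item["file"] = path
            # Any immediate task runs code on every targeted host at refresh time;
            # membership changes are flagged only for high-value built-in groups.
            item["high_value"] = (item["kind"] == "immediate_task"
                                  or item.get("group_sid") in HIGH_VALUE_GROUP_SIDS)
            findings.append(item)
    return findings


if __name__ == "__main__":
    for finding in review_gpo_preferences(SAMPLE_FILES):
        print(finding)
```

In practice the same two functions can be run over every GPO directory in SYSVOL and the results diffed against a known-good baseline; the `changed` attribute gives the timestamp the preference item was last edited, which is useful for correlating with the GPO version number and the directory-service change logs.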
Install & Use