
GPO Abuse for Lateral Movement

Weaponizing Writable Group Policy Objects

Discover GPOs you can edit, inject a malicious scheduled task using SharpGPOAbuse, and wait for Group Policy to push your payload to every machine in the target OU.

Difficulty: Intermediate
Estimated time: ~5 min
MITRE ATT&CK: T1484.001

Prerequisites:
- Write access to a Group Policy Object
- SharpGPOAbuse or similar tool
- Network access to domain-joined targets
Enumerate GPO Write Permissions with BloodHound

GPO Abuse for Lateral Movement — Step 1/4

Step 1: Find Writable GPOs

Use BloodHound/SharpHound to enumerate ACLs on all GPO objects. We are looking for non-admin users who have write access to GPOs — this lets them modify Group Policy and push changes to target machines.

We are scanning Active Directory for Group Policies that our compromised user can edit. Group Policies are like instructions that computers follow automatically. If we can edit these instructions, we can tell target computers to run our commands.

Detection Events
Event ID 5136: Directory object modified (GPO)
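As an added example (not part of this page, BloodHound or SharpGPOAbuse), a small Python detector that triages Event 5136 records: it flags changes to a GPO's policy-carrying attributes made by an account outside an assumed allow-list. The allow-list, GPO GUID and sample events are constructed.

```python
# Added example: flag Security Event 5136 records that change a GPO
# (objectClass groupPolicyContainer) from an account outside an assumed
# allow-list. Allow-list, GUID and events below are constructed.

GPO_ADMINS = {"gpoadmin", "DC01$"}  # assumed legitimate GPO editors

# Attributes that change whenever GPO content is edited; pushing a new
# scheduled task bumps versionNumber and registers a client-side
# extension GUID in gPCMachineExtensionNames.
GPO_CHANGE_ATTRS = {"versionNumber", "gPCMachineExtensionNames",
                    "gPCUserExtensionNames"}
VALUE_ADDED = "%%14674"  # OperationType code for "Value Added"
GPO_DN = ("CN={11111111-2222-3333-4444-555555555555},CN=Policies,"
          "CN=System,DC=corp,DC=local")  # constructed GPO DN

SAMPLE_EVENTS = [  # constructed records using the event's XML field names
    {"EventID": 5136, "SubjectUserName": "gpoadmin", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "versionNumber", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jsmith", "ObjectDN": GPO_DN,
     "ObjectClass": "groupPolicyContainer",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "jsmith", "ObjectClass": "user",
     "ObjectDN": "CN=jsmith,OU=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": 4624, "SubjectUserName": "jsmith"},  # unrelated logon event
]


def is_suspicious_gpo_edit(event):
    """True for a 5136 policy-content change to a GPO by a non-allow-listed account."""
    return (event.get("EventID") == 5136
            and event.get("ObjectClass") == "groupPolicyContainer"
            and event.get("AttributeLDAPDisplayName") in GPO_CHANGE_ATTRS
            and event.get("SubjectUserName") not in GPO_ADMINS)


def find_suspicious_gpo_edits(events):
    """Return (user, GPO DN, attribute) tuples for every suspicious edit."""
    return [(e["SubjectUserName"], e["ObjectDN"], e["AttributeLDAPDisplayName"])
            for e in events if is_suspicious_gpo_edit(e)]


if __name__ == "__main__":
    for user, dn, attr in find_suspicious_gpo_edits(SAMPLE_EVENTS):
        print(f"ALERT: {user} modified {attr} on {dn}")
```

In a real deployment the events would come from the domain controllers' Security log (5136 requires the "Audit Directory Service Changes" subcategory and a SACL on the Policies container), and the allow-list from change-control records rather than a hard-coded set.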
Attack Flow (diagram): Enum GPO ACLs. Attacker (jsmith) -> DC01 (SYSVOL) -> Servers OU (4 hosts). Legend: Request, Response, Attack, Data.

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.