Talk

Unveiling The Offensive Potential Of Group Policy Objects In Active Directory: Old – And New GPO ACLS Attack Vectors

conf 2024-11-07 11:45 – 12:30 La Marive EN

Group Policy Objects (GPOs) are a fundamental Active Directory mechanism, responsible for managing domain objects and conditionally deploying specific configurations. Despite the central role GPOs play in any Active Directory environment, exploitation paths relying on GPO-related permissions have received comparatively little attention. This presentation aims to demonstrate the potential of Group Policy Objects from an offensive standpoint by describing the standard, known attack vectors targeting GPO ACLs, as well as a new, more versatile exploitation technique recently published by the speaker.

The research behind the talk stems from a pentest performed on an Active Directory environment, during which permissive ACLs on sensitive Group Policy Objects were discovered. An overview of the standard, existing attack vectors available when targeting GPO permissions was performed, which also highlighted some of their limits. More specifically, it was observed that these existing attack vectors were not applicable in NTLM relaying scenarios, which was precisely the position of the auditor during the tests. As a result, an alternative attack vector relying on the manipulation of the gPCFileSysPath LDAP attribute was developed, allowing a safer and stealthier exploitation of GPO ACLs that is also applicable in NTLM relaying scenarios.
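A defender-side baseline check for the gPCFileSysPath attribute named above, added here as an example (it is not code from the talk or the speaker): by default the attribute points to the GPO's own folder under the domain SYSVOL share, so any other value deserves review. It assumes GPO records already exported from LDAP with their `cn` and `gPCFileSysPath`; the function name `audit_gpc_paths`, the domain `corp.example` and all GUIDs are constructed.

```python
import re

# Default layout: \\<domain>\SysVol\<domain>\Policies\{<GPO GUID>}
_DEFAULT = re.compile(
    r"^\\\\([^\\]+)\\([^\\]+)\\([^\\]+)\\Policies\\(\{[0-9a-f-]{36}\})\\?$",
    re.IGNORECASE,
)

def audit_gpc_paths(records, domain_fqdn, extra_hosts=()):
    """Return (cn, path, reason) for every GPO whose gPCFileSysPath deviates."""
    domain = domain_fqdn.lower()
    # extra_hosts: hosts (e.g. DC names) the site knowingly uses in this attribute.
    hosts = {domain} | {h.lower() for h in extra_hosts}
    findings = []
    for rec in records:
        cn, path = rec["cn"], rec.get("gPCFileSysPath") or ""
        m = _DEFAULT.match(path)
        if not m:
            reason = "not a SYSVOL Policies path"
        else:
            host, share, folder, guid = (g.lower() for g in m.groups())
            if host not in hosts:
                reason = "unexpected host"
            elif share != "sysvol" or folder != domain:
                reason = "unexpected share or domain folder"
            elif guid != cn.lower():
                reason = "GUID differs from the GPO's cn"
            else:
                continue  # matches the default layout for this GPO
        findings.append((cn, path, reason))
    return findings

# Constructed sample records (not real GPOs).
G1, G2, G3, G4, G5 = ("{%s}" % "-".join([c * 8, c * 4, c * 4, c * 4, c * 12])
                      for c in "12345")
BASE = r"\\corp.example\SysVol\corp.example\Policies" + "\\"
SAMPLE = [
    {"cn": G1, "gPCFileSysPath": BASE + G1},
    {"cn": G2, "gPCFileSysPath": BASE.lower() + G2},   # case differences are fine
    {"cn": G3, "gPCFileSysPath":
        r"\\host.other.example\SysVol\corp.example\Policies" + "\\" + G3},
    {"cn": G4, "gPCFileSysPath": BASE + G1},           # points at another GPO
    {"cn": G5},                                        # attribute missing
]

if __name__ == "__main__":
    for cn, path, reason in audit_gpc_paths(SAMPLE, "corp.example"):
        print(f"{cn}: {reason}: {path!r}")
```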