Identity Security: GPO Architecture, Forensics & Abuse

To forensically analyze or defend against GPO abuse, analysts must understand that a GPO is not a single file. It is a virtual object split into two distinct components stored in different locations across the Domain Controllers.

Group Policy Container (GPC)

Stored within the Active Directory LDAP database (ntds.dit). It holds the logical properties of the GPO, including its version, status, and the Access Control Lists (ACLs) that dictate who can modify it.

Group Policy Template (GPT)

Stored on the file system within the SYSVOL share (\\<domain>\SYSVOL\<domain>\Policies\{GUID}). This folder contains the actual physical configuration files, registry policy files (Registry.pol), and scripts that the client machines download and execute.

Client machines process and apply GPOs hierarchically. If conflicts arise, the last policy applied wins. The order is: Local → Site → Domain → Organizational Unit (OU).

2. Forensic Baseline: Auditing the Environment

During incident response, distinguishing between legitimate IT configurations and an attacker’s malicious modifications requires establishing a baseline.

  • The Theoretical Baseline (GPMC): Request an HTML report from the Group Policy Management Console (GPMC). This shows the intended configuration across the domain.
  • The Ground Truth (Client-Side): Execute gpresult /h report.html on a compromised endpoint. This reveals the actual Resultant Set of Policy (RSoP) applied to the machine. A discrepancy between the GPMC report and the gpresult output is a critical forensic finding.

Legacy Threat: The cPassword Flaw (CVE-2014-1812)

Historically, administrators used Group Policy Preferences (GPP) to push local administrator passwords to workstations. These passwords were stored in the SYSVOL share inside a Groups.xml file, encrypted with an AES key that Microsoft accidentally published on MSDN. Threat actors routinely scan SYSVOL for these files to achieve immediate privilege escalation.
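A defender-side check for the pattern just described, added here as an example and not code from the original page: it walks a SYSVOL Policies tree, flags Group Policy Preferences XML that still carries a cPassword attribute, and reports the GPO GUID and the account the secret belongs to without touching the ciphertext. The two-GPO sample tree (constructed GUIDs and a placeholder value) is built in a temp directory so the script runs offline.

```python
"""Audit a SYSVOL Policies tree for Group Policy Preferences XML that still embeds a
cPassword attribute (CVE-2014-1812). Detection only: the value is never decrypted."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that can carry cPassword; other XML under Policies is skipped.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")  # who the secret is for

def find_cpassword(policies_root: Path) -> list:
    """Return one finding per preference item whose attributes include cPassword."""
    findings = []
    for xml_file in policies_root.rglob("*.xml"):
        if xml_file.name not in GPP_FILES:
            continue
        try:
            root = ET.parse(xml_file).getroot()
        except ET.ParseError:
            continue  # not well-formed, so not a GPP item
        for elem in root.iter():
            if not any(k.lower() == "cpassword" for k in elem.attrib):
                continue
            rel = xml_file.relative_to(policies_root)  # first component is the GPO GUID folder
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
            findings.append({"gpo_guid": rel.parts[0], "account": account,
                             "file": rel.as_posix()})
    return findings

def demo() -> list:
    """Build a constructed two-GPO Policies tree in a temp dir and audit it."""
    base = Path(tempfile.mkdtemp()) / "Policies"
    bad = base / "{11111111-2222-3333-4444-555555555555}" / "Machine/Preferences/Groups"
    good = base / "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}" / "Machine/Preferences/Groups"
    for d in (bad, good):
        d.mkdir(parents=True)
    # Constructed: local Administrator reset with an embedded (placeholder) cPassword.
    (bad / "Groups.xml").write_text(
        '<Groups><User name="Administrator (built-in)"><Properties action="U" '
        'cpassword="PLACEHOLDER_NOT_A_REAL_VALUE" userName="Administrator (built-in)"/>'
        '</User></Groups>')
    # Constructed: the same item after remediation, no password attribute at all.
    (good / "Groups.xml").write_text('<Groups><User name="Administrator (built-in)">'
                                     '<Properties action="U" userName="Administrator (built-in)"/></User></Groups>')
    return find_cpassword(base)

if __name__ == "__main__":
    for f in demo():
        print(f"GPO {f['gpo_guid']}: cPassword for {f['account']} in {f['file']}")
```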

Adversaries abuse GPOs through two primary vectors: directly modifying the GPO via misconfigured permissions, or bypassing permissions via authentication relaying.

Using tools like BloodHound, attackers map the domain to find GPOs where a compromised low-privileged user or group has GenericWrite, GenericAll, or WriteDacl permissions.

Using tools like SharpGPOAbuse, the attacker modifies the GPO to establish persistence across all machines in the OU:

  • Scheduled Tasks: Injecting an immediate scheduled task to download and execute a Cobalt Strike beacon.
  • Local Admin Rights: Pushing a Restricted Groups policy to add the attacker’s domain account to the local Administrators group of every machine.

B. The “GPOddity” Attack (NTLM Relay to LDAP)

As researched by Synacktiv, GPOddity is a sophisticated attack path that exploits the split between the GPC and the GPT. If an attacker coerces a machine (e.g., using PetitPotam) to authenticate to an attacker-controlled host via NTLM, the attacker can relay that NTLM authentication to the Domain Controller’s LDAP service.

Over LDAP, the attacker modifies the gPCMachineExtensionNames attribute of a GPO applied to the victim machine, instructing it to pull a malicious Group Policy Template (GPT) hosted on a rogue SMB server controlled by the attacker, leading to instantaneous Remote Code Execution (RCE).

Because GPOs are modified legitimately by IT staff, behavioral anomalies are key. The primary artifact for tracking GPO modification on a Domain Controller is Event ID 5136 (A directory service object was modified).

hunt_gpo_modifications.kql
// Detects modifications to Group Policy Objects in Active Directory
IdentityDirectoryEvents
| where ActionType == "Directory Service Object Modified"
| where ObjectType == "Group Policy Object"
// Extract the exact property modified
| extend ModifiedAttribute = tostring(AdditionalFields.ModifiedAttribute)
| extend PreviousValue = tostring(AdditionalFields.PreviousValue)
| extend NewValue = tostring(AdditionalFields.NewValue)
// Filter out expected administrative accounts
| where AccountUpn !in~ ("domain_admin1@corp.local", "svc_gpo_mgmt@corp.local")
| project TimeGenerated, TargetDeviceName, AccountUpn, ObjectName, ModifiedAttribute, NewValue
| sort by TimeGenerated desc
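An offline counterpart to the query above for exported 5136 records, added here as an example and not code from the page: besides the editor allowlist, it flags a gPCFileSysPath value (the GPC attribute that tells clients where the GPT lives) that points anywhere but the domain’s own SYSVOL, which is what a GPT served from a rogue SMB host looks like on the DC. Field names follow the 5136 event XML; corp.local, the allowlist and the sample events are constructed.

```python
"""Triage exported Event ID 5136 records for GPO tampering: a groupPolicyContainer
edited by an account outside the GPO-admin allowlist, or a gPCFileSysPath value
pointing anywhere but the domain's own SYSVOL (a GPT served from a rogue host)."""
import re

GPT_PATH_ATTR = "gPCFileSysPath"              # UNC path of the GPO's SYSVOL folder
EXTENSIONS_ATTR = "gPCMachineExtensionNames"  # client-side extensions the GPT triggers
ALLOWED_EDITORS = {"svc_gpo_mgmt", "domain_admin1"}  # assumed Tier 0 GPO editors
DOMAIN = "corp.local"                          # assumed domain name
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
GPC_DN = "CN=Policies,CN=System,DC=corp,DC=local"

def triage_5136(events, domain=DOMAIN, allowed=ALLOWED_EDITORS):
    """Return one alert per suspicious GPO modification, with the reasons."""
    allowed = {a.lower() for a in allowed}
    sysvol = f"\\\\{domain}\\sysvol\\{domain}\\policies\\".lower()
    alerts = []
    for ev in events:
        if ev.get("ObjectClass") != "groupPolicyContainer":
            continue  # not a GPC, same filter as the KQL above
        who, attr = ev["SubjectUserName"], ev["AttributeLDAPDisplayName"]
        value, added = ev.get("AttributeValue", ""), ev.get("OperationType") == "%%14674"  # Value Added
        reasons = []
        if who.lower() not in allowed:
            reasons.append(f"{who} is not an approved GPO editor")
        if attr == GPT_PATH_ATTR and added and not value.lower().startswith(sysvol):
            reasons.append(f"GPT path redirected to {value}")
        if reasons:
            guid = GUID_RE.search(ev.get("ObjectDN", ""))
            alerts.append({"gpo": guid.group(0) if guid else "?", "attribute": attr,
                           "actor": who, "reasons": reasons})
    return alerts

SAMPLE_EVENTS = [  # constructed: routine version bump, rogue GPT redirection, unexpected editor
    {"SubjectUserName": "svc_gpo_mgmt", "ObjectClass": "groupPolicyContainer", "OperationType": "%%14674",
     "ObjectDN": f"CN={{11111111-2222-3333-4444-555555555555}},{GPC_DN}",
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "66"},
    {"SubjectUserName": "FILESRV01$", "ObjectClass": "groupPolicyContainer", "OperationType": "%%14674",
     "ObjectDN": f"CN={{11111111-2222-3333-4444-555555555555}},{GPC_DN}",
     "AttributeLDAPDisplayName": GPT_PATH_ATTR,
     "AttributeValue": "\\\\192.0.2.66\\share\\Policies\\{11111111-2222-3333-4444-555555555555}"},
    {"SubjectUserName": "jdoe", "ObjectClass": "groupPolicyContainer", "OperationType": "%%14674",
     "ObjectDN": f"CN={{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}},{GPC_DN}",
     "AttributeLDAPDisplayName": EXTENSIONS_ATTR, "AttributeValue": "[{cccccccc-0000-0000-0000-000000000000}]"},
]

if __name__ == "__main__":
    for a in triage_5136(SAMPLE_EVENTS):
        print(a["gpo"], a["attribute"], a["actor"], "; ".join(a["reasons"]))
```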

  1. Tiered Administration: GPOs that apply to Tier 0 assets (Domain Controllers) must only be editable by Tier 0 accounts. Ensure that no standard users or helpdesk groups hold GenericWrite permissions over critical GPOs.
  2. Require SMB Signing & LDAP Channel Binding: To neutralize the GPOddity and other NTLM relay attacks against LDAP, enforce LDAP Channel Binding and require SMB signing across the entire domain.
  3. Monitor SYSVOL Integrity: Implement File Integrity Monitoring (FIM) or specialized Sysmon rules on the Domain Controllers to alert on unauthorized file writes inside the \\SYSVOL\...\Policies\ directories.