Turning your Active Directory into the attacker’s C2: modern Group Policy Objects enumeration and exploitation

Presented at DEF CON 33 (2025), Aug. 10, 2025, noon (45 minutes).

Active Directory environments are, in essence, not unlike a command-and-control infrastructure: they allow network assets to be centrally coordinated and controlled. As an attacker, why not make it your own? As far as the C2 capabilities of Active Directory go, Group Policy Objects (GPOs) are a key feature that attackers can leverage for a surprisingly wide range of offensive actions. From enumeration, to persistence, to impactful privilege escalation in mature segmented environments, abusing GPOs amounts to abusing the C2 capabilities of Active Directory itself – a powerful attack primitive. And yet, GPOs have received comparatively little attention from the pentesting and research community. GPO exploitation knowledge and tooling are scarce, whether because the implementation may seem somewhat obscure or because exploitation can be seen as risky: concerns that well-equipped attackers may not have to worry about. This presentation aims to demonstrate the full extent of the possibilities offered by Group Policy Objects. It dives deep into the implementation of GPOs, their enumeration potential, and advanced exploitation techniques introduced or implemented by the speakers over the last few years. It is also accompanied by the release of two enumeration and exploitation tools developed by the speakers.

References:

- [link](https://markgamache.blogspot.com/2020/07/exploiting-ad-gplink-for-good-or-evil.html)
- [link](https://labs.withsecure.com/publications/ou-having-a-laugh)
- [link](https://www.synacktiv.com/publications/gpoddity-exploiting-active-directory-gpos-through-ntlm-relaying-and-more)
- [link](https://www.synacktiv.com/publications/ounedpy-exploiting-hidden-organizational-units-acl-attack-vectors-in-active-directory)

Presenters:

  • Quentin "croco_byte" Roland
    Quentin Roland is a 28-year-old pentester who has been working for a bit more than 3 years at Synacktiv, a French firm dedicated to offensive information security. He enjoys working on Active Directory, releasing open-source exploitation tools, and enhancing existing tooling. He has worked on well-known, trendy Active Directory exploitation primitives as well as on more obscure research topics. A fun fact about him: he actually studied law and used to work as a lawyer before turning to penetration testing.
  • Wilfried "tiyeuse" Bécard
    Wilfried Bécard is a hacker and researcher working at Synacktiv. With a particular interest in Active Directory and Azure exploitation, his passion lies in uncovering new techniques to enhance cybersecurity in these areas. Constantly experimenting, testing, and collaborating with the security community, he aims to continuously improve his knowledge in these fields.