Exploiting Windows Group Policy for Reconnaissance and Attack

Presented at BSidesLV 2019, Aug. 7, 2019, 3 p.m. (55 minutes).

In this talk, Group Policy expert Darren Mar-Elia (a.k.a. the GPOGUY) looks at Active Directory Group Policy from an attacker's perspective, illustrating techniques that can be leveraged to gain insight into an organization's Windows security posture, privileged use and opportunities for compromise. He'll start by explaining how GP works under the covers, then dig into tools and techniques you can use to take advantage of GP's "readability" to map out how an organized has deployed security hardening and privileged access, including how you can specifically identify admin tiering and work around it. Then Darren will dig deep into the bowels of GP to show several approaches to exploiting Group Policy, including linking exploits, write-permission/settings abuse, GPT redirection, external paths abuse and some newly documented ideas for abusing GP processing at the client to run arbitrary code. He'll finish up by presenting some defensive techniques that can be used to harden GP against this kind of abuse.


Presenters:

  • Darren Mar-Elia
    A 14-year Cloud and Datacenter Microsoft MVP, Darren has a wealth of experience in Identity and Access Management and was the CTO and founder of SDM software, a provider of Microsoft systems management solutions. Prior to launching SDM, Darren held senior infrastructure architecture roles in Fortune 500 companies and was also the CTO of Quest Software. As a Microsoft MVP, Darren has contributed to numerous publications on Windows networks, Active Directory and Group Policy, and was a Contributing Editor for Windows IT Pro Magazine for 20 years. As a thought leader, Darren has over 20K subscribers to his blog (gpoguy.com) and an extremely active twitter following @grouppolicyguy.

Links:

Similar Presentations: