All It Takes is One Account: Using Insecure Group Policy Objects to Demonstrate Real Attack Paths in AD

Webinar Registration

When you analyze major breaches, it invariably comes down to a single vulnerability that was the major break the attacker needed in order to really bring off the attack. Often that break is about obtaining access to a single account and then elevating access to an account with more access. In a typical AD environment that has accreted objects, accounts, entitlements, and other complexity over decades it turns out that many accounts have been delegated privileged access in Active Directory and attackers can take advantage of those permissions.

This opens up an abundance of attack paths in AD, but in this real training for free event we are going to zero in on one example: edit permissions on a group policy object. If that doesn’t sound like a powerful sort of privileged access you need to understand this: having edit access to a GPO effectively gives you administrator authority to all the computers that apply that GPO. I will demonstrate more than one way to prove that claim. 

Then I will show you the security controls available in Windows and Active Directory that control who can make changes to group policy objects as well as group policy related attributes on other objects like Organizational Units and Domain roots. The latter is an important point because changing the gpLink or gpOptions attribution on an OU can be just as disruptive as editing an actual GPO.

So, it’s important to carefully manage the security of:

  • Group Policy Creator Owners group
  • The GPO itself
  • The System/Policies folder in AD
  • The sysvol folder on domain controllers
  • The gpLink and gpOptions attributes on the domain root and organizational units

After I introduce you to group policy access control and why it’s so important, Quest’s Bryan Patton returns to UWS to demonstrate a very realistic attack path involving one account that was delegated access to group policy and how practically the whole domain can be taken over by compromising that one account. 

Then I’ll introduce Andy Robbins. If you aren’t familiar with Andy, his background is in red teaming, where he performed numerous red team operations and penetration tests against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory and Azure security. And is also co-creator of SpecterOps BloodHound and he will briefly show you how his Attack Path Management technology continuously maps and quantifies Active Directory Attack Paths – millions of them. 

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources