DeepSec2016 Talk: badGPO – Using GPOs for Persistence and Lateral Movement – Yves Kraft & Immanuel Willi
System administration has evolved a lot during the past decades. Instead of enjoying long walks through the forests of servers and clients, the modern sysadmin controls the whole infrastructure by policies. Most operating systems can take advantage of this technology. As with software upgrades, these tools can make your life easier – or help an intruder to get a firm hold on your infrastructure. Malicious activity can exploit your management networks and systems. Once this happens, you are in deep trouble. We have invited two security experts who created a demonstration. They used the Microsoft® Windows platform in combination with native tools:
Group Policy is a feature which provides centralized management and configuration functions for the Microsoft operating system, application, and user settings. Group Policy is simply the easiest way to reach out and configure computer or user settings on networks based on Active Directory Domain Services (AD DS). Such policies are widely used in enterprise environments to control settings of clients and servers: registry settings, security options, scripts, folders, software installation and maintenance, just to name a few. Settings are contained in so-called Group Policy Objects (GPOs) and can be misused in a sneaky way to distribute malware and gain persistence in an automated manner in a post-exploitation scenario of an already compromised domain. In a proof of concept inspired by Phineas Fisher’s article about pwning HackingTeam, we will show how persistence and lateral movement in a compromised company network can be achieved and demonstrate some PowershellEmpire Framework modules which we created. PowershellEmpire is basically a post-exploitation framework that utilises the widely-deployed PowerShell tool for all your system-smashing needs. There are already functionalities built in regarding GPOs. We tried to further evolve the misuse of GPOs in additional scenarios. Furthermore, we will discuss some countermeasures including detection and prevention mechanisms.
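Since the abstract mentions detection as a countermeasure, here is a defender-side example of the kind of check a domain administrator can run: an inventory of GPOs that carry settings able to run code on every linked machine (scheduled tasks, startup/logon scripts, software installation), combined with a query for Group Policy container changes in a domain controller's Security log. This is an added example for this post and is not code from the talk or from the presenters' PowershellEmpire modules. It assumes a domain-joined Windows host with the RSAT GroupPolicy module; the event query additionally assumes that "Audit Directory Service Changes" is enabled and that the Policies container carries an auditing SACL. The marker keyword list and the domain controller name are assumptions chosen for the example.

```powershell
# Added defender-side example (not from the talk or the presenters' modules).
# Assumes: a domain-joined Windows host with RSAT (GroupPolicy module) installed.
# The event query additionally assumes "Audit Directory Service Changes" is on
# and the Policies container has an auditing SACL, otherwise 5136/5137 never fire.
Import-Module GroupPolicy

# Element names in the GPO XML report that mark settings commonly used to run
# code on linked machines. This keyword list is a heuristic chosen for the example.
$CodeRunningMarkers = @(
    'ScheduledTasks',       # Group Policy Preferences scheduled tasks
    'ImmediateTask',        # GPP "immediate" tasks (run once on the next refresh)
    'Scripts',              # startup/shutdown/logon/logoff scripts
    'SoftwareInstallation'  # MSI deployment
)

function Get-GpoCodeExecutionSettings {
    # Lists every GPO whose XML report contains one of the markers above,
    # with its last modification time and owner, flagging recent changes.
    param([int]$ModifiedWithinDays = 7)
    $cutoff = (Get-Date).AddDays(-$ModifiedWithinDays)
    foreach ($gpo in Get-GPO -All) {
        $report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $hits = $CodeRunningMarkers | Where-Object { $report -match $_ }
        if ($hits) {
            [pscustomobject]@{
                Name            = $gpo.DisplayName
                Id              = $gpo.Id
                Settings        = ($hits -join ',')
                Modified        = $gpo.ModificationTime
                RecentlyChanged = ($gpo.ModificationTime -ge $cutoff)
                Owner           = $gpo.Owner
            }
        }
    }
}

function Get-GpoChangeEvents {
    # Reads directory service change events (5136 = object modified,
    # 5137 = object created) for groupPolicyContainer objects from a DC's
    # Security log and reports who changed which attribute of which GPO.
    param([string]$DomainController, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name rather than by positional index.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['ObjectClass'] -eq 'groupPolicyContainer') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    GpoDN     = $data['ObjectDN']
                    Attribute = $data['AttributeLDAPDisplayName']
                    Value     = $data['AttributeValue']
                }
            }
        }
}

# Usage (the domain controller name is a placeholder):
Get-GpoCodeExecutionSettings -ModifiedWithinDays 7 | Format-Table -AutoSize
Get-GpoChangeEvents -DomainController 'DC01.example.local' -Hours 24 | Format-Table -AutoSize
```

A GPO that shows up in the first list with RecentlyChanged set, or an attribute change on a groupPolicyContainer made by an account that does not normally administer Group Policy, is exactly the kind of event worth correlating with the SYSVOL contents of that policy.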
The presentation is a prime example that off-the-shelf tools pose a security risk, depending on how they are used. Policies and code of any kind will do nicely. The advantage for the attacker is the presence of the tools. There is no need to install extra applications. Everything necessary to gain wider access is already at the target site. We recommend this talk for everyone dealing with system administration and infrastructure. If you can automate stuff, so can your adversaries.
Yves and Immanuel are both penetration testers at Oneconsult AG. Their daily business is to build and deconstruct things. Yves works as a security consultant at Oneconsult, focusing on penetration tests, security consulting and training. He was promoted to team leader and branch manager for Bern a year ago. As a former system and network engineer he managed several servers, applications and networks, including systems at a large Swiss university, financial services and public administration, among other industries.
Immanuel worked several years as a system administrator at a university. When moving to another higher education institution he was appointed head of the internal IT services department. His work at Oneconsult is focused on penetration tests and security consulting.