Linked GPO

Description

The Source GPO is linked to the Target linkable container, such as a Domain or Organizational Unit (OU). This means that the Source GPO can assign settings and run programs on the devices and users contained in the Target. The Source GPO also applies to objects in containers below it through "Inherit GPO" relations.

Ultimately, the GPO can compromise the devices and users on which it applies.

Exploitation

Attackers must first compromise the Source GPO through another attack relation.

From there, they employ several techniques to perform malicious actions on devices and users contained in the Target and those below it. Examples are:

  • Abusing the legitimate "immediate scheduled tasks" to execute arbitrary scripts on devices.

  • Adding a new local user with administrative rights on all devices

  • Installing an MSI program

  • Disabling the firewall or antivirus

  • Granting further rights

  • etc.

Attackers can modify a GPO by manually editing its content using administration tools such as "Group Policy Management" or dedicated hacker tools such as PowerSploit.

Remediation

In most cases, linking a GPO to a linkable container is normal and legitimate. However, this linkage increases the attack surface where it occurs as well as in the containers below it.

Therefore, to reduce the risk, link each GPO at the lowest possible level of the organizational unit hierarchy, so that it applies only to the devices and users that actually need it.

Moreover, GPOs must be protected against unauthorized modification: edit rights on a GPO should be held only by the intended administrative principals, so that the GPO is not exposed through other attack relations.
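The following PowerShell script is an added audit example, not code from the original page or from the product it documents. It supports the two remediation points above and the inheritance behaviour described under "Description": it lists which GPOs are linked to the domain root and to each OU (with inherited links resolved per container), and it reports every principal holding edit rights on a GPO beyond an expected set. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the caller can read the domain, and that the `$ExpectedEditors` list (an assumption you adapt to your delegation model) is the only set of principals that should be able to edit GPOs.

```powershell
# Added example: audit GPO link placement and GPO edit rights.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules, read access to the domain,
# and $ExpectedEditors reflecting your environment's intended GPO editors.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Principals expected to hold edit rights on GPOs (assumption; adjust to your delegation model).
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')

function Get-ContainerDepth {
    # Depth 1 = domain root; each OU component below it adds one level.
    param([string]$DistinguishedName)
    $ouParts = ($DistinguishedName -split '(?<!\\),').Where({ $_ -like 'OU=*' })
    return 1 + $ouParts.Count
}

function Get-GpoLinkReport {
    # One row per (container, directly linked GPO), for the domain root and every OU.
    $domainDn   = (Get-ADDomain).DistinguishedName
    $containers = @($domainDn) + @(Get-ADOrganizationalUnit -Filter * |
                    Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        $inheritance = Get-GPInheritance -Target $dn
        foreach ($link in $inheritance.GpoLinks) {
            [pscustomobject]@{
                Container = $dn
                Depth     = Get-ContainerDepth -DistinguishedName $dn
                GpoName   = $link.DisplayName
                GpoId     = $link.GpoId
                Enabled   = $link.Enabled
                Enforced  = $link.Enforced
            }
        }
    }
}

function Get-EffectiveGpoLinks {
    # All GPOs that apply to one container, including those inherited from parents
    # (the "Inherit GPO" relation), with the container each link actually comes from.
    param([string]$Target)
    $inheritance = Get-GPInheritance -Target $Target
    foreach ($link in $inheritance.InheritedGpoLinks) {
        [pscustomobject]@{
            AppliesTo  = $Target
            GpoName    = $link.DisplayName
            LinkedAt   = $link.Target
            Inherited  = ($link.Target -ne $Target)
            Enforced   = $link.Enforced
        }
    }
}

function Get-GpoEditorReport {
    # Trustees with edit-level permissions on any GPO that are not in $ExpectedEditors.
    $editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($perm.Denied -or $editLevels -notcontains [string]$perm.Permission) { continue }
            # Strip a DOMAIN\ prefix if present so names compare consistently.
            $trusteeName = ($perm.Trustee.Name -split '\\')[-1]
            if ($ExpectedEditors -contains $trusteeName) { continue }
            [pscustomobject]@{
                GpoName    = $gpo.DisplayName
                GpoId      = $gpo.Id
                Trustee    = $perm.Trustee.Name
                Permission = [string]$perm.Permission
                Inherited  = $perm.Inherited
            }
        }
    }
}

# --- Usage ---
$links = Get-GpoLinkReport

"GPOs linked at the domain root (review whether they could be linked lower in the OU tree):"
$links | Where-Object Depth -eq 1 | Format-Table GpoName, Enabled, Enforced -AutoSize

"Effective GPOs for the deepest OU, showing which ones arrive by inheritance:"
$deepest = $links | Sort-Object Depth -Descending | Select-Object -First 1
if ($deepest) { Get-EffectiveGpoLinks -Target $deepest.Container | Format-Table -AutoSize }

"Principals with edit rights on GPOs outside the expected set:"
Get-GpoEditorReport | Format-Table GpoName, Trustee, Permission, Inherited -AutoSize
```

Rows in the last table are the ones to act on: any trustee that can edit a GPO can change what it pushes to every container the GPO reaches, directly or by inheritance. Read and Apply permissions (for example the default Authenticated Users entry) are deliberately not reported, since they do not allow modification.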

See also