
"Identifying and Abusing Vulnerable Configurations in MS AD Group Policy" - Mike Loss

BSides Canberra 2018 · 23:50 · 93 views · Published 2018-08 · Watch on YouTube
About this talk
BSides Canberra 2018 Slide deck: https://drive.google.com/open?id=1qBUOuh3SlFKWsITgl62cS_PGP5wGiujz
Transcript [en] (auto-generated):

group policy and the trash was and it is sold all right well we can rent a full supply for Tracy information security and put many permanently FAMAS to users based on camera we have my health and I might add 30 SEC's we're sorry talk about policy we're gonna cover one of these why I think you might care a few different ways of looking at it the fun things my fine that's doing it you can have a look at it and in the script socket like scribbles I'm not going to be broken Zico today or really showing you techniques I'm not gonna be going to all that much they telling me it is so stuff because it's not that kind of talk

personally I think that if I go to weigh in to the weight I'm taking some stuff you want to remember it and you could just google that stuff when the time comes for it to be useful so it's gonna be more about what you can do and then when the time comes so what is group policy so it's basically a component of Active Directory that acts as a kind of configuration management system it's largely constructed with these things called group policy objects each of which contains a bunch of settings these do is get assignments here we use the misty I think of all this but instead anything it applies to all users or computers even that are you and they

apply to the first logon and then every 90 minutes they're off those manage it up for every positive control comedy's included allowing that one control freaks this I've been force a bunch of pointless cosmetic changes on everyone in the company and applying horrible vulnerabilities fine use well it's a decent you system for deploying home fixed windows especially given all this like thing with so why should you care well every time any doings I make that thing over wood and like any powerful tool group policy provides an extraordinary number of opportunities side means to make really horrible mistakes the tens around and because people we like it when other people make horrible mistakes so mistake made by we does that mean to assume

they're the only ones that can see group policy one of the most straightforward rules and group policies applied and then all healthy to apply to you you have to be able to read as a result but evoke all the domain users can read all the group policy objects you can probably read my statement all over coffee okay fine so if you want to even going to straight to the source aiding of the special fall technical it's it's all that's for storing among other things promotion first seems like a great idea because in theory you just don't meet our directory and wait stop strike and if you realize that it's Coppola's on anybody's do all these

descriptive and the falls inside range in legibility between yeah fine illegible XML and proprietary binary not man depending on which studies of a to find the value go away there is also giving up the group policy management console but to me that's 2019 so the group policy module networks are provided super handy and it has a Get-GPOReport cmdlet there's a couple of quick ones and I'll be putting this slide don't give up after which so don't worry about writing things down but basically it can be easily used to have a whole point of every policy okay in the domain that you can read in your choice of not very nice HTML or equally unpleasant

Hector now you familiar with Tom droids it's very useful come on was working for policy and it's particularly handy figuring out we choosing and in fact the newest BloodHound update 1.5 panel just to cut way back how does it punch it you stop you know figuring out which policy supply that sir I have spent a lot of time when engagements strolling through as you know thoughts so big the browsers would just crash sorry Grouper in things that I went to filter out all of the noise the airport because there tends to be a little stuff like I said you know I'd be once his mother Bernie our compact or well you know so many corporate decided that they were

gonna have to have the exact same style of noise it's pretty simple years to just tell if the path of the XML file and then depending on which the falsity let me in charge it'll change the settings that some way would like to security or in limited to just the stuff that Grouper is fairly confident in a straight up and in off the lake by default doesn't trust the network at all it just causes the robotic to no but there's a switch that will turn on some additional checks to see some settings in the context of the current user

so now I'm going to begin to thumps up and talk about each of the bosses of security-related settings you can find a group policy the way they get screwed up and how you can exploit them DDC these little fella appear in the Kalon that's the Sheldon if you see the shell bell he's frequently straightforward to use the thing when looking at the fall shell

sorry like many other things in Windows Land GPOs are a securable object I mean if I have ACLs like whole things in all operating systems okay you can basically earn every user or computer plus the easiest way to do this is the New-GPOImmediateTask and it literally just creates a scheduled task as a user or computer and they run run automatically immediately and then I did see residents mentioned on Twitter the other day that he's working on a PowerShell module to abuse a bunch of these sort of stuff in ways other than New-GPOImmediateTask so keep it on his Twitter account yes right these dudes comes most

flexible parts of settings and it's where that means you can set up any cost of registry issues they pay 50 bit but you find a fun - really fun stuff in here the most of the thing useful examples to stop like begin state passwords which are trivially decrypted using defendants ability collie to do it very shady looking Chinese website that'll do it another favorite is credentials so they literally just said in the registry and right there in plain text they often pretty rubbish stuff like Lloyd Craig accounts or kills machines but sometimes you get something great like the account for the PRTG the network admins run that has access to all the monitoring systems and the

easiest way to set that up is just to make it a domain admin and yeah these country does can be very very noisy especially Ian Schultz with really old-school attitude they know exactly which registry entries I didn't qualify and I just go by Hannah just [ __ ] someone named this is not the same thing these categories pull up like we noticed configuration option set in the registry group policy provides a nice GUI advice revenues set them rather than do it manually there's some fun potentially of the usable bits in here but there's also an enormous amount of grenades he is crud one of the less tedious ones which we look up make sure that he is always is

so elevated funnel changing drafts which fund prevents basically lets you run MSI installers that mean and will output a WMI r12 uses as will power up this second also tells you for example where Windows operating from so you could maybe try out that if you was also attacked by a strange car as presented last year school and all your office setting is live in here as well they're mostly pretty boring but it will show you nice stuff like where the default template location is so you can look at that figure out you can write to it and you drop some macros this time we're going to follow settings it's a good example where take the time to read

group policy it's not gonna get your cell on time but it can provide a lot of really useful information sorry firewall settings which are you like what kind of surface of your mind expected a within our machine without having to do anything standing people that helps a lot in on certain questions like why isn't my reverse shell working yeah do users this is where old old brains group policy preferences passwords even though these are such a problem that Microsoft actually pushed out a patch to stop a be creating new ones in 2014 but basically when I've been use this thing to the set the local creds on a host you can just bring them there even corrected but they

use a single universal key that they published on TechNet peripherals are different for you but for the quaintness i found itself recently should probably still be used house boys Get-GPPPassword good because there's like really weird edge case with SYSVOL replication hair off a long time ago and create group policy folders that get to your boat can't see and so really a section so you can depend information like they change the administrator accounts name to since that beginner or they created a local service account on this machine with a note the description field same username password definitely never happened all right similarly we can see users getting audited to remove from local groups most

often from the desktop users birthdays don't forget that there are other groups that I keep tracing over the administrators like backup operators Microsoft fateful leap right access

group policy also goes a long way we fall within your account you'll over to come how do you pay access because it's plenty I don't always have the one to do that you let me tell you what you've got Batman Swan

Paulo pretty much television limited it modifies the places we use I talked to a system it's most commonly used things like updating your local home big files in our applications via tax for engines rather and concrete problem and it's often also used for like installing simple executables and scripts from a network drive we've really really what we call visions group a house I've got online switch you can turn on that will actually go out and check the file permissions but those source files and it'll also tell you if the current so I've been pending on the type of files bank push you might need to get kind of creative to help shell with it but you

can stitch the script or an ACCI and it actually gets run at any time you just sell it out for something because something fun right again this one between the types of human Stockwell and the installs it on the time machine you can replace yeah yeah so we have a sitting posture set some scheduled tasks on the host there's a whole bunch of different fun ways to spring these up they often run that wire in strict austerity expert publication multiplied they'll often be configured to run as service accounts and then the credit Authority in the group policy object using the same encryption method and desktop or you can a jamming on macro in someone's office stuff yeah

this one is kind of the miscellaneous category for security settings there's a lot of kind of interesting as a target in here like which named pipes can be accessed anonymously with ministry posture dances locally whether it's possible for an account with a blank password to log on way to run off a heist stole is also there's things that can be screwed over really really badly totally let your top shelf but honestly so it's worth having a look at when you [Music]

simulate useful but not immediately Michelle the account settings areas we've been finding with password policy stuff lockout policy complexity policy where the passwords would be stored in the clear it useful knowing you from password spray or something like that but yeah super exciting again we go to startup scripts shutdown scripts logon scripts are all defined in here if you're really lucky you once upon credit pop oh you straight in the scripts they're mostly going to be stories this ball which pretty rad for the fall means we screwed up this bowl and again tell you if your question and again also be used network shares it's definitely worth checking out that one in 20 chump

that all the devastating backups of their MSSQL thought of aces on faucet on the workstation know why they do it and eat files basically in a comp all the windows I've done the same group policy actually used which they use in real life but given the sometimes again environment variables of menacingly set by group policy but it can't be done and variables so you don't want to miss the winners bucks shortcuts will stop telling cake balls but they really raises one isn't often like to set up the helpdesk we a nice premium piece of shortcuts for web applications I have command injection built into is just like for pilot JavaScript the preset several cost would definitely real-life

all things like provision EMF 8 seconds super useful if you without making a bunch of noise on the network the second thing that's useful is that they often point to binaries the scripts so lately Paul says we tend but we have a non-stop GPO you survive so we knows likes to separate out the groups of rights from permissions and coming from winning plans we like everything as a bottle and some thoughts pretty mundane some of them are insanely powerful thank you doing things like they pay with always take our nation file debug programs or act as part of the operating system but most of the best ones boil down to let you run baby cats

per clock will salt the way from the top for you in this category we chose the ones to have meaningful experimentation the most common of things that you'll see and see the chain account privilege get excited until you realize what it does which is adding machines the point is this mysterious show will be run

sorry regret my next step anyone recognize those face sorry that one of the lessons I learned in running verify is that I should have taken the time so we're even trying to learn how using spot queries in PowerShell the nice guy I met on the play on slightly so how long can you tell me me raging group I use them very consume use a lot of tweaking music Hansel rejigging way expanding the ability to purpose or to tell the difference between just include be bad and this thing is definitely bad also custom lots of third party a template for the group policy templates for stuff like stitch purchasing normal things your environment we've got stuff you can

find a way to soundside be up with your fourth so useful also if anyone has any ideas for a routing the dependency upon microsoft's policy module and policy parts useful but myself and today my going to the doctor is a loss those people listed by name this off post for Sean Tuohy Lisa what happened and black and or ducks I will start with a bit of a thank you for what is it was important I agree palsy Santa Claus

and do we have any questions see just might three of all the group policy so we didn't have to basically guess thank you yeah it was painful

[Applause]