ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩、戴亦仑. This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1484

Glossary: /attack/glossary

Group Policy Modification

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain.

Group Policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path, \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.

Like other objects in AD, GPOs have access controls associated with them. By default, all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.

Malicious GPO modifications can be used to implement Scheduled Task (T1053), Disabling Security Tools (T1089), Remote File Copy (T1105), Create Account (T1136), Service Execution (T1035) and more. Since GPOs can control so many user and machine settings in the AD environment, a great number of potential attacks can stem from this GPO abuse. Publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious Scheduled Task (T1053) by modifying GPO settings, in this case modifying \Machine\Preferences\ScheduledTasks\ScheduledTasks.xml. In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in \MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain, because the user account under the adversary's control would then be able to modify GPOs.

ID: T1484

Tactic: Defense Evasion

Platform: Windows

Permissions Required: Administrator, User

Data Sources: Windows event logs

Defense Bypassed: System access controls, File system access controls

Procedure Examples

Name Description
Empire (S0363) Empire (S0363) can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task (T1053).

Mitigations

Mitigation Description
Audit (M1047) Identify and correct GPO permissions abuse opportunities (e.g. GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).
User Account Management (M1018) Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.
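The technique description above names the two GPO files an adversary edits (ScheduledTasks.xml under Machine\Preferences and GptTmpl.inf under SecEdit) and the Audit mitigation asks for GPO delegation to be reviewed. The script below is an added example written for this page; it is not code from ATT&CK, from the ATT&CK-CN translators or from any tool the page mentions. It assumes a domain-joined Windows host with the RSAT GroupPolicy module installed, a caller with the default read access to GPOs and SYSVOL, an English-locale domain (the expected-editor group names are locale dependent), and the placeholder domain name corp.example, which you replace with your own.

```powershell
# Added example: review GPO edit delegation and the two GPO files named in T1484.
# Not ATT&CK or translator code. Placeholder domain name; adjust before use.
Import-Module GroupPolicy
$Domain   = 'corp.example'
$Policies = "\\$Domain\SYSVOL\$Domain\Policies"

# 1. Who may edit GPOs? In a default domain only Domain Admins, Enterprise Admins
#    and SYSTEM hold edit rights; any other trustee with an edit right is a
#    delegation to review (mitigation M1047). Names assume an English locale.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
$EditRights      = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
Get-GPO -All -Domain $Domain | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
        Where-Object { -not $_.Denied -and $EditRights -contains $_.Permission.ToString() } |
        Where-Object { $ExpectedEditors -notcontains $_.Trustee.Name } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                Permission = $_.Permission
            }
        }
}

# 2. Tasks pushed through Group Policy Preferences (the file New-GPOImmediateTask
#    writes). Lists every task element so an unexpected ImmediateTaskV2 stands out.
Get-ChildItem -Path $Policies -Recurse -Filter 'ScheduledTasks.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_.FullName
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        $doc.ScheduledTasks.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object {
            # V2 tasks carry <Task><Actions><Exec>; legacy <Task> elements use a cmd attribute
            $cmd = if ($_.Properties.Task) { @($_.Properties.Task.Actions.Exec.Command) -join ' | ' }
                   else { $_.Properties.cmd }
            [pscustomobject]@{
                File    = $file
                Type    = $_.LocalName        # ImmediateTaskV2, TaskV2, Task, ...
                Name    = $_.name
                RunAs   = $_.Properties.runAs
                Command = $cmd
                Changed = $_.changed
            }
        }
    }

# 3. SeEnableDelegationPrivilege assignments in security templates. The default
#    domain grants it only to BUILTIN\Administrators in the Default Domain
#    Controllers Policy; any other holder is the backdoor the technique describes.
Get-ChildItem -Path $Policies -Recurse -Filter 'GptTmpl.inf' -ErrorAction SilentlyContinue |
    Select-String -Pattern '^\s*SeEnableDelegationPrivilege\s*=\s*(.+)$' |
    ForEach-Object {
        $sids = $_.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
        $names = foreach ($sid in $sids) {
            try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                      [System.Security.Principal.NTAccount]).Value }
            catch { $sid }    # unresolvable SID (deleted principal or a plain name): keep raw
        }
        [pscustomobject]@{ File = $_.Path; Principals = ($names -join '; ') }
    }
```

Run it from a host with RSAT and pipe each section to Format-Table or Export-Csv to keep a baseline; the useful signal is the diff between runs, since a single GptTmpl.inf or GPP task file changing outside a change window is what the Detection section's event IDs will also show.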

Detection

It is possible to detect GPO modifications by monitoring directory service changes using Windows event logs. Several events may be logged for such GPO modifications, including:

  • Event ID 5136 - A directory service object was modified
  • Event ID 5137 - A directory service object was created
  • Event ID 5138 - A directory service object was undeleted
  • Event ID 5139 - A directory service object was moved
  • Event ID 5141 - A directory service object was deleted

GPO abuse will often be accompanied by some other behavior such as Scheduled Task (T1053), which will have events associated with it to detect. Subsequent permission value modifications, like those to SeEnableDelegationPrivilege, can also be searched for in events associated with privileges assigned to new logons (Event ID 4672) and assignment of user rights (Event ID 4704).
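The following script turns the event IDs listed above into a query a responder can run on a domain controller. It is an added example written for this page, not ATT&CK or translator code. It assumes the Security log of a domain controller (the directory service change events are only written there), that the Audit Directory Service Changes subcategory is enabled and the GPO container objects carry a SACL (otherwise 5136 through 5141 are never generated), and that the caller can read the Security log. The function name ConvertFrom-EventData and the -Hours parameter are this example's own.

```powershell
# Added example: pull T1484-relevant Security events from a domain controller.
# Not ATT&CK or translator code. Run locally on a DC or add -ComputerName.
param([int]$Hours = 24)
$Since = (Get-Date).AddHours(-$Hours)

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> pairs of one record into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    $x = [xml]$Event.ToXml()
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Directory service changes whose target is a GPO container object.
#    AttributeLDAPDisplayName shows what changed (versionNumber,
#    gPCMachineExtensionNames, ...); OperationType %%14674 = value added,
#    %%14675 = value deleted.
$gpoChanges = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.ObjectClass -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Subject   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                ObjectDN  = $d.ObjectDN
                Attribute = $d.AttributeLDAPDisplayName
                Value     = $d.AttributeValue
                Operation = $d.OperationType
            }
        }
    }

# 2. Logons (4672) and user-right assignments (4704) that carry the privilege
#    the technique abuses. 4672 is noisy for administrators; 4704 is rare and
#    names the account (TargetSid) that received the right.
$delegationRights = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4672, 4704; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.PrivilegeList -match 'SeEnableDelegationPrivilege') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                TargetSid  = $d.TargetSid      # populated on 4704 only
                Privileges = $d.PrivilegeList
            }
        }
    }

$gpoChanges       | Sort-Object Time | Format-Table -AutoSize
$delegationRights | Sort-Object Time | Format-Table -AutoSize
```

Two practical caveats: a GPO edit through the normal tooling bumps versionNumber on the container and updates gPCMachineExtensionNames, so one logical change produces several 5136 records, and grouping by OpCorrelationID in the event data reconstructs the single operation; and the events above cover the AD side only, so a write to the GPO's files in SYSVOL that bypasses the directory object is visible only through file-system auditing on the SYSVOL share, which is why the technique lists file system access controls among the defenses bypassed.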