7 Minute Security15 Nov 2020

7MS #441: SharpGPOAbuse

Hello friends! Sorry to be late with this episode (again) but we've been heads-down in a lot of cool security work, coming up for air when we can! Today's episode features:

A little welcome music that is not the usual scatting of gibberish I torture you with
Some cool tools I'm playing with in the lab that we'll do future episodes on in the future:
- DetectionLab to practice detecting all the bad things!
- BadBlood to dirty up your AD (your test AD with groups, computers, permissions, etc.). I wish the user import script would let you choose a list of bad passwords to assign the users, but you can also run it manually if you want.
- Cobalt Strike - we're doing a demo right now!

Most of today's episode focuses on SharpGPOAbuse, a tool that can be used to abuse "generic write" access to GPOs (which you might identify after running BloodHound). Here's a sample syntax you could run:

SharpGPOAbuse.exe --AddUserTask --TaskName "Totes Safe Windoze Updatez" --Author SAMPLECO\ADMINISTRATOR --Command "cmd.exe" --Arguments "/c net group \"Domain Admins\" SomeLowPrivUser /ADD DOMAIN" --GPOName "Name of GPO with Generic Write Access"

This will push a ScheduledTasks.xml file to \\sample.company\Policies\LONG-STRING-REPRESENTING-THE-GPO-ID\User\Preferences\ScheduledTasks

Now if you find that the task is not pushing correctly, it may be that SharpGPOAbuse.exe hasn't been able to update either the GPT.INI file (in the root of the GPO path) and/or the versionNumber value assigned to the GPO itself.
If you need to adjust the versionNumber and GPT.INI value manually, definitely read this Microsoft article so you know how the number is generated and how to increment it properly. This flippin' sweet RastaMouse blog article also helped this click for me.

If you can't seem to update versionNumber using the PowerShell in Rasta's article, you can also open up ADSI Edit and navigate to Default naming context > DC=your,DC=com > CN=System > CN=Policies > CN=LONG-STRING-REPRESENTING-THE-GPO-ID then get the properties of the folder, scroll down and manually adjust the value for versionNumber.

Upptäck Premium

Prova 14 dagar kostnadsfritt

Skaffa Premium

Avsnitt(689)

7MS #57: How to Review a Firewall (audio)

In this episode I talk about a few different ways to approach firewall reviews/audits. This document was very helpful in getting my template started. Also check out Nipper if you’re looking for a firewall review/audit tool. 7MS #57: How to Review a Firewall (audio)

30 Apr 20158min

7MS #56: OFFTOPIC – Catching Up and Blowing Noses (audio)

A few offtopic things: What you can expect as far as a podcast release schedule going forward Two suspicious charges that showed up on my credit card while out of town! 7MS #56: OFFTOPIC – Catching Up and Blowing Noses (audio)

28 Apr 20158min

7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

Ok I don’t really have a murse, but I wanted to do a short video(!) podcast to show you some sorta-security-related gadgets that I’ve been nerding out on the last few weeks. 7MS #55: OFFTOPIC – What’s in Brian’s Murse? (video)

22 Apr 20156min

7MS #54: Traveling with a Red Giant (audio)

If you’re concerned about your credit/debit card security, you might want to give Red Giant a try. It’s a service that provides a debit card you can unlock *only* when buying something. It’s cool. Oh, and Red Giant is NOT sponsoring this episode. If I ever get sponsors, I’ll disclose them clearly. :-) 7MS #54:…

16 Apr 20157min

7MS #53: Are You Ready to Get Robbed? (audio)

Business DR plans are a hugely important – and often overlooked – piece of the infosec puzzle. But what about at home? If you got run over by a bus tomorrow, would you have good plans in place to help your partner/spouse take over the tech side of your household? That’s what we’re talkin’ about…

14 Apr 20157min

7MS #52: OFFTOPIC – My Son is Really Loyal (audio)

It’s another off-topic episode today. This one’s about how my eight-year-old son is fiercely loyal, and wants to settle a 25-year-old score for me. 7MS #52: OFFTOPIC – My Son is Really Loyal (audio)

9 Apr 20158min

7MS #51: CEH vs. OSCP (audio)

A few people have written in asking whether to pursue the CEH or OSCP (or both). This episode discusses my experience with each cert and hopefully points you in the right direction on which one might be right for you. Here’s the article on CEH I mention during the episode – it has much more…

7 Apr 20157min

7MS #50: OSCP – The Final Chapter – part 2! (audio)

At last, the epic conclusion of the maddening, redeeming OSCP journey. 7MS #50: OSCP – The Final Chapter – part 2! (audio)

2 Apr 20157min

Allt en och samma app

Lyssna på dina favoritpoddar och ljudböcker på ett och samma ställe.

Noga utvalt innehåll

Njut av handplockade tips som passar din smak – utan ändlöst scrollande.

Fortsätt när du vill

Fortsätt lyssna där du slutade – även offline.

Premium

99 kr/mån

Tillgång till alla Premium-poddar
Lyssna utan reklam
Avsluta när du vill

Prova 14 dagar gratis

Premium

129 kr/mån

Tillgång till alla Premium-poddar
Lyssna utan reklam
Avsluta när du vill
Ett extra konto

Prova 14 dagar gratis

Populärt inom Politik & nyheter

Berättelserna och rösterna du älskar att lyssna på

Obegränsad lyssning på alla dina favoritpoddar och ljudböcker

Upptäck Premium