WriteGPLink

This article applies to BHCE and BHE

The WriteGPLink edge indicates that the principal has the permissions to modify the gPLink attribute of the targeted OU/domain node.

The ability to alter the gPLink attribute may allow an attacker to apply a malicious Group Policy Object (GPO) to all child user and computer objects (including the ones located in nested OUs). This can be exploited to make said child objects execute arbitrary commands through an immediate scheduled task, thus compromising them.

Successful exploitation will require the possibility to add non-existing DNS records to the domain and to create machine accounts. Alternatively, an already compromised domain-joined machine may be used to perform the attack. Note that the attack vector implementation is not trivial and will require some setup.

Alternatively, the ability to modify the gPLink attribute can be exploited in conjunction with write permissions on a GPO. In such a situation, an attacker could first inject a malicious scheduled task in the controlled GPO, and then link the GPO to the target through its gPLink attribute, making all child users and computers apply the malicious GPO and execute arbitrary commands.

Abuse Info

Windows abuse

From a domain-joined compromised Windows machine, the WriteGPLink permission may be abused through Powermad, PowerView and native Windows functionalities. For a detailed outline of exploit requirements and implementation, you can refer to this article: OU having a laugh?

Be mindful of the number of users and computers that are in the given domain as they all will attempt to fetch and apply the malicious GPO.

Linux abuse

From a Linux machine, the WriteGPLink permission may be abused using the OUned.py exploitation tool. For a detailed outline of exploit requirements and implementation, you can refer to the article associated to the OUned.py tool.

Be mindful of the number of users and computers that are in the given domain as they all will attempt to fetch and apply the malicious GPO.

Opsec Considerations

The present attack vector relies on the execution of a malicious Group Policy Object. In case some objects in the target Organizational Unit are unable to apply said Group Policy Object (for instance, because these objects cannot reach the attacker's machine in the internal network), events related to failed GPO application will be created. Furthermore, the execution of this attack will result in the modification of the gPLink property of the target Organizational Unit. The property should be reset to its original value after attack execution to avoid detection and ensure the OU child items can apply their legitimate Group Policy Objects again.

References

This edge is related to the following MITRE ATT&CK technique:

Abuse info references

Updated