How hackers exploit Group Policy Objects (‘GPOs’) to attack your Active Directory

Hackers have quickly realized that the easiest and most effective way to spread ransomware across an entire corporate network is to find and use compromised GPOs. When you also consider that GPOs are contained within Active Directory, which is itself the number one ransomware and lateral movement environment (think about it: AD provides little visibility, is designed to hide complexity, is widely mismanaged, is connected to everything, has more places to hide than anywhere else, and most organizations suffer from a shortage of Active Directory expertise), then you start to understand the mouth-watering proposition that compromised GPOs present to bad actors.

Additionally, compromising an organization’s GPOs is one of the most effective ways to cripple enterprise defenses and steal data and assets, while giving the attacker excellent visibility of the useful accounts and privileges to hijack within the enterprise. In fact, using GPOs anyone can gain complete control over the entire domain-controlled infrastructure, including servers, clients, file shares, printers, applications and many other devices.

Hackers are already all over this: look at the GPO-specific ransomware of BlackMatter, LockBit and Ryuk, for instance (and many others), which have for years been actively exploiting the powerful features of Active Directory to steal data, plant malware and infiltrate networks while slowly working down their ransomware kill-chains (at their own pace), along with plenty of other ways of undermining IT security. FireEye’s 2016 M-Trends report describes an attacker attempting to distribute ransomware through GPOs as early as 2010, and there is every reason to think similar (albeit fairly primitive) attacks were happening well before then too.

Before we get ahead of ourselves let’s touch on the basics: what are Group Policy Objects (GPOs)?
GPOs allow users and/or administrators to implement specific configurations for users and computers across the entire enterprise. Group Policy settings are contained in Group Policy Objects (GPOs), which are typically linked to the following Active Directory containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, following the hierarchical nature of Active Directory. By using GPOs, administrators can define the state of a user’s work environment and rely on Windows Server (all versions) to continually enforce the Group Policy settings across an entire organization or on specific groups of people and computers.

As security issues become increasingly paramount in all organizations, the GPOs (contained within Active Directory) are at the forefront of an organization’s ability to roll out and control functional security. There is good reason why people say that Active Directory holds the keys to the kingdom. Core aspects of the user life cycle such as password policies, logon hours, software distribution, and other critical security settings are handled through GPOs. It is of paramount importance for organizations to have proper methods to control the settings of these GPOs.

Let’s take a glance at the power of GPOs and understand how unauthorized changes could “bring your enterprise to its knees”:

  • Install malicious software on all of your domain controllers, seriously putting the enterprise at risk;
  • Override the permitted number of user log-in attempts, facilitating brute-force and other bot attacks by allowing unlimited log-in attempts;
  • Override account lock-out after a set number of log-in attempts (normally in conjunction with the above);
  • Override existing security measures that block unidentified users from connecting to a network share (including remotely);
  • Replace the standard set of bookmarks with links to malicious sites, enabling phishing attacks;
  • Allow access to folders containing critical and valuable security data that were previously locked down;
  • Give all business users a standard set of bookmarks so they can easily reach your helpdesk or other important resources; changes to these can take large numbers of your users to unauthorized locations (any one of them could click on something bad…);
  • Restrict access to certain folders; imagine no one being able to access data from fileshares;
  • Install the same software on all of your domain controllers (DCs), for example unauthorized software that sends domain information to some other location;
  • Stop Windows updates from being applied promptly, weakening the enterprise security posture;
  • Enable the command prompt on users’ machines; and
  • Enable use of the NTLM v1 authentication protocol, which is weaker than Kerberos.

Any one of these changes could seriously damage an enterprise — and the change would propagate across the network within minutes or even seconds. These are just some examples of the dark side of the power of GPOs!

By now it should be abundantly clear why hackers want to target GPOs. GPOs are extremely powerful but also vulnerable and, in most organizations, mismanaged. This is hardly surprising given the heavy workload already placed on IT security teams; it is frankly unrealistic to expect these teams to have deep Active Directory expertise in-house. But given that the majority of significant ransomware attacks stem from weaknesses in the victim’s AD, and that AD holds the keys to the kingdom, all enterprises should seek out Active Directory security experts who can join them shoulder-to-shoulder in the fight against the dark side of GPOs and of AD more generally.

As we have seen, GPOs are the most efficient and powerful way to distribute any executable or application across all parts of an enterprise at lightning speed. It doesn’t take a great deal of imagination to see how GPOs can be abused to circumvent security controls and gain access to sensitive data. All you need to do is create a policy or modify an orphan policy, using PowerShell for instance.

Other key considerations on GPO vulnerability:

The other factor that makes GPOs such an attractive target is that they are vulnerable on multiple fronts. The design of Active Directory ensures that every user can see the policies you have, where they are applied and who has access to them. In many cases these policies are delegated to individual users, allowing them to modify the policies. What’s more, IT teams usually use descriptive names for objects in Active Directory, which simplifies administration but has the unfortunate side effect of giving hackers critical information they can use to direct and hone their attacks. In short, a hacker could not hope to find a better treasure map of a target enterprise (users, permissions and so on) than what is contained within Active Directory.

Even though they are very powerful, GPOs are typically not at the center of an organization’s security strategy, and most of the time they don’t even feature in security assessments and discussions. Group Policy is often seen as a “set it and forget it” technology. At the same time, it is often very complex, with thousands of policies created to address specific issues over the years, with overlapping settings — and lots and lots of people who have been delegated permissions to create, modify and delete those GPOs. Additionally, with the native toolset there is no version control for enterprise GPOs, meaning that if erroneous changes (accidental or malicious) are made there is no easy way to revert to a previous GPO version. With the native toolset there is also no way to stop new GPOs from being created (or to hold them as pending until reviewed).

It is usually incredibly difficult to untangle it all, and it’s risky to remove policies and delegated admins without proper research and attestation. As a result, too many organizations don’t even try. That leaves their IT ecosystem extremely vulnerable.

CionSystems | AD Guardian GPO Control addresses all of these issues and many more (including the ability to cloak GPOs, further improving critical security hygiene).

How can GPOs be compromised?

Let’s explore how GPOs can be compromised. It’s much easier than it seems. First of all, hackers need to gain a foothold in your IT ecosystem. Unfortunately, that often doesn’t require sophisticated skills or exotic techniques. Assume you have a password complexity policy enforced: a password spraying attack will still likely quickly locate a user account with a common password like “Username$” or “Password1”, or a trending favorite like “CovidSucks2020!”.

The CionSystems | AD Guardian SSPR solution will protect your enterprise from these types of password-based attacks. It evaluates every password for every user against around 2 billion compromised passwords and, if a match is found, forces the user to change the compromised password automatically. Additionally, when a user chooses a new password, it is checked against disallowed-password dictionaries before it is enforced in Active Directory; if the password is found in a dictionary it is not set, and the user must choose a password that does not appear in the dictionary. This is all done in real time to make sure you are extra safe!

In fact, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that two of the top ways that the threat actors behind recent hacks gained initial access to victim organizations were the tried and true basic tactics of password guessing and password spraying.

Once attackers get an initial foothold, they don’t need much technical know-how to understand your GPOs and figure out which accounts to target in order to get access to the ones they need to do maximum damage. They have several “easy buttons”: BloodHound, PowerSploit and Mimikatz are just three examples of open-source tools that will do the heavy lifting for them. For instance, BloodHound will quickly give attackers all the information they need — even if your environment is complex, with lots of policies and blocked inheritances and so on. The attacker essentially asks, “I want access to this system; what GPOs are applied to it and who are the administrators for those GPOs?” and BloodHound will spit out the details, including a list of exactly which accounts they need to target using spear phishing or other attack vectors. This is a big problem. Once one of those credential-seeking attacks succeeds, it’s game over. GPOs provide access to and control over every system, so they give hackers the means to accomplish just about any task — while also avoiding detection (AD is the number one lateral movement environment for a reason). They can deploy ransomware or other executables, then clear all your DCs and scorch all the evidence of their activity on their way out; if you don’t have specialized AD security solutions and are relying on a SIEM, for instance, you may not have a clue what has just happened, but heads will start to roll faster than you can say, “what does GPO even stand for?”.

Fight back with CionSystems AD Guardian | GPO Control:
To strengthen your Active Directory security, you must enforce effective Group Policy management. The Group Policy Management Console (GPMC) from Microsoft is a useful tool but has severe limitations, and it doesn’t help you eliminate the core problem: all of those delegated accounts that have permissions to modify your GPOs — accounts that tools like BloodHound are only too capable of identifying and serving right up to hackers. Further, it lacks the functionality that is needed to effectively manage GPOs across the enterprise, such as change management, permission management, versioning, delegation, cleanup, GPO workflow management, check in/check out, change control, backup/restore, reports and rollback.

Organizations often have dozens or hundreds of such accounts, all ripe for takeover. A great way to dramatically shrink your attack surface is to reduce the number of accounts with GPO access rights to a bare minimum. Of course, the permissions of Domain Admins and Enterprise Admins cannot be removed, but if you had just one other account with rights over your policies, instead of dozens or hundreds, just think how frustrating that would be to any attacker. Then combine that with the ability to suspend any newly created GPO with GPO Control, and hopefully you start to see how our solution can harden your enterprise’s AD security posture.
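To measure how far you are from that bare minimum, the following added PowerShell inventory (written for this article; it is not CionSystems’ code and not part of GPO Control) lists every principal outside the default administrative set that can modify a GPO. It assumes the GroupPolicy RSAT module in a domain-joined session with read access to all GPOs, and the `$expected` list is an assumption to adjust for your own naming.

```powershell
# Added example, not vendor or Microsoft code: inventory who can modify each GPO
# so that delegation can be trimmed. Assumes the GroupPolicy module (RSAT) and a
# domain-joined session; $expected is an assumption to adjust per environment.
Import-Module GroupPolicy

# Principals whose edit rights are expected and cannot be removed. Adjust for
# localized group names or a single dedicated GPO-management account.
# CREATOR OWNER may also appear (as GpoCustom); review it rather than hide it.
$expected = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

# Permission levels that allow changing a GPO. GpoCustom means non-standard ACEs
# that need a manual look, because they may still include write access.
$modifyLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-GpoDelegationFindings {
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in (Get-GPPermission -Guid $gpo.Id -All)) {
            $level = [string]$p.Permission
            if ($modifyLevels -contains $level -and $expected -notcontains $p.Trustee.Name) {
                [pscustomobject]@{
                    GpoName     = $gpo.DisplayName
                    GpoId       = $gpo.Id
                    Trustee     = '{0}\{1}' -f $p.Trustee.Domain, $p.Trustee.Name
                    TrusteeType = $p.Trustee.SidType   # User, Group, WellKnownGroup ...
                    Permission  = $level
                    Modified    = $gpo.ModificationTime
                }
            }
        }
    }
}

$findings = Get-GpoDelegationFindings

# Per-GPO view: which non-default principals can change each policy.
$findings | Sort-Object GpoName, Trustee |
    Format-Table GpoName, Trustee, TrusteeType, Permission, Modified -AutoSize

# Attack-surface view: the distinct accounts and groups an attacker would have to
# compromise. Each is a candidate for removal or for a reviewed change process.
$principals = $findings | Group-Object Trustee | Sort-Object Count -Descending
$principals |
    Select-Object @{n = 'Trustee'; e = { $_.Name }}, @{n = 'GposEditable'; e = { $_.Count }} |
    Format-Table -AutoSize
"Non-default principals with modify rights on at least one GPO: $($principals.Count)"
```

Get-GPPermission reports the GPO’s Active Directory ACL; run the script again after each clean-up round and the final count is the number the text suggests driving towards one.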

A proxy-based solution like CionSystems | AD Guardian – GPO Control gives you all of that functionality (and more). You create versioning for all of your GPOs in GPO Control and remove all the native delegation that leaves you so vulnerable. BloodHound and other snooping tools instantly become useless, since only Domain Admins, Enterprise Admins and GPO Control itself have permissions to modify your GPOs. Additionally, you can ensure that no one — including users who have access to GPO Control — can make certain modifications, which inoculates your most critical settings from being changed at all.

Not only do native toolsets not do this, but they cannot even see whether it is being done maliciously to your enterprise, so it is unlikely that you will even know about it until it’s too late. GPO Control also has settings to stop any and all new GPOs from being created, which is a hugely useful disarming tactic against a hacker who is deep in your network. If you’re interested in additional proven strategies for strengthening your Active Directory security posture, check us out at www.CionSystems.com; we have been building enterprise-class technology solutions to protect your Active Directory (on-premise and cloud / hybrid) for over 15 years. Feel free to contact us anytime to start a discussion on how we can assist you in professionally securing your Active Directory today.

Our mission at CionSystems is to help you improve your Active Directory (on-premise and cloud) security posture. We have almost 20 enterprise-class technology solutions that do just that (GPO Control is just one of them), we are recognized by Gartner, and we are proud to say that we have recently won the Cyber Defense Media award for “The Most Comprehensive Active Directory Solution on the Market”. So you know you are in safe hands with us!