Group policy modification: A common technique for privilege escalation

Group policy and group policy object (GPO)

Group policy enables the centralized management of computer and user accounts by IT administrators. A group policy is a group of settings that can be applied to multiple users and machines. A group policy object (GPO) is a compilation of policy settings, both computer-related and user-related, that define the behavior of computers and users respectively in an Active Directory environment.

Group policy modification for privilege escalation

Privilege escalation occurs when an adversary gains unauthorized access by exploiting vulnerabilities, misconfigurations, bugs, etc. to launch a cyberattack. One of the common techniques of a privilege escalation attack is group policy modification. Often categorized as a sub-technique under domain policy modification, group policy modification involves modifying group policy objects to bypass discretionary access controls as a means to execute privilege escalation. All user accounts are allowed to read group policy objects in a domain, by default. However, GPO access control permissions can be assigned to specific users or groups in a domain.

An adversary can cause malicious attacks through modification of GPOs. Here are a few examples:

• Scheduled Task:Task scheduling functionality could be misused to initiate and repeat the execution of malicious code.
• Disable or Modify Tools:Security tools could be deleted or modified to prevent detection of potential malware and malicious activities.
• Ingress Tool Transfer:Tools can be transferred from an external source and used for malicious purposes.
• Service Execution:Commands can be incorrectly executed when the service control manager is misused.

A few examples of tools and adversary groups that have a history with GPO modifications are:

• Egregor:A cybercriminal group specializing in ransomware attacks, successfully breached operations at the American bookseller Barnes & Noble, and video game developers Crytek and Ubisoft in October 2020.
• Indrike Spider:An eCrime group that has been in operation since July 2014. The sophisticated Dridex banking Trojan was run in 2015 and 2016. Since then, operations using BitPaymer, WastedLocker, and Hades ransomware have been in use.

Identification process for group policy modification

Group policy modifications can be monitored and detected using event logs on directory service. A few examples of modifications can be found as follows:

• Event ID 5136:A directory service object was modified
• Event ID 5137:A directory service object was created

In general, group policy modifications might come with other behavior anomalies. In some cases, this could be an instance of a scheduled task. These anomalies can be searched for within events that are registered with new logon privileges.

Prevention of a group policy modification

Group policy modification can be restored using techniques such as auditing and user account management.

• Performing an audit (ID M1047) of systems, software, configurations, and others can identify and restore a group policy modification using tools such as BloodHound.
• Focused maintenance of a user account within areas of creation, modification, and permission will help prevent adversaries from misusing GPOs to elevate privileges.