• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

War Room

Shells from above

RSM logo

  • Home
  • About
  • Blog
  • Talks/Whitepapers
  • Tools
  • Recreation
Home > Defense > Prevent GPO from applying to your attack VM

Prevent GPO from applying to your attack VM

July 28, 2017 By RSM Author

You’re on an engagement and just obtained your first set of credentials. Score! You attempt to join your Windows VM to the domain and you are greeted with a warm message: “Welcome to the __ domain”. You’re excited to have your initial foothold in the network but you quickly realize these credentials don’t provide much access. We need to go deeper!

You start looking for ways to elevate your access in the network. Should we gather a list of Active Directory users for a reverse bruteforce? Perhaps there’s a set of local admin credentials tucked away inside GPP? Or maybe you already have access to a host that has Domain Admin credentials in memory but you don’t know it yet- Bloodhound to the rescue!

Wait! Let’s pump the breaks a bit. The benefits listed above don’t come without a drawback. Do you realize that by joining your VM to the domain, you’ve effectively granted Domain Administrators access to it? In order to prevent Group Policy from adding any unwanted restrictions or unauthorized access to your Windows VM you should disable the Group Policy Service.

Warning: Standard local user accounts will not be able to log in after this change. Therefore this configuration should not be applied to machines that are meant for actual production use since it is best practice to log in as a standard user.

1. Open regedit

2. Navigate to the Services tab. HKLM\SYSTEM\CurrentControlSet\services

3. Now scroll through the list until you find the “gpsrv” key. Right click on it and select Permissions

4. Select Advanced

5. Click Change

6. Click Administrators and then check Full Control and click OK

7. Double click the Start key under gpsvc

8. Change the value to 4.

The value 4 sets the Group Policy service to “Disabled”. Other values include:
Automatic – 2
Manual – 3

9. Ater a reboot you will see the following message. Now domain Group Policies will not be applied to this machine.

Originally authored by Corey

Share this...
  • Reddit
  • Email
  • Facebook
  • Twitter
  • Linkedin

RSM Author

Primary Sidebar

Categories

  • Defense
  • Forensics
  • Offense
  • Physical
  • R&D

Most Viewed Posts

  • DLL Injection Part 1: SetWindowsHookEx 10.8k views
  • Sophos UTM Home Edition – 3 – The Setup 10.8k views
  • Leveraging MS16-032 with PowerShell Empire 10k views
  • Bypassing Gmail’s Malicious Macro Signatures 9.8k views
  • How to Bypass SEP with Admin Access 8.9k views

Footer

  • RSS
  • Twitter
  • Tools
  • About
  • RSM US LLP

+1 800 903 6264

1 S Wacker Dr Suite 800
Chicago, IL 60606

Copyright © 2023 RSM US LLP. All rights reserved. RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit for more information regarding RSM US LLP and RSM International.