Full Report
TL;DR - If you have WriteGPLink on an Active Directory Organizational Unit (OU) and you’re on the same network segment as a computer within that OU, you can abuse that permission to link an existing Group Policy Objects…
Analysis Summary
# Tool/Technique: GPO UNC Path Hijacking via WriteGPLink & ARP Spoofing
## Overview
This technique explores the exploitation of the `WriteGPLink` permission on Active Directory Organizational Units (OUs). By combining this high-privileged Active Directory permission with local network attacks like ARP spoofing, an attacker can hijack Group Policy Object (GPO) processing to execute code as `SYSTEM` or relay NTLM credentials. The core concept relies on redirecting the UNC paths used by GPOs (for MSI installers, scripts, or drive maps) to attacker-controlled infrastructure.
## Technical Details
- **Type:** Technique (Lateral Movement / Privilege Escalation)
- **Platform:** Windows (Active Directory environments)
- **Capabilities:** Remote Code Execution (RCE) as SYSTEM, NTLM credential harvesting, NTLM relaying via WebDAV downgrade.
- **First Seen:** April 2024 (TrustedSec research publication)
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
  - T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- **TA0003 - Persistence / TA0004 - Privilege Escalation**
  - T1484.001 - Domain Policy Modification: Group Policy Modification
- **TA0008 - Lateral Movement**
  - T1570 - Lateral Tool Transfer
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
## Functionality
### Core Capabilities
- **MSI Deployment Spoofing:** An attacker with `WriteGPLink` on an OU links a GPO containing a "Software Installation" policy. If the GPO points to a UNC path on a server the attacker can ARP spoof, the attacker can serve a malicious MSI.
- **Logon/Startup Script Hijacking:** Redirecting UNC paths defined in GPOs for scripts to execute malicious code when a user logs in or a computer boots.
- **NTLM Relaying:** Forcing authentication to fall back from SMB to WebDAV by disrupting SMB traffic. This allows relaying NTLM over HTTP to targets such as AD CS or LDAP(S), bypassing SMB signing requirements.
### Advanced Features
- **WebDAV Downgrade:** By blocking port 445 on the attacker’s machine, Windows clients often attempt to access UNC paths via WebDAV (port 80), which facilitates NTLM relaying because NTLM over HTTP does not support session signing in the same way SMB does.
- **SYSVOL Parsing:** Automated identification of existing GPOs utilizing UNC paths to target for hijacking without needing to create new policies.
## Indicators of Compromise
- **File Names:** MSIs generated with `AdvancedInstaller`, custom `logon.bat` or `startup.ps1` files hosted on non-standard shares.
- **Network Indicators:**
  - Gratuitous ARP traffic from a non-gateway/non-server IP.
  - Unexpected outbound traffic on port 80 (WebDAV) to internal IPs.
  - SMB traffic redirected to attacker-controlled nodes.
- **Behavioral Indicators:**
  - `gPLink` attribute modifications on OUs followed by immediate software installations on member computers.
  - Failed SMB connections followed by successful WebDAV/HTTP connections to the same UNC path.
  - Modification of the `gPCFileSysPath` or `gPCMachineExtensionNames` attributes.
## Associated Threat Actors
- While no specific named groups are cited, these techniques are commonly utilized by **Red Teams** and sophisticated internal actors/insiders during post-exploitation phases.
## Detection Methods
- **Behavioral Detection:**
  - Monitor for Directory Service Changes (Event ID 5136) specifically targeting the `gPLink` attribute on OUs.
  - Monitor for MSI installations originating from unusual or unauthorized network shares.
- **Network Detection:** Use IDS/IPS to detect ARP poisoning (duplicate MAC addresses for the same IP).
- **YARA/Scripting:** Monitor for the use of tools like `parse_sysvol.py` or `Responder` within the environment.
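The 5136 hunt described above, as an added PowerShell example that is not part of the original report. It assumes the "Audit Directory Service Changes" subcategory is enabled and that the OUs carry a SACL for property writes (without that, 5136 is never generated); the `$ComputerName`, `$Hours` and `$expected` values are assumptions to adjust.

```powershell
# Added example, not from the original report: hunt the Security log of a domain controller
# for Event ID 5136 (Directory Service Changes) entries that modify the gPLink attribute.
# Assumes "Audit Directory Service Changes" is enabled and the OUs have a write-property SACL.

function Get-GPLinkChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: run on (or point at) a DC
        [int]$Hours = 24
    )

    # Event-log XPath (kept on one logical line; the dialect is picky about whitespace):
    # 5136 within the time window where the changed attribute is gPLink.
    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=5136 and TimeCreated[timediff(@SystemTime) <= $ms]]] and " +
             "*[EventData[Data[@Name='AttributeLDAPDisplayName']='gPLink']]"

    $events = Get-WinEvent -ComputerName $ComputerName -LogName Security `
                           -FilterXPath $xpath -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the <Data Name="..."> elements into a hashtable keyed by field name.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # OperationType is stored as a resource id: %%14674 = value added, %%14675 = value deleted.
        # One link edit normally shows up as a delete of the old gPLink string plus an add of the
        # new one, sharing the same OpCorrelationID.
        $op = switch ($d.OperationType) {
            '%%14674' { 'ValueAdded' }
            '%%14675' { 'ValueDeleted' }
            default   { $d.OperationType }
        }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Actor       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object      = $d.ObjectDN
            ObjectClass = $d.ObjectClass        # organizationalUnit, domainDNS or site
            Operation   = $op
            Value       = $d.AttributeValue     # the [LDAP://cn={GUID},...;0] link string
            Correlation = $d.OpCorrelationID
        }
    }
}

# Triage: anything not made by an expected GPO administrator deserves a closer look. Then
# check the computers in that OU for MsiInstaller Event ID 11707 (install completed) shortly after.
$expected = @("$env:USERDOMAIN\gpo-admin")     # assumption: placeholder account name
Get-GPLinkChange -Hours 72 |
    Where-Object { $expected -notcontains $_.Actor } |
    Format-Table -AutoSize
```

Filtering on `AttributeLDAPDisplayName` in the XPath rather than in PowerShell keeps the query cheap on a busy DC; widen it to `gPCFileSysPath` and `gPCMachineExtensionNames` if you also want the GPO-object side of the indicators listed above.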
## Mitigation Strategies
- **Least Privilege:** Restrict `WriteGPLink` permissions. Only Domain Admins should generally have the ability to link GPOs to OUs.
- **Network Hardening:** Implement **Dynamic ARP Inspection (DAI)** and **DHCP Snooping** to prevent man-in-the-middle attacks.
- **SMB Strengthening:** Enable **SMB Signing** (and ideally **SMB Encryption**) across the domain to prevent relaying and spoofing.
- **WebClient Service:** Disable the "WebClient" service on sensitive servers and workstations so that UNC access cannot fall back to WebDAV, which removes the HTTP path used for NTLM relaying.
- **Software Restriction:** Use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unauthorized MSI packages.
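The least-privilege and WebClient checks above, as an added PowerShell example that is not the report's own tooling. It assumes the ActiveDirectory RSAT module is available and that `$ExpectedPrincipals` is adjusted to the groups that legitimately manage GPO links; the gPLink schema GUID used is the standard one from the AD schema.

```powershell
# Added example, not from the original report: audit which principals can link GPOs to OUs.
# "WriteGPLink" is write access to the gPLink attribute (schema GUID
# f30e3bbe-9ff0-11d1-b603-0000f80367c1). An unscoped WriteProperty (how GenericAll and
# GenericWrite appear), or WriteDacl/WriteOwner (which let the holder grant themselves the
# right), reach the same outcome and are reported too.

Import-Module ActiveDirectory

$GpLinkGuid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'

function Get-GPLinkWriter {
    param(
        # Assumption: adjust to the principals that are supposed to link GPOs in your domain.
        [string[]]$ExpectedPrincipals = @(
            'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
            "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
        )
    )
    $writeProperty = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $writeDacl     = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $writeOwner    = [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights

            # WriteProperty matters only when unscoped (Guid.Empty = every attribute)
            # or scoped to gPLink itself.
            if ($ace.ObjectType -eq $GpLinkGuid)       { $scope = 'gPLink' }
            elseif ($ace.ObjectType -eq [guid]::Empty) { $scope = 'all' }
            else                                       { $scope = [string]$ace.ObjectType }

            $canLink = ($rights.HasFlag($writeProperty) -and $scope -ne [string]$ace.ObjectType) -or
                       $rights.HasFlag($writeDacl) -or $rights.HasFlag($writeOwner)
            if (-not $canLink) { continue }

            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
                Scope     = $scope
                Inherited = $ace.IsInherited
                Expected  = $ExpectedPrincipals -contains $ace.IdentityReference.Value
            }
        }
    }
}

function Test-WebClientDisabled {
    # WebClient is the WebDAV redirector; with it disabled, UNC access on this host cannot
    # fall back from SMB (445) to WebDAV (80), which closes the relay path described above.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $true }      # not installed (e.g. Server Core)
    return ($svc.StartType -eq 'Disabled' -and $svc.Status -ne 'Running')
}

# Unexpected link-capable principals, then the local WebDAV redirector state.
Get-GPLinkWriter | Where-Object { -not $_.Expected } | Format-Table -AutoSize
"WebClient disabled on $env:COMPUTERNAME: $(Test-WebClientDisabled)"
```

Inherited ACEs are included deliberately: a delegation placed high in the tree is exactly what hands `WriteGPLink` to every child OU, so resolve the `Inherited = True` rows back to the OU that actually carries the explicit ACE before removing it.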
## Related Tools/Techniques
- **[Responder](https://github.com/lgandx/Responder):** Used for LLMNR/NBT-NS poisoning and NTLM relaying.
- **[BloodHound](https://github.com/BloodHoundAD/BloodHound):** Used to identify users with `WriteGPLink` permissions.
- **[parse_sysvol.py](https://raw.githubusercontent.com/Coontzy1/HacknScripts/refs/heads/master/parse_sysvol.py):** Specifically mentioned script for finding GPOs containing UNC paths.
- **NTLM Relay:** General technique for capturing and replaying authentication tokens.