How to Own Any Windows Network via Group Policy Hijacking Attacks

Learn how to exploit vulnerabilities in Windows Group Policy to gain control over entire networks in this 49-minute conference talk from SyScan'15 Singapore. Explore the inner workings of Group Policy, configuration settings, and potential attack vectors. Examine threat scenarios involving domain controllers, domain members, and service principal signing. Follow along with a live demonstration of exploiting weak passwords, user settings, and Kerberos to compromise systems. Discover the effectiveness of security controls like MS15-011 and MS15-014. Gain insights into the exploit process, system shells, and mitigation strategies for protecting against Group Policy hijacking attacks.

Introduction
Outline
What is Group Policy
How does it work
Configuration settings
Prepatch scenario
How can it be attacked
Threat scenarios
Domain controllers
Domain members
SP signing
SP signing scenarios
SP signing diagram
Does it work
How to get a shell
Summary
Exploit process
Demo
Windows Domain Member
Linux Server
System Shells
Group Policy
Weak Passwords
User Settings
Local Configuration
Update User Settings
Win logon session
MS15011 and MS15014
How effective are these controls
User settings exploit
Is kerberos viable
kerberos example
decryption
domain controller
hardened uncpass
kerberos
log in
read response
caveats
Mitigation
User Policy