Windows Group Policy


Research, and more research

Windows attack patterns in the last 12 months and local GPO defenses

Attackers have leaned hard on abusing Group Policy as a distribution and control layer for malware, scripts, and ransomware. The core pattern is: gain a foothold, live off the land, escalate, then use GPO to push payloads or weaken defenses. Below is a practical mapping of attack techniques seen since last year and the most relevant local Group Policy Object (GPO) defenses you can apply on endpoints and within your domain.


Summary table: Attack techniques and local GPO defenses

Each entry below gives the attack pattern, a recent example or timeframe, the technique detail, the local GPO defenses, and notes.

Ransomware distributed via GPO
  • Recent example/timeframe: Cyclops ransomware case (described by Sophos)
  • Technique detail: Threat actor used AD GPO to push a ransomware binary via a UNC path and execute it via Scheduled Tasks; also cleared logs and disabled endpoint protection
  • Local GPO defenses:
    • AppLocker or WDAC allow‑listing to block unauthorized executables
    • Restrict scheduled task creation (non‑admins)
    • Force PowerShell Constrained Language Mode
    • Enable tamper protection and prevent disabling AV via policy
    • Harden event log retention and lock down clearing
  • Notes: Verify SYSVOL integrity and GPO change auditing; ensure AV policies cannot be disabled by local scripts

GPO cpassword credential theft
  • Recent example/timeframe: Ongoing technique
  • Technique detail: Attackers read Group Policy Preferences (GPP) “cpassword” values in SYSVOL to recover credentials, then pivot
  • Local GPO defenses:
    • Audit and eliminate GPP passwords; disable “passwords in GPP” usage
    • Remove legacy GPP policies; rotate affected creds
    • Tighten SYSVOL permissions; enable “Deny write” to non‑admins
  • Notes: Even if no longer used, old GPP artifacts can expose creds; scrub SYSVOL

Malicious scripts via GPO logon/logoff/startup
  • Recent example/timeframe: Common across campaigns
  • Technique detail: Hidden BAT/PS1 scripts staged in SYSVOL, applied via GPO, executing at logon/startup
  • Local GPO defenses:
    • Block PowerShell v2; enforce CLM
    • AppLocker script rules (PowerShell, cmd, wscript, cscript)
    • Disable “Run logon scripts synchronously” unless required; audit script processing
    • Enable AMSI & Defender Script Scan
  • Notes: Prefer signed scripts; restrict script CSE usage to admins only

UNC path abuse to less‑secure shares
  • Recent example/timeframe: Common lateral movement
  • Technique detail: GPO pointing to weakly secured file shares; clients fetch payloads from an attacker‑controlled UNC
  • Local GPO defenses:
    • Restrict UNC paths to signed, read‑only, approved sources
    • Enable SMB signing; restrict anonymous access
    • AppLocker network path rules
  • Notes: Periodically validate GPO path targets and share ACLs

Scheduled tasks pushed via GPO
  • Recent example/timeframe: Increasingly used
  • Technique detail: Create tasks via GPO to persist or detonate a payload across the domain
  • Local GPO defenses:
    • “Do not allow task scheduling by standard users” (via security hardening)
    • AppLocker/WDAC to block task action binaries
    • Audit Task Scheduler operational logs
  • Notes: Pair with SIEM alerts on GPO‑created tasks

Living‑off‑the‑land via GPO extensions
  • Recent example/timeframe: Playbook phase usage
  • Technique detail: Abuse Client Side Extensions (CSE), scripts, and built‑ins to blend in with normal ops
  • Local GPO defenses:
    • AppLocker/WDAC allow‑listing for LOLBins (powershell.exe, cmd.exe, mshta.exe)
    • Disable Windows Installer for non‑admins
    • Policy to deny interactive PowerShell for non‑admins
  • Notes: Build a minimal, signed toolchain policy baseline

Event log tampering via policy
  • Recent example/timeframe: Observed in ransomware ops
  • Technique detail: Attackers clear logs and reduce retention to hinder forensics
  • Local GPO defenses:
    • Enforce minimum log sizes; prevent log clearing by non‑admins
    • Forward logs to remote collectors (not GPO‑only)
    • Enable advanced audit policy (object access, process creation, policy changes)
  • Notes: Lock down “Clear logs” permissions; ship logs off‑host

AnyDesk/Cobalt Strike distribution via GPO
  • Recent example/timeframe: Seen in intrusion chains
  • Technique detail: Remote tools deployed or staged via GPO to maintain access
  • Local GPO defenses:
    • AppLocker/WDAC: deny unknown remote admin tools
    • Block unsigned installers; enforce code signing
    • Restrict MSI installs; “Always install with elevated privileges” disabled
  • Notes: Maintain a deny‑list for known RATs via hash/path rules

Policy/object tampering in AD (GPC/GPT)
  • Recent example/timeframe: Active in 2024–2025 reports
  • Technique detail: Attackers alter the GPO container or template (SYSVOL) to redirect or inject
  • Local GPO defenses:
    • Enable auditing on GPO changes
    • Tighten ACLs on GPC/GPT and SYSVOL
    • Monitor gpLink changes and SOM scope drift
  • Notes: Baseline and regularly diff SYSVOL contents
Sources: Sophos News, The Quest Blog, Securelist

What’s been happening and why GPO is targeted

Attackers increasingly use GPO as a centralized distribution mechanism: once they have sufficient privileges, they can push malware, create scheduled tasks, deploy remote tools, and manipulate client behavior at scale. Real incidents show ransomware operators distributing binaries via UNC paths and triggering them with scheduled tasks set through GPO, alongside clearing event logs and disabling protections to evade detection (Sophos News). More broadly, modern intrusion playbooks emphasize “going for the GPO” after living off the land and expanding privileges, because GPO offers rapid, systemic control and software deployment across devices (The Quest Blog). Technical analyses detail how a GPO’s container (GPC) and template (GPT, stored in SYSVOL), plus Client Side Extensions, are manipulated, making GPO a powerful but risky layer when it is not tightly governed (Securelist).


Concrete local GPO defenses to implement

  • Allow‑listing with AppLocker or WDAC: Enforce an allow‑list for executables, scripts, installers, and LOLBins (e.g., powershell.exe, mshta.exe). This stops ransomware or remote tools from executing even if staged via GPO.
  • PowerShell hardening:
    • Block PowerShell v2.
    • Enforce Constrained Language Mode for non‑admins.
    • Enable AMSI and Defender Script Scan.
  • Script control via GPO:
    • Require signed scripts; restrict script CSE usage to administrators.
    • Audit and monitor logon/logoff/startup script execution.
  • Scheduled task restrictions:
    • Prevent standard users from creating or modifying scheduled tasks.
    • Monitor Task Scheduler operational logs for GPO‑created tasks.
  • Windows Installer control:
    • Disable “Always install with elevated privileges.”
    • Restrict MSI installs to admins; enforce code signing.
  • Credential hygiene in GPO:
    • Remove Group Policy Preferences passwords; scrub legacy cpassword artifacts from SYSVOL.
    • Rotate any credentials historically exposed via GPP.
  • SYSVOL and GPO integrity:
    • Tighten ACLs on SYSVOL, GPC/GPT; restrict write access.
    • Baseline and diff SYSVOL; alert on unexpected changes, gpLink edits, and SOM scope drift.
  • Network path and SMB hardening:
    • Enforce SMB signing; restrict anonymous access.
    • Limit GPO UNC targets to approved, read‑only, signed sources.
  • Event log protection:
    • Enforce minimum sizes and retention; disallow log clearing by non‑admins.
    • Forward logs off‑host to a collector/SIEM; enable advanced audit policies (process creation, object access, policy changes).
  • Endpoint protection resilience:
    • Enable tamper protection; prevent AV/EDR disablement via policy.
    • Audit attempts to alter protection policies through GPO.
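One way to do the “baseline and diff SYSVOL” item above, as an added example written for this post (not code from any of the cited sources). It assumes a domain‑joined host with read access to the SYSVOL share; the `$SysvolPolicies` default and the `$HighRisk` file list are assumptions to adjust for your environment.

```powershell
# Added example: hash every file under the SYSVOL Policies folder, keep the first run
# as a baseline, and on later runs report added/removed/changed files, flagging the
# GPO template files that most often change when a policy is repurposed to run code.
# Assumptions: read access to SYSVOL; adjust $SysvolPolicies if your layout differs.
param(
    [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",
    [string]$BaselinePath  = "$env:ProgramData\GpoSysvolBaseline.json"
)
# A change to one of these usually means a GPO now runs or installs something.
$HighRisk = 'GPT.INI', 'scripts.ini', 'psscripts.ini', 'ScheduledTasks.xml',
            'Services.xml', 'Registry.xml', 'Groups.xml'

function Get-SysvolSnapshot {
    $snap = @{}
    Get-ChildItem -Path $SysvolPolicies -Recurse -File -ErrorAction Stop | ForEach-Object {
        # Key on the path relative to Policies; its first segment is the GPO GUID.
        $rel = $_.FullName.Substring($SysvolPolicies.Length).TrimStart('\')
        $snap[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $snap
}

$current = Get-SysvolSnapshot
if (-not (Test-Path -Path $BaselinePath)) {
    # First run: persist the snapshot as the baseline and stop.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written for $($current.Count) files to $BaselinePath"
    return
}
# Reload the stored baseline into a hashtable for direct lookups.
$baseline = @{}
(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }

$allPaths = @($baseline.Keys) + @($current.Keys) | Sort-Object -Unique
$findings = foreach ($path in $allPaths) {
    if     (-not $baseline.ContainsKey($path))    { $state = 'ADDED' }
    elseif (-not $current.ContainsKey($path))     { $state = 'REMOVED' }
    elseif ($baseline[$path] -ne $current[$path]) { $state = 'CHANGED' }
    else                                          { continue }
    [pscustomobject]@{
        State    = $state
        HighRisk = [System.IO.Path]::GetFileName($path) -in $HighRisk
        Path     = $path
    }
}
# High-risk template changes first; review each one against your change records.
$findings | Sort-Object -Property @{ Expression = 'HighRisk'; Descending = $true }, State |
    Format-Table -AutoSize
```

Run it once to write the baseline, then on a schedule; an unexpected CHANGED or ADDED line on a high‑risk file is the signal to feed into the GPO change auditing described above.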

These measures directly impede GPO‑delivered payloads and the living‑off‑the‑land techniques adversaries use during escalation and deployment phases (The Quest Blog, Securelist). Specific incident evidence shows these controls would have disrupted the described ransomware distribution and execution path (Sophos News).


When no local GPO defense applies

  • Initial exploitation outside GPO (e.g., Exchange/edge device exploits): Local GPO cannot prevent the initial breach of an internet‑facing service; you need patching, network segmentation, and identity protections. Local endpoint policies still help contain post‑breach execution, but they won’t stop the exploit itself (Sophos News, The Quest Blog).
  • Domain‑level privilege abuse that changes AD/GPO directly: If an attacker obtains Domain Admin, they can alter GPOs and SYSVOL. While local allow‑listing, PowerShell CLM, and installer restrictions still block payload execution, preventing policy tampering requires AD‑level controls: hardened ACLs, change auditing, tiered admin, and protected groups (The Quest Blog, Securelist).
  • Credential compromise via out‑of‑band theft: If creds are stolen from sources beyond GPO (e.g., cloud tokens), local GPO doesn’t remediate the theft. It can reduce blast radius (e.g., via AppLocker), but identity governance and conditional access are needed (The Quest Blog).

Practical next steps

  • Build a baseline: Author a hardened local GPO baseline combining AppLocker/WDAC, PowerShell CLM, installer restrictions, and log protections; test on a pilot OU.
  • Evidence and audit: Enable GPO change auditing, SYSVOL diffing, and SIEM alerts for gpLink changes and scheduled task creation.
  • Remove legacy risk: Hunt for GPP cpassword artifacts and purge them; rotate any associated credentials.
  • Runtime validation: Capture endpoint logs proving allow‑listing blocks GPO‑delivered binaries and scripts, aligning with your audit trail expectations.
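For the “remove legacy risk” step and the credential‑hygiene item earlier, here is an added example (written for this post, not from the cited sources) that hunts GPP cpassword artifacts in SYSVOL and reports which GPO, file and account each one belongs to, so the entries can be deleted and the accounts rotated. It assumes read access to SYSVOL; `$SysvolPolicies`, `$GppFiles` and `$AccountAttrs` are assumptions to adjust for your domain.

```powershell
# Added example: list every Group Policy Preferences item under SYSVOL that still
# carries a cpassword attribute. It reports, never decrypts; the fix is to remove
# the entry and rotate the account.
# Assumptions: read access to SYSVOL; edit $SysvolPolicies if your layout differs.
param(
    [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)
# GPP item types that historically accepted an embedded password.
$GppFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
            'DataSources.xml', 'Drives.xml', 'Printers.xml'
# The attribute naming the affected account differs per item type.
$AccountAttrs = 'userName', 'accountName', 'runAs', 'username'

function Find-GppPassword {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Include $GppFiles -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        try   { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Unreadable XML: $($file.FullName)"; return }
        # Each GPP item keeps its settings on a <Properties> element; cpassword lives there.
        foreach ($p in $doc.SelectNodes('//Properties[@cpassword]')) {
            $account = $null
            foreach ($a in $AccountAttrs) {
                if ($p.HasAttribute($a)) { $account = $p.GetAttribute($a); break }
            }
            [pscustomobject]@{
                # The GPO GUID is the folder directly under Policies.
                Gpo         = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '?' }
                File        = $file.Name
                Account     = $account
                # An empty cpassword means no password was stored for this item.
                HasPassword = $p.GetAttribute('cpassword').Length -gt 0
                Changed     = $p.ParentNode.GetAttribute('changed')
                Path        = $file.FullName
            }
        }
      }
}

$hits = Find-GppPassword -Root $SysvolPolicies
if (-not $hits) { Write-Output "No cpassword attributes found under $SysvolPolicies" }
else { $hits | Sort-Object Gpo, File | Format-Table -AutoSize }
```

Rows with HasPassword set are the ones to purge and rotate; rows without it are stale artifacts that still deserve removal.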

Interesting stuff - I might ditch Windows and move to Linux 😄

#enoughsaid