Geeks for your information
One policy to rule them all - Printable Version

+- Geeks for your information (https://www.geeks.fyi)
+-- Forum: Security (https://www.geeks.fyi/forumdisplay.php?fid=68)
+--- Forum: Security Vendors (https://www.geeks.fyi/forumdisplay.php?fid=87)
+---- Forum: Kaspersky (https://www.geeks.fyi/forumdisplay.php?fid=90)
+----- Forum: Kaspersky Security Blog (https://www.geeks.fyi/forumdisplay.php?fid=142)
+----- Thread: One policy to rule them all (/showthread.php?tid=20562)



One policy to rule them all - harlan4096 - 01 February 25

Quote: Windows group policies are a powerful management tool that allows administrators to define and control user and computer settings within a domain environment in a centralized manner. While group policies offer functionality and utility, they are unfortunately a prime target for attackers. In particular, attackers are increasingly using group policies to distribute malware, execute hidden scripts and deploy ransomware.

These attacks can range from simple configuration changes that could result in data breaches to more complex scenarios where attackers gain complete control over the corporate network. To ensure the security of your IT infrastructure, it is crucial to understand the vulnerabilities in group policies and the tactics used by attackers. This story examines how cybercriminals exploit group policies as an attack vector, what risks attacks like these pose, and what measures can be taken to protect against potential threats.

Group Policy Object

A Group Policy Object (GPO) includes two key components: a Group Policy Container (GPC) and a Group Policy Template (GPT). A GPC is an Active Directory container that holds information about the GPO version, its status and so on.

[Image: Group_policies_01-1024x453.png]
Example of Group Policy Container contents

A GPT is a collection of files and folders kept on the SYSVOL system volume of every domain controller within a domain. These files hold a variety of settings, scripts and presets for users and workstations.

[Image: Group_policies_02.png]
Group Policy Templates on SYSVOL

The path to each template is specified in the attribute of the group policy container named gPCFileSysPath.

[Image: Group_policies_03-1024x475.png]
Contents of the gPCFileSysPath attribute

Next, gPCMachineExtensionNames and gPCUserExtensionNames are important attributes in each policy. Each of these attributes contains a GUID for Client Side Extensions (CSE) that will be distributed to user and/or computer settings. Extensions themselves are most often implemented using libraries that contain a set of functions necessary for applying extension settings to users or computers. So, the GUID provides information about which exact library needs to be loaded. A list of all CSE GUIDs can be found in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\

[Image: Group_policies_04.png]
Contents of one of the GUIDs in GPExtensions

To determine which policies a client will apply, it makes an LDAP query to the domain controller, which returns a set of policies for a specific user and/or computer.

This set is called SOM (Scope of Management). A key attribute of a SOM is gpLink, which connects organizational units (OUs) to the GPOs that apply to them.

Continue Reading...
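The post walks through the pieces a defender would want to inventory: each GPO's container (GPC) in AD, the gPCFileSysPath that points at its template (GPT) on SYSVOL, the CSE GUIDs in gPCMachineExtensionNames / gPCUserExtensionNames, the GPExtensions registry key that maps a GUID to the library that implements it, and the gpLink attribute on the OUs a policy applies to. The following script is an added example written for this thread, not code from the Kaspersky post; it assumes a domain-joined Windows host with read access to AD and SYSVOL and uses plain ADSI (no RSAT module). The two consistency checks it runs (GPT path must sit under the domain's SYSVOL Policies folder in the folder named after the GPC GUID; AD versionNumber should agree with Version= in GPT.ini) are heuristics chosen for this example, and a transient version mismatch during replication is normal.

```powershell
# Added example (not from the Kaspersky post): inventory GPOs via LDAP, resolve
# CSE GUIDs through the GPExtensions registry key, and flag GPC/GPT inconsistencies.
# Assumptions: domain-joined host, AD + SYSVOL read access, Windows PowerShell 5.1+.

$GpExtKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# GUID -> @{ Name; Dll } from the local GPExtensions key. A subkey's default value
# is the CSE's friendly name and DllName is the library loaded to apply its settings.
$Cse = @{}
foreach ($k in Get-ChildItem -Path $GpExtKey) {
    $Cse[$k.PSChildName.ToUpperInvariant()] = @{
        Name = [string]$k.GetValue('')
        Dll  = [string]$k.GetValue('DllName')
    }
}

# gPC*ExtensionNames looks like [{CSE GUID}{Tool GUID}...][{CSE GUID}{Tool GUID}...]:
# the first GUID in each bracketed group is the CSE, the rest are admin-tool (MMC) GUIDs.
function ConvertFrom-GpExtensionNames {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    foreach ($m in [regex]::Matches($Value, '\[([^\]]+)\]')) {
        $guids = @([regex]::Matches($m.Groups[1].Value, '\{[0-9A-Fa-f-]{36}\}') |
                   ForEach-Object { $_.Value.ToUpperInvariant() })
        if ($guids.Count -eq 0) { continue }
        $tools = @()
        if ($guids.Count -gt 1) { $tools = $guids[1..($guids.Count - 1)] }
        [pscustomobject]@{ Cse = $guids[0]; Tools = $tools }
    }
}

# ResultPropertyCollection keys are lower-case; return the first value or $null.
function Get-LdapValue($Props, $Name) {
    if ($Props.Contains($Name) -and $Props[$Name].Count -gt 0) { return $Props[$Name][0] }
}

$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext
$domainDns = ($domainDn -replace '^DC=', '') -replace ',DC=', '.'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
$searcher.Filter     = '(objectClass=groupPolicyContainer)'
$searcher.PageSize   = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'displayName', 'gPCFileSysPath',
    'gPCMachineExtensionNames', 'gPCUserExtensionNames', 'versionNumber', 'whenChanged'))

$report = foreach ($r in $searcher.FindAll()) {
    $p        = $r.Properties
    $cn       = [string](Get-LdapValue $p 'cn')              # GPC GUID, e.g. {...}
    $gptPath  = [string](Get-LdapValue $p 'gpcfilesyspath')
    $adVer    = [int](Get-LdapValue $p 'versionnumber')
    $findings = New-Object System.Collections.Generic.List[string]

    # Check 1 (heuristic): the template should live at \\<host>\SYSVOL\<domain>\Policies\<GPC GUID>.
    $expected = '^\\\\[^\\]+\\SYSVOL\\' + [regex]::Escape($domainDns) + '\\Policies\\' + [regex]::Escape($cn) + '\\?$'
    if ($gptPath -notmatch $expected) { $findings.Add("gPCFileSysPath outside expected SYSVOL location: $gptPath") }

    # Check 2 (heuristic): GPC version in AD vs Version= in GPT.ini on SYSVOL. A persistent
    # mismatch means the template on disk and the container were not updated together.
    $ini = Join-Path $gptPath 'GPT.ini'
    if (Test-Path -LiteralPath $ini) {
        $iniVer = $null
        foreach ($l in Get-Content -LiteralPath $ini) {
            if ($l -match '^Version=(\d+)') { $iniVer = [int]$Matches[1]; break }
        }
        if ($null -ne $iniVer -and $iniVer -ne $adVer) { $findings.Add("version mismatch: AD=$adVer GPT.ini=$iniVer") }
    } else {
        $findings.Add("GPT.ini not readable at $ini")
    }

    # Check 3: every CSE GUID the policy references should resolve to a local GPExtensions entry.
    $machine = @(ConvertFrom-GpExtensionNames (Get-LdapValue $p 'gpcmachineextensionnames'))
    $user    = @(ConvertFrom-GpExtensionNames (Get-LdapValue $p 'gpcuserextensionnames'))
    $names   = @{}
    foreach ($e in ($machine + $user)) {
        if ($Cse.ContainsKey($e.Cse)) { $names[$e.Cse] = "$($Cse[$e.Cse].Name) ($($Cse[$e.Cse].Dll))" }
        else { $names[$e.Cse] = '<no GPExtensions entry on this host>'; $findings.Add("unknown CSE GUID $($e.Cse)") }
    }

    # Where is it linked? gpLink on OUs/domain in this naming context (site links live in the
    # configuration partition and are not covered here).
    $links = New-Object System.DirectoryServices.DirectorySearcher
    $links.SearchRoot = [ADSI]"LDAP://$domainDn"
    $links.Filter     = "(gPLink=*$cn*)"
    [void]$links.PropertiesToLoad.Add('distinguishedName')
    $linkedTo = @($links.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] })

    [pscustomobject]@{
        Name        = [string](Get-LdapValue $p 'displayname')
        Guid        = $cn
        Changed     = Get-LdapValue $p 'whenchanged'
        LinkedTo    = $linkedTo
        MachineCSEs = @($machine | ForEach-Object { $names[$_.Cse] })
        UserCSEs    = @($user    | ForEach-Object { $names[$_.Cse] })
        Findings    = $findings
    }
}

# Full inventory is in $report; show only policies with something to look at.
$report | Where-Object { $_.Findings.Count -gt 0 } | Format-List
```

Run it from an elevated or at least domain-authenticated session on a workstation or member server; baseline the output once, then diff later runs, since a new policy with a Scripts or Scheduled Tasks CSE linked to a broad OU, or a GPT path that no longer points under the domain's SYSVOL, is exactly the kind of change the post describes attackers making.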