Detections
Analytics

GPO Execution Sanity

high

Language:

Description

CSEs are components that generally will be executed with very high privileges on a domain machine during the GPO application. Hence, it is essential to ensure that every Client-Side Extension (CSE) contained in a GPO is sane and has been certified by a trusted party.

It is also crucial that all GPO files retrieved by domain computers originate from a safe place, before anything is applied.

Solution

You should remove unknown CSEs that are considered dangerous or add them to the whitelist if you accept the risk. The GpcFileSysPath attribute should point towards a safe location such as the SYSVOL share share.

See Also

Microsoft Open Specification on Group Policy Object

Microsoft Open Specification on Client-Side Extension

MS15-011 bulletin regarding "UNC Hardened Access"

GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more!

Sending GPOs Down the Wrong Track-Redirecting the GPT

Exploiting AD gpLink for Good or Evil

Additional explanations about GPOs and their dangers

Indicator Details

Name: GPO Execution Sanity

Codename: C-GPO-EXEC-SANITY

Severity: High

MITRE ATT&CK Information:

Tactics: TA0008, TA0003

Attacker Known Tools

Synacktiv: GPOddity