Group Policy is an extremely powerful component of Microsoft Active Directory (AD). That makes it a vital tool for IT and cybersecurity professionals — and an increasingly common target of attackers. Indeed, adversaries are abusing Group Policy objects (GPOs) with such regularity that threat intelligence firm Mandiant devotes an entire step of its five-step attack playbook to Group Policy!
The best way to thwart Group Policy attacks is a defense-in-depth approach that covers all the pillars detailed by the NIST Cybersecurity Framework (CSF). This article explains what you need to know: exactly how Group Policy is being attacked today, the specific factors that make Group Policy such an attractive target, and the core strategies your organization can implement to defend your Group Policy — and your business.
The anatomy of real-world cyberattacks that abuse Group Policy
The playbook developed by Mandiant shows how Group Policy abuse fits into a broader cyberattack. While it’s common to think of cyberattacks in terms of their outcomes — such as ransomware encrypting all of a company’s data — the truth is, most cyberattacks unfold carefully over a fairly long period of time. The Mandiant playbook outlines the following five operational phases:
- Living on the edge — First, an adversary needs to get inside the victim’s network. (Of course, malicious insiders can skip this phase altogether, since they’re already inside the network.) Mandiant notes that adversaries often gain (or regain) access to the target environment by compromising edge infrastructure components like routers, VPNs, firewalls and mail servers.
- Living off the land — Once inside, malicious actors want to move through the environment while evading detection. A key technique is to use built-in tools like operating system components and pre-installed software, so that their activity blends in with normal everyday operations.
- Going for the GPO — Typically, cybercriminals start with relatively limited access, such as control over an ordinary user account. But those rights are generally insufficient to accomplish goals like stealing valuable data or bringing operations to a standstill by spreading ransomware beyond one user workstation. Therefore, they spend days, weeks, months or even years carefully working to expand their reach. Abusing Group Policy is an effective strategy for privileged escalation.
- Disrupt and deny — Once adversaries have the access rights they need, they deploy ransomware, file wipers and other malicious payloads. Group Policy can be abused in this operational phase as well, since one of its many legitimate uses is to deploy software across devices in a network.
- Telegraphing “success” — Finally, adversaries use instant messaging services like Telegram to spread a narrative of successful disruption. As Mandiant notes, they do this regardless of the actual impact of the attack.
What does this playbook look like in practice? Let’s review some of recent incidents and see exactly how the malicious actors abused Group Policy once they breached the victim organization.
SwiftSlicer: Abusing Group Policy to distribute malware across networked computers
In January 2023, Ukraine’s national news agency was hit by SwiftSlicer, malware designed to wipe files and even bring down entire Windows domains. The attack was attributed to the Russia-backed group Sandworm.
In this case, Group Policy was used to distribute the malware to multiple computers on the network. In earlier attacks, Sandworm used the same technique of abusing Group Policy to plant other wiper malware, such as HermeticWiper and CaddyWiper.
UNC3810: Abusing Group Policy to both distribute and execute malware
UNC3810, a threat group linked to Russian military intelligence (GRU), has conducted many espionage and disruptive operations against Ukrainian organizations in recent years. One attack against a government agency featured the CADDYWIPER malware, which is designed to enumerate the file system’s physical drives and overwrite file content and partitions with null bytes.
In the incident, UNC3810 abused Group Policy in two ways:
- Like SwiftSlicer, they changed GPOs to deploy the malware on all systems joined to the victim organization’s Active Directory domains.
- They also used Group Policy to create a scheduled task that executed the malware.
Mango Sandstorm: Abusing Group Policy to blind defensive controls and spread to the cloud
In April 2023, Microsoft Threat Intelligence reported an attack by Mango Sandstorm (previously known as Mercury or Muddywater), a malware gang linked to Iran’s Ministry of Intelligence and Security. The incident started in the victim’s on-premises environment and expanded to the cloud, destroying server farms, storage accounts, virtual machines and virtual networks.
In this case, the threat actors abused Group Policy in two ways:
- They modified GPOs to impair the organization’s security controls, which enabled them to stage the malware undetected.
- Like UNC3810, they used Group Policy to register a scheduled task to deploy the ransomware.
Key techniques for abusing Group Policy
These incidents reveal four key goals that adversaries accomplish by abusing Group Policy:
- Avoid detection
- Move from one device or system to others
- Increase their access rights
- Deploy malware
But exactly how do malicious actors use to accomplish these goals? Here are some of the most common techniques.
Disabling defensive controls to avoid detection
Many security solutions have a Group Policy interface. For example, IT pros can use Group Policy to configure and manage some Microsoft Defender Antivirus settings. Unfortunately, adversaries can abuse that capability. For instance, they can exclude certain files or folders from Microsoft Defender Antivirus scans so that they can plant malicious code or other files on the system without being detected and blocked.
Indeed, this type of Group Policy abuse was a key part of the Mango Sandstorm attack described earlier: The group used Group Policy to impair the victim organization’s antivirus software so they could avoid detection while planting and executing their ransomware.
Creating a scheduled task to deploy malware
The Windows Task Scheduler service can run any executable run automatically at a specific time or when a specific event occurs. By combining this capability with Group Policy, administrators can perform a variety of useful tasks, such as executing certain cleanup operations whenever a user logs off. Unfortunately, adversaries can easily abuse this functionality to create a scheduled task to execute malware, as happened both the Mango Sandstorm and UNC3810 incidents.
Moreover, there are other ways to abuse scheduled tasks. For example, an adversary can create an immediate task and run it under an AD user account: The task will run as soon as the user logs on, start any executable that the account has privileges to run, and then will remove itself. This technique can both enable lateral movement and privilege escalation; for instance, an adversary could do a credential dump in order to compromise additional accounts. Adversaries can also run tasks as SYSTEM instead of a particular user, if that’s more expedient for their current goals.
What’s more, the activity will be virtually invisible because it runs as a legitimate user; not even the user whose account was abused would know that it happened.
Executing a startup script as SYSTEM
A scheduled task requires an external executable, which can be an obstacle in some cases. To get around this, an adversary can package a script with a GPO and set it to execute at startup or shutdown. In other words, the script is stored within the Group Policy object, giving adversaries a completely self-contained option.
The primary downside to this technique is that the script can be set to run only at startup or shutdown, whereas scheduled tasks can be triggered at a specific time or upon a particular event. As a result, it’s harder for the attacker to know exactly when the script will be executed.
Why Group Policy is a top target
In order to develop effective defense strategies against attacks that leverage Group Policy, it’s useful to consider exactly why Group Policy is such an attractive target for attackers. The key factors are that Group Policy is:
- Ubiquitous — Cybercrime is increasingly a tool of well-organized groups, including ransomware gangs focused on profit and nation-states bent on disruption and destruction. To maximize their effectiveness, these malicious actors target technologies that are used in a high percentage of environments. Group Policy fits the bill perfectly since it is an integral component of Active Directory, and almost every organization today has Active Directory. Even organizations moving workloads to the cloud usually maintain their on-premises Active Directory since they need to support legacy workloads, comply with strict data security requirements and so on.
- Flexible — A GPO does not do anything until it is linked to at least one site, domain, organizational unit (OU) or other Active Directory container. That linking can get quite complex very quickly! Any given container can (and often does) have more than one GPO linked to it. If those GPOs have conflicting settings, there are rules that determine the order in which GPOs are applied and therefore which settings take effect. Adversaries abuse this flexibility; for example, they can alter which GPOs are applied to which devices using Windows Management Instrumentation (WMI) filters.
- Readable by anyone — By design, every user can see not just the GPOs that exist, but also where they’re applied and who has access to them. That means a hacker who takes over any user account can see all that information, too. And since IT teams usually pick descriptive names for objects in Active Directory to simplify administration, attackers can easily find the information they need to direct and hone their attacks.
- Hard to monitor using native auditing — By default, native Group Policy auditing is not enabled. And even if it is, administrators who examine the security log can see that a GPO has been changed but not exactly what change was made. Plus, the details are fairly cryptic; for example, the GPO is identified by its GUID, which is not particularly useful. Finally, there are just not enough IT pros with the deep Active Directory training required to monitor and manage Group Policy using native tools.
- Exceedingly powerful — Group Policy enables IT administrators to centrally manage users and computers across an AD domain, including highly privileged users like IT admins and critical servers like domain controllers (DCs). Moreover, Group Policy offers literally thousands of settings and operates under a very privileged process. By gaining control of Group Policy, adversaries can do just about anything they want, instead of having to spend weeks or months painstakingly trying to complete their mission.
- Often neglected by pen testers — Penetration testers are trained to think like adversaries, but they simply do not have the risk tolerance to behave the way an actual adversary would. After all, attackers want to do damage, while a red team’s goal is to prove that a vulnerability exists without doing any damage. As we have seen, Group Policy is both complex and powerful, and pen testers often lack the expertise to change it effectively, as well as the confidence that they can put it back in order once the testing exercise is complete. As a result, their reports often fail to detail how Group Policy is vulnerable to attacks.
A defense-in-depth approach to protecting your Group Policy
After the Mango Sandstorm attack, Microsoft provided guidance for organizations seeking to improve their defenses. Unfortunately, their advice for protecting Group Policy is simply for organizations to configure their mobile device management (MDM) solution so that clients will ignore Group Policy. That’s not a great solution for multiple reasons; one of most important is that MDM solutions do not apply to servers, which is a huge risk factor with Group Policy.
A better approach to increasing security around Group Policy is a defense-in-depth strategy using a time-tested framework like the NIST CSF. It details five (soon to be six) key functions to pay attention to: Identify, Protect, Govern (in the works), Detect, Respond and Recover. Let’s explore how your organization can improve Group Policy security in each of these key areas.
Identify: Discover GPO attack paths.
It’s critical to know which GPOs apply to your most critical (Tier 0) assets, such as domain controllers and highly privileged users like Domain Admins. But Group Policy is complex — and most organizations do not even have a solid understanding of what Tier 0 assets they have.
SpecterOps Bloodhound Enterprise will automatically catalog your Tier 0 assets for you — and identify all GPOs that apply to any of those Tier 0 assets. Organizations are often shocked at what the analysis reveals. For instance, it’s common to have a server that syncs the on-premises directory to the Microsoft cloud. This server is clearly a critical asset, but often it is not in the same OU as the domain controllers. Instead, it’s buried in some generic servers OU, so the GPOs applied to it are not appropriate to its level of sensitivity. Many organizations also discover that all authenticated users have rights over at least some Group Policy objects. Bloodhound Enterprise presents this information in clear visualizations so you know exactly which policies apply to which assets.
Protect: Lock down your critical GPOs.
You also want to prevent your most critical GPOs from being changed. That way, adversaries will have a harder time gaining control of your IT environment, which is always a good thing. The right change management solution will give you this vital superpower.
Govern: Implement GPO governance.
Organizations of all sizes often have a large number of accounts that can modify Group Policy. That gives adversaries lots of opportunity: By compromising any one of those accounts, they gain control over an incredibly powerful feature of Active Directory.
A great way to mitigate this risk is to invest in a Group Policy management solution. That way, you have a single set of credentials for managing Group Policy. All the delegation is handled within the governance tool. You typically get other valuable benefits as well, such as versioning, rollback capabilities and approval workflows.
Reduce your AD attack surface.
Detect and respond: Use GPO-aware auditing.
You also need advanced Active Directory auditing so you can monitor activity around Group Policy, get real-time alerts on suspicious events, see in detail exactly what changed, and promptly revert unwanted changes and take other response actions. As noted earlier, native auditing simply can’t provide this breadth of visibility and control, but third-party Active Directory auditing solutions can. Make sure that any solution you select is fully GPO-aware.
Recover: Ensure you can restore your Group Policy.
Last but by no means least, you have to be prepared for disaster. Even if an attack does not specifically target your Group Policy, if your Active Directory is wiped out, your GPOs get wiped out with it.
It’s vital to understand that simple backups of your data will not enable you to restore Active Directory and Group Policy. You need an detailed Active Directory disaster recovery strategy, backed by an enterprise-quality Active Directory backup and recovery solution that is fully GPO-aware.
Conclusion
Group Policy is an increasingly common target of attackers — so common that Mandiant devotes an entire step of its five-step playbook to GPOs. The best way to defend your organization is to build defense-in-depth approach that covers all the pillars detailed by the NIST CSF.