Beyond
This is the Beyond page, where additional post-compromise enumeration and assessment are conducted as SYSTEM after compromising the target system.
GPO
Default Domain Policy: Delegation is set to the anirudh user
The task created by pyGPOAbuse can be seen
Literally ANYTHING can be done through GPO as it affects the entire domain
Any form of Write access to Default Domain Policy basically means a complete domain compromise
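A defender-side check for the delegation problem described above, as an added example that is not part of the original notes: it lists every GPO on which a trustee outside an expected baseline holds edit-level rights. The baseline list and the treatment of GpoCustom as write-capable are assumptions; it needs the GroupPolicy module (RSAT) and a domain-joined session.

```powershell
# Added example: audit GPO delegation for edit-level rights held by unexpected trustees.
Import-Module GroupPolicy

# Assumption: trustees expected to hold edit rights in a default domain.
# Adjust this baseline to match your environment.
$ExpectedEditors = @(
    'Domain Admins',
    'Enterprise Admins',
    'SYSTEM',
    'ENTERPRISE DOMAIN CONTROLLERS'
)

# Permission levels that allow changing GPO content or its ACL.
# GpoCustom is included as an assumption: non-standard ACLs can carry
# write rights, so they are flagged for manual review.
$WriteLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Find-RiskyGpoDelegation {
    param(
        [string[]]$Allowed = $ExpectedEditors
    )
    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee on the GPO's delegation tab.
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            $isWrite    = $WriteLevels -contains $p.Permission.ToString()
            $isExpected = $Allowed -contains $p.Trustee.Name
            if ($isWrite -and -not $isExpected) {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    GpoId      = $gpo.Id
                    Trustee    = $p.Trustee.Name
                    TrusteeSid = $p.Trustee.Sid.Value
                    Type       = $p.Trustee.SidType
                    Permission = $p.Permission
                    Inherited  = $p.Inherited
                }
            }
        }
    }
}

# A single user account with edit rights on Default Domain Policy,
# as in the delegation noted above, shows up as one row here.
Find-RiskyGpoDelegation | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```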
Scheduled Tasks
Killexplorer and ShareCheck
Killexplorer Task
Every 5 minutes, executing powershell.exe C:\Users\anirudh\KillExplorer.ps1
C:\Users\anirudh\KillExplorer.ps1
PS C:\Windows\system32> cat C:\Users\anirudh\KillExplorer.ps1
$shell=New-Object -ComObject Shell.Application
$window = $shell.Windows() | Where-Object { $_.LocationURL -like "$(([uri]"C:\DocumentsShare").AbsoluteUri)*" }
$window | ForEach-Object { $_.Quit() }
This just kills the explorer process created by the ShareCheck task below
ShareCheck Task
Every minute, executing explorer.exe "C:\DocumentsShare"