Fortinet Inc.

07/31/2020 | Press release | Distributed by Public on 07/31/2020 18:18

Offense and Defense – A Tale of Two Sides: Group Policy and Logon Scripts

FortiGuard Labs Threat Analysis Report

This is the 4th installment of the 'Offense and Defense - A Tale of Two Sides' blog series, where we focus on different tactics and techniques malicious actors use to complete their cyber missions, and how organizations can detect and ultimately prevent them. If you happened to miss the first three blogs of the series, you can check them out at Offense and Defense - A Tale of Two Sides: PowerShell, Offense and Defense - A Tale of Two Sides: Bypass UAC, and Offense and Defense - A Tale of Two Sides: OS Credential Dumping.


In this blog, we will look at Group Policy Objects (GPOs) in Windows operating systems, and specifically at how they can be used to deploy and execute malicious payloads on target machines within an Active Directory environment. We will also look at ways to reduce the risk of an attacker using this technique. The technique is called Group Policy Modification in the MITRE ATT&CK knowledge base, and it is being actively used these days in targeted ransomware attacks.

Group Policies 101

Simply put, GPOs are a built-in configuration management technology found in Windows and Active Directory. Administrators can use them to perform a variety of admin tasks, such as:

  • General lockdown of systems
  • Security hardening
  • Configuration of Internet Explorer
  • Logon and logoff script changes
  • Drive and printer mappings
  • Setting local administrators (local group membership)

GPOs are stored in two locations:

  1. Group Policy Containers (GPC)

  • GPCs are stored on each domain controller in an Active Directory environment. They contain property information, such as status and versioning information, references to client-side extensions (CSEs), paths to Group Policy Templates (GPT) and software installation packages, and others. It's important to note that GPCs are referenced by a GPO GUID (Globally Unique Identifier).

  2. Group Policy Templates (GPT)

  • The GPT is stored as a file system folder located in the system volume folder (SysVol), in the domain policies subfolder. It contains information about the specific settings you define in the policy itself. This could be security settings, script files, etc.
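To make the two storage locations concrete from a defender's side, here is an added example (not from the original post or from Fortinet): a Python sketch that walks a copy of the SysVol Policies folder, decodes each GPT's GPT.INI version, compares it with the GPC versionNumber supplied by the caller, and lists user logon/logoff scripts from scripts.ini. It assumes the standard GPT layout (GPT.INI and User\Scripts\scripts.ini); the function names, GUID, script name and version values are constructed for illustration.

```python
import configparser, re, tempfile
from pathlib import Path

GUID_DIR = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")  # GPT folders are named by GPO GUID

def read_ini(path):
    """Parse an INI file; scripts.ini is usually UTF-16 with a BOM, GPT.INI is not."""
    raw = path.read_bytes()
    text = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig")
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.read_string(text)  # option names are lower-cased by configparser
    return ini

def audit_gpt(policies_dir, gpc_versions):
    """One finding per GPT folder. gpc_versions maps GPO GUID -> versionNumber
    taken from the GPC in AD (caller-supplied; no LDAP query is made here)."""
    findings = []
    for gpt in sorted(p for p in Path(policies_dir).iterdir() if GUID_DIR.match(p.name)):
        gpt_ini = gpt / "GPT.INI"  # a missing GPT.INI is reported as version 0
        version = read_ini(gpt_ini).getint("General", "Version", fallback=0) if gpt_ini.exists() else 0
        scripts, ini_path = [], gpt / "User" / "Scripts" / "scripts.ini"
        if ini_path.exists():
            ini = read_ini(ini_path)
            for section in ("Logon", "Logoff"):
                if ini.has_section(section):
                    scripts += [(section, v) for k, v in ini.items(section) if k.endswith("cmdline")]
        findings.append({
            "guid": gpt.name,
            "user_version": version >> 16,         # high 16 bits: user settings revisions
            "computer_version": version & 0xFFFF,  # low 16 bits: computer settings revisions
            "version_mismatch": gpc_versions.get(gpt.name) != version,
            "scripts": scripts,
        })
    return findings

def build_sample(root):
    """Constructed sample: one GPT folder with a placeholder GUID and one logon script."""
    guid = "{11111111-2222-3333-4444-555555555555}"
    scripts_dir = Path(root) / guid / "User" / "Scripts"
    scripts_dir.mkdir(parents=True)
    (Path(root) / guid / "GPT.INI").write_text("[General]\nVersion=196610\n")
    (scripts_dir / "scripts.ini").write_text(
        "[Logon]\n0CmdLine=map_drives.bat\n0Parameters=\n", encoding="utf-16")
    return guid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        guid = build_sample(tmp)
        for finding in audit_gpt(tmp, {guid: 196609}):  # constructed GPC version
            print(finding)
```

A version mismatch can also be replication lag between domain controllers, so treat it as a lead to investigate alongside any script entries that do not match your baseline.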