07/31/2020 | Press release | Distributed by Public on 07/31/2020 18:18
FortiGuard Labs Threat Analysis Report
This is the fourth installment of the "Offense and Defense - A Tale of Two Sides" blog series, where we focus on the tactics and techniques malicious actors use to complete their cyber missions, and on how organizations can detect and ultimately prevent them. If you missed the first three blogs of the series, you can check them out at: Offense and Defense - A Tale of Two Sides: PowerShell, Offense and Defense - A Tale of Two Sides: Bypass UAC, and Offense and Defense - A Tale of Two Sides: OS Credential Dumping.
In this blog, we will look at Group Policy Objects (GPOs) in Windows operating systems, specifically how they can be abused to deploy and execute malicious payloads on target machines within an Active Directory environment, and at ways to reduce the risk of an attacker using this technique. The technique is called Group Policy Modification in the MITRE ATT&CK knowledge base (T1484.001, under Domain Policy Modification), and at the time of writing it is actively used in targeted ransomware attacks: once an attacker holds an account that can edit a GPO linked to many computers, a single policy change runs their payload on every machine that applies it.
Simply put, GPOs are the built-in configuration management mechanism of Windows and Active Directory. Administrators use them to perform a variety of admin tasks, such as:
GPOs are stored in two locations:
1. Group Policy Container (GPC): the GPO's object in Active Directory, under CN=Policies,CN=System in the domain partition, holding the GPO's attributes (name, GUID, version number, status) and the access control list that decides who may edit it.
2. Group Policy Template (GPT): a folder in the SYSVOL share, named after the GPO's GUID, holding the actual settings files (GPT.ini, scripts, registry.pol, Preferences XML) that are replicated to every domain controller and read by the clients that apply the policy.
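As an added example, not taken from the FortiGuard post, the following PowerShell script walks both storage locations for every GPO in the domain: it resolves the GPC distinguished name and the matching SYSVOL template folder, looks for the files an attacker would plant to get code execution (startup/logon scripts, scheduled-task and service Preferences, the security template), and lists which principals hold edit rights on the GPO. It assumes the GroupPolicy RSAT module is installed on a domain-joined host with read access to every GPO and to SYSVOL; the function name `Get-GpoStorageReport`, the seven-day review window and the list of payload file paths are the example's own choices.

```powershell
# Added example (not code from the original post): inventory each GPO's two storage
# locations and flag recently modified GPOs that carry executable payload settings.
# Assumes the GroupPolicy RSAT module and a domain-joined session that can read all GPOs.
Import-Module GroupPolicy

function Get-GpoStorageReport {
    param(
        [int]$ModifiedWithinDays = 7   # assumed review window; tune to your change cadence
    )
    $cutoff = (Get-Date).AddDays(-$ModifiedWithinDays)

    foreach ($gpo in Get-GPO -All) {
        $domain = $gpo.DomainName

        # Location 1: the Group Policy Container object in Active Directory.
        $gpcPath = $gpo.Path   # e.g. cn={GUID},cn=policies,cn=system,DC=corp,DC=local

        # Location 2: the Group Policy Template folder replicated through SYSVOL.
        $gptPath = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}"

        # Files under the GPT that make a GPO execute code on the machines it applies to.
        $payloadFiles = @(
            'Machine\Scripts\scripts.ini',
            'Machine\Scripts\psscripts.ini',
            'User\Scripts\scripts.ini',
            'User\Scripts\psscripts.ini',
            'Machine\Preferences\ScheduledTasks\ScheduledTasks.xml',
            'User\Preferences\ScheduledTasks\ScheduledTasks.xml',
            'Machine\Preferences\Services\Services.xml',
            'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        ) | Where-Object { Test-Path (Join-Path $gptPath $_) }

        # Who can change this GPO: anything beyond the built-in admin groups and SYSTEM deserves a look.
        $editors = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission.ToString() -in @('GpoEdit', 'GpoEditDeleteModifySecurity') } |
            ForEach-Object { $_.Trustee.Name }

        # The GPC and GPT each carry a version counter; a mismatch means one side was
        # changed without the other (replication lag, or a hand-edited SYSVOL folder).
        $versionMismatch = ($gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) -or
                           ($gpo.User.DSVersion -ne $gpo.User.SysvolVersion)

        [pscustomobject]@{
            Name            = $gpo.DisplayName
            Id              = $gpo.Id
            GPC             = $gpcPath
            GPT             = $gptPath
            Modified        = $gpo.ModificationTime
            RecentlyChanged = $gpo.ModificationTime -gt $cutoff
            VersionMismatch = $versionMismatch
            PayloadSettings = ($payloadFiles -join ';')
            Editors         = ($editors -join ';')
        }
    }
}

# Triage view: GPOs changed inside the window that now carry a script, task or service setting.
Get-GpoStorageReport -ModifiedWithinDays 7 |
    Where-Object { $_.RecentlyChanged -and $_.PayloadSettings } |
    Format-Table Name, Modified, PayloadSettings, Editors -AutoSize
```

Run it from a scheduled job and diff the output against the previous run: a GPO that suddenly gains a ScheduledTasks.xml or a startup script, or whose editor list grows beyond Domain Admins, Enterprise Admins and SYSTEM, is the footprint this blog series is about. The version comparison is a cheap extra check because an attacker who writes straight into the SYSVOL folder (rather than through the Group Policy editor) tends to leave the GPC version counter untouched.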