An information security expert explains that Grouper is an admittedly unstable PowerShell module designed for use by pentesters and red teamers. It filters the (usually very noisy) XML output of the Get-GPOReport cmdlet and identifies all the settings defined in Group Policy Objects (GPOs) that may be useful to someone trying to do something bad. Here are some examples of the types of things you find in GPOs:
- GPOs whose own permissions allow non-default users to modify the GPO.
- Startup and shutdown scripts. Script arguments often include credentials, and the scripts themselves are often stored with permissions that allow them to be modified.
- MSI installers that are deployed automatically and are often stored somewhere that grants modify permissions.
- Passwords stored in outdated Group Policy Preferences.
- Auto-logon registry entries that contain credentials.
- Other credentials stored in the registry for fun things like VNC.
- Scheduled tasks with stored credentials, which also usually run things from insecure file shares.
- User rights assignments. Useful for detecting where administrators accidentally granted RDP access to “Domain Users”, or granted those fun rights that allow running mimikatz even without administrator privileges.
- Local file permission settings. Good for finding machines where administrators have simply ticked “Full Control” for “Everyone” on “C:\Program Files”.
- File shares
- INI files
- Environment variables
The expert noted that although some function names include the word “audit”, Grouper is not intended to be an exhaustive audit tool; for that, computer security professionals recommend Microsoft SCT, LGPO.exe, or similar.
Let’s talk about usage. First, generate a GPO report on a Windows machine with the Group Policy cmdlets installed. These are installed by default on Domain Controllers, can be installed on Windows clients with RSAT, or can be enabled through the “Add Feature” wizard on Windows Servers.
Get-GPOReport -All -ReportType xml -Path C:\temp\gporeport.xml
Import the Grouper module: Import-Module grouper.ps1
Run Grouper against the report: Invoke-AuditGPOReport -Path C:\temp\gporeport.xml
The information security researchers said there are also a couple of parameters that alter which policy settings Grouper will show you: -showDisabled
By default, Grouper only shows GPOs that are enabled and linked to an organizational unit in AD; this switch toggles that behavior. Grouper also has 3 levels of filtering:
- Show all settings.
- Show only settings that look ‘interesting’ but may or may not be vulnerable.
- Show only settings that are a bad idea and will probably contain credentials or grant administrative control of a host.
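As an added illustration (not Grouper’s own code), the following PowerShell function scans a Get-GPOReport XML file for two of the patterns listed above, GPP items carrying a cpassword attribute and Winlogon auto-logon registry values, and reports which GPO defines them. It assumes the structure produced by Get-GPOReport -ReportType xml (one GPO element per policy with a Name child, GPP items as Properties elements with name/key/value attributes); the function name Find-GpoStoredCredential is made up for this example.

```powershell
function Find-GpoStoredCredential {
    [CmdletBinding()]
    param(
        # Path to a report produced by Get-GPOReport -ReportType xml
        [Parameter(Mandatory)] [string] $Path
    )

    # Load the report as a DOM. local-name() XPath sidesteps the namespace
    # prefixes (q1:, q2:, ...) that Get-GPOReport assigns per extension.
    $report = [xml](Get-Content -LiteralPath $Path -Raw)

    foreach ($gpo in $report.SelectNodes("//*[local-name()='GPO']")) {
        $nameNode = $gpo.SelectSingleNode("*[local-name()='Name']")
        $gpoName  = if ($nameNode) { $nameNode.InnerText } else { '(unnamed GPO)' }

        # Finding 1: Group Policy Preferences items that still carry a cpassword
        # attribute (the obsolete GPP stored-password mechanism). Presence alone
        # is the problem, so the value is deliberately not echoed.
        foreach ($node in $gpo.SelectNodes(".//*[@cpassword]")) {
            [pscustomobject]@{
                GPO     = $gpoName
                Finding = 'GPP cpassword present'
                Detail  = "$($node.LocalName) item, userName='$($node.GetAttribute('userName'))'"
            }
        }

        # Finding 2: auto-logon values pushed under the Winlogon key via registry
        # preferences (assumed attribute names: key, name, value).
        $xpath = ".//*[local-name()='Properties'][contains(@key,'Winlogon')]" +
                 "[@name='AutoAdminLogon' or @name='DefaultUserName' or @name='DefaultPassword']"
        foreach ($node in $gpo.SelectNodes($xpath)) {
            $name  = $node.GetAttribute('name')
            $value = if ($name -eq 'DefaultPassword') { '(value set, not shown)' } else { $node.GetAttribute('value') }
            [pscustomobject]@{
                GPO     = $gpoName
                Finding = 'Winlogon auto-logon value'
                Detail  = "$name = $value"
            }
        }
    }
}

# Example invocation, using the report path from the article:
# Find-GpoStoredCredential -Path C:\temp\gporeport.xml | Format-Table -AutoSize
```

Any GPO it lists should have the stored password removed from the preference item and the affected accounts’ passwords rotated, since the report itself is readable by any domain user.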
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.