
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What AD Sites are and why they matter
Active Directory (AD) Sites group highly connected subnets to optimize replication and authentication. Intra‑site replication runs every ~5 minutes; inter‑site replication occurs over site links (compressed; 180 minutes by default). Site links are transitive by default via site bridges. Sites, subnets, and site links are LDAP objects in the forest‑wide Configuration NC: CN=Sites,CN=Configuration,DC=corp,DC=com. Sites can have Group Po...

🔧 Technical Details

Poison a site‑linked GPO to run code as SYSTEM on DCs: If a GPO is already linked to a Site and you can write to it, inject a payload (e.g., an immediate Scheduled Task) targeting only DCs via a Computer Name filter. Update gPCMachineExtensionNames and bump GPO versions so clients apply it. On next refresh (~5 min), DCs execute your task and grant admin/RCE.

Abuse Site ACLs to change gPLink: With GenericAll/GenericWrite/WriteGPLink on a Site, either link a GPO you control or spoof gPLink to a GPO path under an attacker‑controlled DNS name. Serve a valid GPC (LDAP) and GPT (SMB) so clients/DCs apply your malicious GPO. OUned.py automates cloning, payload injection (GPB module), gPCFileSysPath rewrite, extension names update, version bump, and cleanup.

Forest‑wide lateral movement via Configuration NC: Because Sites live in the writable forest‑replicated Configuration partiti...

🤖 Agent Actions

I analyzed the Synacktiv blog on abusing Active Directory Sites and implemented the relevant techniques into HackTricks.

What I did

  • Explored the Windows/Active Directory section, including:
    • active-directory-methodology/README.md
    • active-directory-methodology/acl-persistence-abuse/README.md
    • active-directory-methodology/bloodhound.md
    • Several other ACL/GPO/Trusts related pages
  • Determined there was no dedicated coverage for abusing AD Sites via gPLink manipulation, fake-domain gPLink spoofing, or the Configuration NC lateral movement path in a practical, tool-driven way.
  • Decided to extend the existing ACL & GPO abuse content rather than create a new file (per guidelines to prioritize updates to existing, most relevant pages and keep content in one file).
  • Added a new, technical section into:
    • src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md

Summary of added content

  • New section: “Abusing AD Sites: gPLink manipulation, Site ACL abuse, and Configuration NC lateral movement”
    • What AD Sites are, where they live (CN=Sites,CN=Configuration,...), why they matter (gPLink on Sites applies to all members, including DCs)
    • Practical Attack 1: Poison a GPO already linked to a Site using GroupPolicyBackdoor.py (Immediate Scheduled Task with Computer Name filter for targeted DC execution)
    • Practical Attack 2: Site ACL abuse to alter gPLink
      • Link a controlled domain GPO to a Site DN via GPB
      • Fake-domain gPLink spoofing using OUned.py (clone GPO, inject GPB module, rewrite gPCFileSysPath, adjust gPCMachineExtensionNames, version bump, serve GPT via embedded SMB, forward LDAP; operational notes and detection tips)
      • Included an abridged config in an expandable to keep the section concise
    • Practical Attack 3: Forest-wide lateral movement via Configuration NC (bypasses SID filtering)
      • Procedure to link a child domain GPO to a forest site to target root DCs using SYSTEM on a child DC and GPB+New-GPLink
      • Timings/replication guidance and network reachability prerequisites
    • Detection and hardening recommendations (monitor gPLink, gPCFileSysPath deviations, CSE changes, review Site ACLs; network/DNS restrictions)
    • Key artifacts: attributes and relevant GUID (Scheduled Tasks CSE)
    • Enumeration: noted BloodHound PR preview changes and linked to the BloodHound page for usage/collectors

References updated

  • Added:
    • Synacktiv blog: Site Unseen: Enumerating and Attacking Active Directory Sites
    • GroupPolicyBackdoor.py
    • OUned.py

Files modified

  • src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md
    • Inserted the new section right before the existing References
    • Appended the three new references at the end

Notes

  • I did not create a new page to keep content focused and avoid duplication; this integrates naturally in the ACL/GPO abuse area.
  • I did not add a cross-link in the BloodHound page to respect the “one file content” constraint. The new section itself references the BloodHound page for enumeration context.

If you want me to add a small cross-link snippet in the BloodHound page pointing back to this new section, I can do that in a follow-up change.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
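The detection guidance summarised in the PR (monitor gPLink on Site objects, gPCFileSysPath deviations, and CSE changes) as an added, stand-alone audit helper; this is example code written for this review, not code from the PR, the Synacktiv post, GroupPolicyBackdoor.py or OUned.py. The site and GPO records are constructed inline in the shape of an LDAP export, and the `TRUSTED_SYSVOL_HOSTS` set is an assumption standing in for the forest's real DC and domain DNS names.

```python
import re

# Group Policy Preferences "Scheduled Tasks" client-side extension GUID; the CSE that
# runs Immediate Tasks. Its presence on a Site-linked GPO (which DCs apply) is flagged.
SCHEDULED_TASKS_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"
# Assumed set of hosts allowed to serve GPT content for this forest (DNS domain name and DCs).
TRUSTED_SYSVOL_HOSTS = {"corp.com", "dc01.corp.com"}
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

def parse_gplink(gplink):
    """Split a gPLink value into (GPO DN, link options) pairs; bit 1 of options = link disabled."""
    return [(dn, int(opts)) for dn, opts in GPLINK_RE.findall(gplink or "")]

def sysvol_host(unc_path):
    """Return the lower-cased server component of a \\\\host\\share\\... UNC path ('' if none)."""
    parts = unc_path.lstrip("\\").split("\\", 1)
    return parts[0].lower() if parts and parts[0] else ""

def audit_site_gplinks(sites, gpos, trusted_hosts=TRUSTED_SYSVOL_HOSTS):
    """Return (site DN, GPO DN, reason) findings for GPOs linked to AD Site objects.
    sites: {site DN: gPLink}; gpos: {lower-cased GPO DN: {attribute: value}}."""
    findings = []
    for site_dn, gplink in sites.items():
        for gpo_dn, options in parse_gplink(gplink):
            gpo = gpos.get(gpo_dn.lower())
            if gpo is None:  # spoofed gPLink: the linked GPC does not exist in this domain
                findings.append((site_dn, gpo_dn, "gPLink points to a GPO not found in the domain"))
                continue
            if options & 1:
                continue  # disabled link, never applied
            host = sysvol_host(gpo.get("gPCFileSysPath", ""))
            if host not in trusted_hosts:  # GPT redirected away from SYSVOL (gPCFileSysPath rewrite)
                findings.append((site_dn, gpo_dn, f"gPCFileSysPath served from untrusted host {host!r}"))
            if SCHEDULED_TASKS_CSE.lower() in gpo.get("gPCMachineExtensionNames", "").lower():
                findings.append((site_dn, gpo_dn, "Scheduled Tasks CSE registered on a Site-linked GPO"))
    return findings

# Constructed sample objects (not real data): one benign Site-linked GPO, one poisoned.
SAMPLE_SITES = {
    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=com":
        "[LDAP://cn={11111111-1111-4111-8111-111111111111},cn=policies,cn=system,DC=corp,DC=com;0]"
        "[LDAP://cn={22222222-2222-4222-8222-222222222222},cn=policies,cn=system,DC=corp,DC=com;0]"}
SAMPLE_GPOS = {
    "cn={11111111-1111-4111-8111-111111111111},cn=policies,cn=system,dc=corp,dc=com": {
        "gPCFileSysPath": r"\\corp.com\SysVol\corp.com\Policies\{11111111-1111-4111-8111-111111111111}",
        "gPCMachineExtensionNames": "[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}]"},
    "cn={22222222-2222-4222-8222-222222222222},cn=policies,cn=system,dc=corp,dc=com": {
        "gPCFileSysPath": r"\\gpo.untrusted.example\SysVol\corp.com\Policies\{22222222-2222-4222-8222-222222222222}",
        "gPCMachineExtensionNames": "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"}}

if __name__ == "__main__":
    for site, gpo, reason in audit_site_gplinks(SAMPLE_SITES, SAMPLE_GPOS):
        print(f"{site}\n  {gpo}\n  -> {reason}")
```

Feeding it the real objects means exporting gPLink from every entry under CN=Sites,CN=Configuration and the gPCFileSysPath / gPCMachineExtensionNames attributes of each GPO in CN=Policies,CN=System, then diffing the findings between collection runs.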

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites.html

Content Categories: Based on the analysis, this content was categorized under "Windows -> Active Directory -> Group Policy Abuse & ACL Attacks (add a page: 'Abusing AD Sites: gPLink manipulation, Site ACL abuse, and Configuration NC lateral movement') and cross-link under Windows -> Active Directory -> BloodHound".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
