GPO write rights → Immediate scheduled task → SYSTEM on OU
GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
§ Context
Assumed environment: the attacker has GenericWrite on a GPO object or write rights on the SYSVOL\Policies\{GUID}\ folder. The GPO is linked to a target OU (e.g. Domain Controllers, Servers).
§ Steps
- 01 Principal w/ rights on a GPO (Initial Access; T1078 Valid Accounts)
- 02 SYSTEM exec on every targeted host (Execution; T1059 Command and Scripting Interpreter)
- 03
- 04 Identify writable + linked GPO (Discovery; AD-BLOODHOUND BloodHound / SharpHound Enumeration)
  BloodHound GenericWrite/AllExtendedRights edge → OU
- 05 Drop Immediate Scheduled Task XML (Privilege Escalation; AD-GPO-IMMEDIATE GPO Immediate Scheduled Task)
  SharpGPOAbuse --AddComputerTask --GPOName <gpo> --TaskName x --Author 'NT AUTHORITY\SYSTEM' --Command 'cmd.exe' --Arguments '/c …'
§ References
§ Frequently asked
- What is the "GPO write rights → Immediate scheduled task → SYSTEM on OU" attack path?
- GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Principal w/ rights on a GPO (T1078), an initial access primitive. Assumed environment: the attacker has GenericWrite on a GPO object or write rights on the SYSVOL\Policies\{GUID}\ folder.
- What is the final impact of this kill-chain?
- The final step lands on Drop Immediate Scheduled Task XML (AD-GPO-IMMEDIATE), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
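As an added defensive check (not code from this dossier or from SharpGPOAbuse), the Python below parses a Group Policy Preferences ScheduledTasks.xml and flags Immediate tasks whose runAs principal is SYSTEM, which is the artefact step 05 plants under SYSVOL. The element layout (ImmediateTaskV2 / TaskV2, Properties runAs=, Task/Actions/Exec) and the sample file are assumptions constructed for this example.

```python
# Added defensive example (not from the original dossier): scan a GPP
# ScheduledTasks.xml for Immediate tasks that run as SYSTEM. The XML layout
# (<ImmediateTaskV2>/<TaskV2> with <Properties runAs=...> and
# <Task><Actions><Exec>) and the sample file are constructed for this example.
import xml.etree.ElementTree as ET

IMMEDIATE_TAGS = {"ImmediateTask", "ImmediateTaskV2"}
SYSTEM_NAMES = {"nt authority\\system", "system", "s-1-5-18"}

SAMPLE_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="x"
      changed="2024-05-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="x" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author"><Exec><Command>cmd.exe</Command><Arguments>/c whoami</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup"
      changed="2024-05-01 10:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" name="Cleanup" runAs="%LogonDomain%\\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3">
        <Actions Context="Author"><Exec><Command>cleanmgr.exe</Command></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

def find_immediate_system_tasks(xml_text):
    """Return [(task name, runAs, command, arguments)] for every Immediate task
    whose runAs principal is SYSTEM; ordinary TaskV2 entries are ignored."""
    hits = []
    for task in ET.fromstring(xml_text):
        if task.tag not in IMMEDIATE_TAGS:
            continue  # scheduled (non-immediate) tasks are not the pattern here
        props = task.find("Properties")
        if props is None:
            continue
        run_as = props.get("runAs", "")
        if run_as.strip().lower() not in SYSTEM_NAMES:
            continue
        exec_el = props.find("Task/Actions/Exec")
        command = exec_el.findtext("Command", "") if exec_el is not None else ""
        args = exec_el.findtext("Arguments", "") if exec_el is not None else ""
        hits.append((task.get("name", ""), run_as, command, args))
    return hits
```

Run it over every Machine\Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL and alert on any hit, correlating with the GPO's version bump and the account that last wrote the file.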
§ Related dossiers
- Industroyer2 IEC-104 substation hijack (shared techniques: 2)
  Timed payload speaks IEC-60870-5-104 to substation RTUs at an attacker-chosen hour; sends 'open breaker' commands across a substation and blacks out a grid section.
- io_uring UAF → modprobe_path overwrite → root (shared techniques: 2)
  Use an io_uring UAF to land an arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe, which runs the binary as root.
- nf_tables UAF → kernel R/W → root (shared techniques: 2)
  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Leaked legacy VPN credential → ransomware (Colonial-class) (shared techniques: 2)
  A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- BYOVD → kernel-level disable of EDR callbacks (shared techniques: 2)
  From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them; the EDR stops receiving events while still 'running'.
- Process doppelgänging → spawn signed image with attacker bytes (shared techniques: 2)
  Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file, so AV sees only the legitimate signed image at scan time.