ARP Around and Find Out Hijacking GPO UNC Paths for Code Exe... #2186
Open
carlospolop wants to merge 1 commit into master from
🔗 Additional Context
Original Blog Post: https://trustedsec.com/blog/arp-around-and-find-out-hijacking-gpo-unc-paths-for-code-execution-and-ntlm-relay
Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (new subsection under GPO/GPP abuse) or Windows Local Privilege Escalation/AD -> add technique page: "WriteGPLink + UNC path hijack (ARP spoof) for GPO Software Installation SYSTEM RCE & NTLM relay"".
Repository Maintenance:
Review Notes:
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Title/Context
TrustedSec (Austin Coontz, April 30, 2026) documents practical Active Directory attack chains that turn a common OU ACL misconfiguration (WriteGPLink) plus same-L2 access (ARP spoofing) into (1) remote code execution as NT AUTHORITY\SYSTEM via hijacked GPO Software Installation UNC paths, and (2) NTLMv2 capture and potential NTLM relay by hijacking UNC paths used by drive mappings (and similarly logon/startup scripts). The...
🔧 Technical Details
WriteGPLink → forced GPO application (OU gPLink manipulation)
If an attacker-controlled principal has WriteGPLink over an OU, they can modify the OU’s gPLink attribute to link an existing GPO (without editing/creating the GPO). This forces that GPO’s settings to apply to all users/computers in the OU, enabling abuse of any “dangerous” pre-existing configurations (software install, drive maps, startup/logon scripts) discovered by reading SYSVOL and correlating GPO GUIDs to targets via BloodHound.
GPO Software Installation UNC hijack → SYSTEM execution
When a Software Installation policy references an MSI via a UNC hostname path (e.g., \\HOST\share\package.msi), an attacker on the same L2 segment can ARP spoof the UNC host’s IP to redirect SMB traffic to the attacker machine, bind the victim IP locally (ip addr add X/32 dev IFACE), and serve an SMB share (e.g., Impacket smbserver.py) containin...
🤖 Agent Actions
I’m mapping the AD/GPO-related parts of the repo first, then I’ll read the closest existing pages before deciding whether this belongs in an existing GPO abuse page or needs a new technique page.
I found existing coverage for gPLink, SYSVOL parsing, NTLM relay, and GPP abuse, so I’m reading those pages now to avoid creating redundant content and to pick one precise file for the addition.
The closest existing target is the AD ACL/GPO abuse page. It already covers direct GPO modification and SYSVOL script poisoning, but not the narrower WriteGPLink plus UNC-host hijack path, so I’m checking that section in detail before patching it.
I’ve read the main candidate pages and the gap is narrowing: current coverage explains direct GPO editing and SYSVOL poisoning, but not linking an existing GPO and hijacking its remote UNC dependency over L2. I’m verifying that against the original blog now so the patch stays narrowly scoped and technical.
The blog is accessible, but the initial fetch is mostly page chrome. I’m extracting the embedded article text and cross-checking with adjacent GPO research so the final addition stays about the technique, not the specific writeup.
I’ve confirmed this is new enough to add. I’m patching the AD ACL/GPO abuse page with a compact WriteGPLink + UNC path hijack subsection so the technique sits next to the existing GPO delegation material instead of scattering it across multiple files.
The patch is in place. I’m re-reading the edited section and the file ending now to verify the placement, wording, and references stay consistent with HackTricks style and that nothing redundant or malformed slipped in.
Updated README.md under the existing GPO delegation abuse section.
The new subsection documents the missing technique: abusing WriteGPLink to link an existing UNC-backed GPO, enumerating viable targets from readable SYSVOL, then hijacking the referenced host over L2 to get either MSI-based SYSTEM execution, drive-map NTLM capture with SMB-to-WebDAV relay potential, or logon/startup script execution. I kept it in a single file, added concise commands, and appended the TrustedSec blog to the file’s ## References.
Verification: reviewed the patched section, final references block, and git diff. No automated tests were applicable for this markdown-only change.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
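A defender-side counterpart to the gPLink and UNC-dependency points in the Technical Details above, added here as an example (not code from this PR, from HackTricks, or from the TrustedSec post): it diffs an OU's gPLink against a baseline snapshot to surface GPO links that appeared without a matching change, and inventories the UNC hosts a GPP drive-mapping policy makes clients contact over SMB. The gPLink entry format and the Drives.xml Properties attributes follow their documented layouts; every GUID, domain and host name below is a constructed placeholder.

```python
import re
import xml.etree.ElementTree as ET

# gPLink holds one "[LDAP://<GPO DN>;<options>]" entry per linked GPO.
# Options bit 0 = link disabled, bit 1 = link enforced.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
UNC_HOST_RE = re.compile(r"^\\\\([^\\]+)\\")  # host part of \\host\share\...

def parse_gplink(gplink):
    """Split an OU's gPLink value into per-link dicts (dn, disabled, enforced)."""
    links = []
    for dn, opts in GPLINK_RE.findall(gplink or ""):
        opt = int(opts)
        links.append({"dn": dn.lower(),
                      "disabled": bool(opt & 1),
                      "enforced": bool(opt & 2)})
    return links

def newly_linked_gpos(baseline_gplink, current_gplink):
    """Active links present now but absent from the baseline snapshot.

    A link showing up here with no corresponding change ticket is what a
    WriteGPLink abuse looks like from the directory side.
    """
    before = {link["dn"] for link in parse_gplink(baseline_gplink)}
    return [link for link in parse_gplink(current_gplink)
            if link["dn"] not in before and not link["disabled"]]

def drive_map_unc_hosts(drives_xml):
    """Map each GPP drive letter to the UNC host clients will reach for it."""
    hosts = {}
    for props in ET.fromstring(drives_xml).iter("Properties"):
        m = UNC_HOST_RE.match(props.get("path", ""))
        if m:
            hosts[props.get("letter", "?")] = m.group(1).lower()
    return hosts

# Constructed sample data: GUIDs, domain and host names are placeholders.
BASELINE = ("[LDAP://cn={11111111-2222-3333-4444-555555555555},"
            "cn=policies,cn=system,DC=corp,DC=example;0]")
CURRENT = BASELINE + ("[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},"
                      "cn=policies,cn=system,DC=corp,DC=example;2]")
DRIVES_XML = r"""<Drives>
<Drive name="X:"><Properties action="U" path="\\fileserver01\share" letter="X"/></Drive>
<Drive name="Y:"><Properties action="U" path="\\192.0.2.10\public" letter="Y"/></Drive>
</Drives>"""

if __name__ == "__main__":
    for link in newly_linked_gpos(BASELINE, CURRENT):
        print("unexpected GPO link:", link["dn"], "(enforced)" if link["enforced"] else "")
    for letter, host in drive_map_unc_hosts(DRIVES_XML).items():
        print(f"drive {letter}: clients will contact {host} over SMB")
```

Run the gPLink diff against a stored snapshot of each OU and review every new entry; the host inventory tells you which UNC targets a linked GPO makes every client in that OU depend on.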