Audit and identify vulnerabilities in GPOs (SYSVOL)
Active Directory (AD) security remains a major concern for organizations running a Windows environment, and it represents a significant workload.
Fortunately, tools exist to audit directory objects, their settings, and sometimes even basic GPO settings (such as autologon) as well as ACLs. However, no solution addresses the content of GPOs, in particular the files stored in the Sysvol shared folder, which has often been misused over the years.
This folder contains binaries, archives, logs, scripts, and sometimes even configurations that redirect logs or write files. Because every domain member can read it, it is a real entry point for an attacker, who could leverage its content to take control of the directory or to pivot to other vulnerabilities for malicious purposes.
It is in this context that HardenSysvol was created, in order to strengthen the security of this folder and to protect the GPOs from unauthorized exploitation.
HardenSysvol is an open source solution developed in PowerShell, created by the HardenAD community, made up of Microsoft MVPs as well as other security experts and enthusiasts.
The objective is to meet a specific market need around AD security by complementing existing solutions. This module allows you to explore the entire contents of the Sysvol folder, including GPOs, and scan its contents for vulnerabilities.
The major features of HardenSysvol are outlined below:
HardenSysvol scans the contents of multiple file types (scripts such as BAT, Python, PowerShell and VBS, as well as documents such as PDF, DOCX, DOC, Excel, OpenOffice, etc.) to detect sensitive information such as passwords, hashes, and other confidential data.
HardenSysvol checks the file signature (magic bytes) of more than 180 known file extensions to determine whether the content matches the extension. This detects malicious files that have been renamed, such as an EXE disguised as a TXT file.
HardenSysvol reviews certificates to identify those that are unprotected or contain exportable keys. It also spots Excel files that contain macros and unsigned binaries, making auditing easier.
HardenSysvol deeply scans images for the presence of hidden binaries (such as ZIP, RAR, EXE, MSI, DLL, etc.) and flags cases where steganography has been used by attackers to conceal malicious files.
To better understand the interest and the need to audit your Active Directory (AD) with HardenSysvol, let's carry out a simple test together.
Creating an image that contains a malicious file :
First, append a binary or compressed file to an image using the following command, and then place the resulting file in your Sysvol share or in a GPO (for example, the logon GPO). The aim is to assess how much of a threat a file readable by the entire fleet can represent.
copy /B picture.jpg + File.exe New_picture.jpg
Then, to take the experiment a step further, rename a well-known file extension, such as .dll, .exe, .msi, or .pdf, to a more innocuous one such as .txt, .config, or .ini, in order to evade detection by your defense solutions.
You can also create a VBS script or any other file such as .txt, .bat, or .ps1 by inserting a plaintext password or hash. Here is the script we have chosen for this demo :
The .txt file contains an empty password variable, which is a false positive. HardenSysvol is able to recognize this false positive while still spotting an IP address and a SHA1 hash in the same file.
I added other infected elements to show the potential of the tool.
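To make the checks behind this demo concrete, here is an added Python example written for this walkthrough. It is illustrative code, not HardenSysvol's own implementation, and covers only a small subset of its checks: it recreates the test files above as constructed byte strings in a scratch folder, then applies three checks to each file: the file signature (magic bytes) against the extension, a walk of the JPEG segment structure to find data appended after the real End-Of-Image marker (the `copy /B` trick), and a keyword scan that reports an empty password assignment under its own label so it can be set aside as a false positive. The signature table, the keyword regexes, the file names and the sample contents (a fake PE header, a minimal JPEG structure, the logon.txt lines) are all assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumed subset of file signatures (magic bytes) for types the article lists.
MAGIC = {
    "exe": b"MZ", "dll": b"MZ", "msi": b"\xd0\xcf\x11\xe0", "pdf": b"%PDF",
    "zip": b"PK\x03\x04", "docx": b"PK\x03\x04", "rar": b"Rar!\x1a\x07",
    "7z": b"7z\xbc\xaf\x27\x1c", "jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
}
TEXT_EXT = {"txt", "ini", "config", "bat", "ps1", "vbs", "py", "csv", "xml", "reg"}
PWD_RX = re.compile(r"(?i)\b(password|passwd|pwd|mdp|motdepasse)\b\s*[=:]\s*"
                    r"(\"([^\"]*)\"|'([^']*)'|(\S+))?")     # value may be quoted or empty
SHA1_RX = re.compile(r"\b[0-9a-fA-F]{40}\b")
IPV4_RX = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def check_signature(path, head):
    """'Binary not match': the header contradicts the extension (an EXE renamed
    to .jpg), or a text extension carries a known binary header (EXE as .txt)."""
    ext = path.suffix.lstrip(".").lower()
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return f"no {ext} header"
    if ext in TEXT_EXT:
        for real, sig in MAGIC.items():
            if head.startswith(sig):
                return f"is really a {real}"
    return None


def jpeg_trailing(data):
    """Walk the JPEG segments to the real EOI marker (FF D9) and return what follows
    it; None if not a JPEG or truncated. rfind(b'\\xff\\xd9') would be fooled by an
    appended payload that itself contains FF D9."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                                  # fill byte
            pos += 1
        elif marker == 0xD9:                                # EOI: the image ends here
            return data[pos + 2:]
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn: no length field
            pos += 2
        else:
            if pos + 4 > len(data):
                return None
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:      # SOS: skip entropy data (FF 00 = stuffing, FF D0-D7 = RSTn)
                while pos + 1 < len(data) and not (data[pos] == 0xFF and
                        data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    return None


def scan_text(data):
    """Keyword hits; an empty password assignment (the demo's false positive) gets its own label."""
    text = data.decode("utf-8", errors="replace")
    hits = []
    for m in PWD_RX.finditer(text):
        value = m.group(3) or m.group(4) or m.group(5) or ""
        hits.append(("password" if value else "password-empty", m.group(0).strip()))
    hits += [("sha1", m.group(0)) for m in SHA1_RX.finditer(text)]
    hits += [("ipv4", m.group(0)) for m in IPV4_RX.finditer(text)]
    return hits


def audit(root):
    """Return (file name, category, detail) findings for every file under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        mismatch = check_signature(path, data[:8])
        if mismatch:
            findings.append((path.name, "signature", f"Binary not match: {mismatch}"))
        trailing = jpeg_trailing(data) if data.startswith(MAGIC["jpg"]) else None
        if trailing:
            kind = next((k for k, s in MAGIC.items() if trailing.startswith(s)), "unknown")
            findings.append((path.name, "hidden", f"{len(trailing)} bytes after EOI ({kind})"))
        if path.suffix.lstrip(".").lower() in TEXT_EXT:
            findings += [(path.name, cat, val) for cat, val in scan_text(data)]
    return findings


def fake_jpeg():
    """Constructed minimal JPEG layout (SOI, APP0, SOS, entropy bytes with a stuffed
    FF 00 and an RST0, EOI); structurally valid but not a viewable picture."""
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
            b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")


def build_lab(root):
    """Recreate the article's test files with constructed content (assumed names)."""
    root, payload = Path(root), b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"  # fake PE
    (root / "picture.jpg").write_bytes(fake_jpeg())                # clean image
    (root / "New_picture.jpg").write_bytes(fake_jpeg() + payload)  # copy /B picture.jpg + File.exe
    (root / "tool.jpg").write_bytes(payload)                       # EXE renamed to .jpg
    (root / "readme.txt").write_bytes(payload)                     # EXE renamed to .txt
    (root / "logon.txt").write_text('$password = ""\n$server = "10.0.0.5"\n'
                                    "# key id 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\n")
    (root / "deploy.ps1").write_text('$Password = "Winter2024!"\n')  # real plaintext secret


def run_demo():
    """Build the lab in a scratch folder, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_lab(tmp)
        return audit(tmp)
```

`run_demo()` returns one tuple per finding: `New_picture.jpg` is reported for the bytes after its EOI marker (recognised as an EXE by its `MZ` header), `tool.jpg` and `readme.txt` for the signature mismatch, `deploy.ps1` for a real password, and `logon.txt` for the IP address and SHA1 hash plus a separate `password-empty` entry; the clean `picture.jpg` produces nothing. The segment walk is the part worth keeping: a payload that contains `FF D9` itself would defeat a simple search for the last End-Of-Image marker.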
If you launch your usual AD auditing tools now, it is quite possible that none of this will be detected. This is normal, because it falls outside the scope of a classic AD audit. We won't give specific results here, but if this sensitive information is never reported, your fleet may well be vulnerable despite a very high or favorable AD security score.
Now we're going to use HardenSysvol to complete the AD audit. A single command is enough, and no elevated privileges are needed: reading Sysvol only requires a regular domain account.
Prerequisites :
From a PowerShell window, enter the following command :
Install-Module HardenSysvol -Scope CurrentUser -Force
The installation starts automatically. HardenSysvol depends on the PSWriteHTML and PSWriteOffice modules, plus a PDF module, which let it parse Office and PDF files and build the report.
At the end of the installation, the modules can be found under the user's Documents folder (the CurrentUser module path).
Once the installation has completed without errors, all that remains is to start the scan.
As with the installation, a single command is enough to start the scan, from a PowerShell prompt enter the following command :
Invoke-HardenSysvol
The scan is then launched: first, the tool lists the available files, then processes them in separate threads in order to speed up processing.
Reminder: HardenSysvol only reads from the Sysvol share, which is read-only for ordinary domain members, so there is no risk of modifying a GPO or impacting the environment. The tool does not interfere with AD and can be run at any time of the day. Because it only reads files, it is unlikely to trigger EDR alerts, although bulk reads from a share remain visible to file-access auditing.
At the end of the scan, an HTML report is generated and opened directly in the browser.
Note that it is possible to stop the scan at any time using the combination "ctrl + C".
Managing usage errors :
By default, the PowerShell execution policy might block the module from running.
To run the HardenSysvol scan without difficulty, you can bypass the execution policy for that single invocation with the following command:
powershell.exe -ExecutionPolicy Bypass -Command Invoke-HardenSysvol
If the issue persists, contact your administrator to change the PowerShell execution policy restriction.
Before we explore the results, it's important to note that, by default, HardenSysvol supports certain types of extensions commonly found in Sysvol, as well as specific keywords. This scan can be expanded by adding other file types as needed, at any time.
The full list of default keywords, extensions, and binaries to check is available in the project repository. Feel free to check it out or make suggestions to add other default elements.
Supported default extensions:
bat, bmp, cab, class, csproj, config, csv, cer, der, doc, docx, dll, exe, gif, gz, html, ico, ini, jar, jpg, jpeg, jp2, msi, msu, mp3, odp, ods, odt, otf, ott, p7b, p7c, pdf, pfx, png, pol, pptx, ppt, py, ps1, psm1, rar, rdp, reg, rtf, tar, tif, txt, vbs, xls, xlsx, xml, vbsx, webp, zip, 7z
Note that extensions associated with GPO modules, such as adml, adm, and admx, are not integrated by default, as these files often generate many false positives.
The analysis of the report is quite simple. On the main page, you will find a dashboard with a score indicative of the potential risk. Other statistics are also available, including the number of files scanned and detected, the keywords most exposed, as well as the files presenting the most risk. Finally, best practice recommendations are given to strengthen security.
The second tab presents a summary table of the results of suspicious files. False positives can appear, which can be an advantage in a broader detection context.
For example, a variable named password detected in a PowerShell script does not always hold sensitive information. Without some form of semantic analysis (AI or otherwise), it is difficult to tell a real credential from a code example.
It is therefore important to take the time to analyze the results carefully.
You can also view an online demo version of the HardenSysvol report at the following link: Exemple_rapport_HardenSysvol
In the example below, we find unsigned binaries (EXE, MSI, DLL), certificates flagged for their protection, image files containing a hidden archive (such as a ZIP file, with its list of contents), as well as a modified extension, marked "Binary not match". In our case it is an EXE renamed to JPG.
Thanks to the HTML report modules, filters can be applied to hide an extension or a path, in our case the HardenAD module.
As with any solution, HardenSysvol offers additional parameters and options that provide flexibility in use and allow for a broader search. Here is a table of the different options available. For more examples and details, see the project's GitHub page.
| Command | Explanation | Example |
| Addpattern | Adds custom keywords that are not searched for by default. | -Addpattern admins,@mydomaine,hack |
| Removepattern | Removes a keyword from the default search list. | -Removepattern Ipv4,sha1,password |
| Addextension | Adds an extension to be included in the search. | -Addextension adml,admx,adm |
| Ignoreextension | Excludes a default extension from the search. | -Ignoreextension pdf,bat,ps1 |
| Allextensions | Scans all file extensions without exception. | -Allextensions |
| DnsDomain | Targets a specific child domain or domain controller (DC). | -Dnsdomain dc-2 |
| Custompatterns | Uses a custom pattern file, as long as it follows the original .xml format. | -Custompatterns C:\temp\custom.xml |
| Maxfilesize / Maxbinarysize | Maximum size in MB above which files (default 10 MB) and binaries (default 50 MB) are skipped. | -Maxfilesize 5 -Maxbinarysize 10 |
To include as many results as possible, you can use the following command (note that the parameters must be typed with a plain hyphen, not a dash):
Invoke-HardenSysvol -Addpattern admins -Addextension inf,adml,admx,adl
To make sure you don't miss anything, use the -Allextensions switch:
Invoke-HardenSysvol -Allextensions -Addpattern admins
You can also cap the file size. Best practice dictates that Sysvol should not be used as a general file share, so excluding all files larger than 3 MB and all binaries larger than 10 MB makes unwanted items easier to spot. Use the following command to apply these restrictions:
Invoke-HardenSysvol -Allextensions -Maxfilesize 3 -Maxbinarysize 10
These commands produce a broader set of results, probably including some false positives, but they remain useful for refining the analysis and performing a thorough inspection.
Below is a list of the keywords searched for by default :
accesskey, auth, credentials, cred, identifiant, mdp, mdpass, motdepasse, private-key, pwd, secret, ssh-key, token, login, apikey, password, securestring, SHA-1, SHA-256, SHA-512, net user, IPv4
The project repository also holds the list of file signatures (magic bytes) used to identify more than 180 extension types, among them:
doc, xls, msi, ppt, vsd, docx, xlsx, pptx, odp, ods, jar, odt, zip, ott, vsdx, exe, dll, rar, zip, 7z, png, pdf, jpg, jpeg, gif, tif, ico, class, msu, cab, bmp, p7b, p7c, cer, pfx, der, pem, p7b, otf, webp, mp3, gz, tar, jp2, rtf…..
Links: the project's GitHub page and the HardenAD project.
HardenSysvol is the result of several months of work, designed to support and strengthen the security of Active Directory (AD), in addition to the tools already existing on the market. The goal of this project is to make the work of administrators easier while increasing awareness of the importance of AD security.
I would like to warmly thank all the people who contributed to this project, directly or indirectly, starting with IT-Connect and its members, as well as the cybersecurity leaders and enthusiasts who shared their expertise.
Feel free to add your contribution or support the project if it could be helpful for you.