Site Unseen Enumerating and Attacking Active Directory Sites

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites
• Blog Title: Site Unseen: Enumerating and Attacking Active Directory Sites
• Suggested Section: Windows / Active Directory -> GPO & ACL Abuse (BloodHound) -> Abusing Sites and gPLink (WriteGPLink/GenericWrite/GenericAll) for DC compromise

🎯 Content Summary

What AD Sites are and why they matter.
Active Directory (AD) Sites are LDAP objects in the forest-wide Configuration partition that group IP subnets for efficient replication and authentication. They live under CN=Sites,CN=Configuration,DC=.... Intra-site replication runs roughly every 5 minutes; inter-site replication is 180 minutes by default and governed by site links and bridges. Sites can contain domain controllers ("servers" in Sites and Services) from ...

🔧 Technical Details

Site-linked GPO injection: If you can write to a GPO already linked to a Site, inject a malicious configuration (e.g., Immediate Scheduled Task) with a Computer Name filter to target only DCs. This executes as SYSTEM during the ~5‑minute DC GPO refresh, achieving domain compromise. Use GroupPolicyBackdoor’s gpo inject/gpo clean for deployment and rollback.

Abusing Site gPLink write rights: With GenericAll/GenericWrite/WriteGPLink on a Site, either link any controlled GPO, or spoof the Site’s gPLink by appending a GPO DN that resolves to an attacker-controlled host (e.g., DC=s1n,DC=corp,DC=com). Simulate the GPC (LDAP) and GPT (SMB) to deliver the malicious policy. Automate with OUned.py, then restore gPLink.

Cross-domain lateral movement via Configuration NC: Sites reside in the forest‑w...

🤖 Agent Actions

I analyzed the Synacktiv post and the Windows/AD structure in HackTricks, and found that while GPO abuse and ACL techniques are covered, AD Sites and gPLink-specific abuse paths (including WriteGPLink/GenericWrite/GenericAll on Site objects, Site-linked GPO injection, and gPLink spoofing with a fake domain) were not documented. BloodHound support for Sites and Site control edges was also missing.

I updated the most appropriate existing page to keep the content centralized with related GPO/ACL abuse techniques:

• Updated file: src/windows-hardening/active-directory-methodology/acl-persistence-abuse/README.md

• Change: Added a new, concise, highly technical section “Abusing AD Sites and gPLink for DC compromise” that covers:

  • Brief background on Sites (CN=Sites,CN=Configuration,DC=...), gPLink linkage, and why Site scope affects DCs
  • BloodHound enumeration updates for Sites (nodes/edges and attack path modeling)
  • Exploitation scenarios:
    • A) Control an existing Site-linked GPO and inject a targeted Immediate Scheduled Task (GroupPolicyBackdoor usage with Computer Name filter)
    • B) Write rights on Site object (WriteGPLink/GenericWrite/GenericAll):
      • Link an attacker-controlled GPO via GPB
      • gPLink spoofing using a fake-domain GPC/GPT with OUned.py (config snippet included), including inter-site replication timing note (180 min by default)
    • C) Cross-domain movement via Configuration NC: child → root compromise using SYSTEM on a child DC to link a malicious GPO at Site scope (step-by-step with GPB)
  • Detection/Hardening recommendations focused on Site gPLink change monitoring, GPO version increments, and DC GPT fetches to unexpected domains/hosts
  • Tool references: GroupPolicyBackdoor and OUned

• Also appended relevant references to the end of the file:

  • Synacktiv blog
  • GroupPolicyBackdoor
  • OUned
  • BloodHound/SharpHound PRs adding Sites support

No new file was created, and content was kept concise and technical per HackTricks style.

Summary of modifications:

• Inserted new section immediately before “## SYSVOL/NETLOGON Logon Script Poisoning”
• Updated the References section at the end to include the above links

Links and references added:

• https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites
• https://github.com/synacktiv/GroupPolicyBackdoor
• https://github.com/synacktiv/OUned
• Feature: Add collection of Active Directory Sites ACLs and data SpecterOps/SharpHound#186
• Feature: Add collection of Active Directory Sites ACLs and data SpecterOps/SharpHoundCommon#257
• feat: Add visualisation of Active Directory site data SpecterOps/BloodHound#2031

If you want me to add any BloodHound example cypher queries for locating Site-to-DC compromise paths, I can include a short snippet, but I kept the current update focused and aligned with existing structure.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 907
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-attacking-active-directory-sites

Content Categories: Based on the analysis, this content was categorized under "Windows / Active Directory -> GPO & ACL Abuse (BloodHound) -> Abusing Sites and gPLink (WriteGPLink/GenericWrite/GenericAll) for DC compromise".

Repository Maintenance:

• MD Files Formatting: 907 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0