ARP Around and Find Out: Hijacking GPO UNC Paths for…
ID: 87e4ca55-a523-5d6f-a737-162d52f85a86
STIX ID: report--87e4ca55-a523-5d6f-a737-162d52f85a86
Feed Name: TrustedSec blog
This report demonstrates practical TTPs for abusing the Active Directory WriteGPLink permission and UNC-referenced GPO resources to achieve SYSTEM code execution and capture/relay NTLM authentication by combining GPO linking with ARP spoofing; it covers three attacks (MSI deployment spoofing, drive-map spoofing with WebDAV downgrade and NTLM relay, and logon/startup script spoofing), lab procedures, tooling, limitations, and mitigations such as enforcing SMB/LDAP signing, auditing AD ACLs, and hardening layer-2 controls.
