T1552.006: Group Policy Preferences
| View on MITRE ATT&CK | T1552.006 |
|---|---|
| Tactic(s) | Credential Access |
| Associated CAPEC Patterns | Probe System Files (CAPEC-639) |
Data from MITRE ATT&CK®:
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
- Metasploit’s post exploitation module:
post/windows/gather/credentials/gpp - Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)
- gpprefdecrypt.py
On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Mitigations for this technique
MITRE ATT&CK Mitigations
Update Software
Perform regular software updates to mitigate exploitation risk.Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.How to detect this technique
MITRE ATT&CK Data Components
Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )File Access (File)
Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
Suspicious SYSVOL Domain Group Policy Access
Findstr GPP Passwords
Access To Potentially Sensitive Sysvol Files By Uncommon Application
Permission Misconfiguration Reconnaissance Via Findstr.EXE
LSASS Process Reconnaissance Via Findstr.EXE
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.