Credential Access

T1552.006: Group Policy Preferences


T1552.006 · Sub-technique · 1 platform · 2 groups

Description

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)

These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

Metasploit’s post-exploitation module: post/windows/gather/credentials/gpp
Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)
gpprefdecrypt.py

On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s *.xml

Platforms

Windows

Mitigations (3)

M1047: Audit

Search SYSVOL for any existing GPPs that may contain credentials and remove them.(Citation: ADSecurity Finding Passwords in SYSVOL)
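As an added example (not part of this ATT&CK entry or any of the tools it lists), the following Python script implements the audit described above: it walks a copy of SYSVOL, parses the Group Policy Preference XML files, and reports every element that carries a cpassword attribute, without decrypting anything. The directory layout, GPO GUID and file contents are constructed for the demo and the cpassword value is a placeholder, not a real ciphertext.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP preference files that can carry an embedded cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account next to the password; it differs per file type.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpassword(sysvol_root):
    """Walk a SYSVOL tree and list every GPP element that stores a cpassword.
    Returns (relative path, element tag, account name or None) tuples; the
    cpassword value itself is deliberately not returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparsable file: skipped here, worth logging in a real audit
            for parent in root.iter():
                for child in parent:
                    if child.tag == "Properties" and child.get("cpassword"):
                        account = next((child.get(a) for a in ACCOUNT_ATTRS if child.get(a)), None)
                        findings.append((os.path.relpath(path, sysvol_root), parent.tag, account))
    return sorted(findings)


def demo():
    """Build a constructed mini-SYSVOL: one Groups.xml with a cpassword, one clean Drives.xml."""
    root = tempfile.mkdtemp()
    gpo = os.path.join(root, "example.local", "Policies", "{GPO-GUID-PLACEHOLDER}",
                       "Machine", "Preferences")
    os.makedirs(os.path.join(gpo, "Groups"))
    os.makedirs(os.path.join(gpo, "Drives"))
    # Constructed content; the cpassword value is a placeholder, not real ciphertext.
    with open(os.path.join(gpo, "Groups", "Groups.xml"), "w") as f:
        f.write('<Groups><User name="LocalAdmin"><Properties action="U" '
                'userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/></User></Groups>')
    with open(os.path.join(gpo, "Drives", "Drives.xml"), "w") as f:
        f.write('<Drives><Drive name="H:"><Properties action="U" path="\\\\fs\\home"/></Drive></Drives>')
    return find_cpassword(root)


if __name__ == "__main__":
    for path, tag, account in demo():
        print(f"{path}: <{tag}> stores a cpassword for account {account!r}")
```

Run it against the real share by calling find_cpassword on a SYSVOL path (or an offline copy) instead of demo(); any hit is a GPO to clean up.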

M1051: Update Software

Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025)

M1015: Active Directory Configuration

Remove vulnerable Group Policy Preferences.(Citation: Microsoft MS14-025)

Threat Groups (2)

| ID | Group | Context |
| --- | --- | --- |
| G0064 | APT33 | [APT33](https://attack.mitre.org/groups/G0064) has used a variety of publicly available tools like Gpppassword to gather credentials.(Citation: Symant... |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used PowerShell cmdlets `Get-GPPPassword` and `Find-GPOPassword` to find unsecured credenti... |

Associated Software (3)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules Ju... |
| S0194 | PowerSploit | Tool | [PowerSploit](https://attack.mitre.org/software/S0194) contains a collection of Exfiltration modules that can harvest credentials from Group Policy Pr... |
| S9022 | MirrorStealer | Malware | [MirrorStealer](https://attack.mitre.org/software/S9022) can target Group Policy Preferences for credentials.(Citation: Trend Micro Earth Kasha NOV 20... |

Frequently Asked Questions

What is T1552.006 (Group Policy Preferences)?

T1552.006 is a MITRE ATT&CK sub-technique named 'Group Policy Preferences'. It belongs to the Credential Access tactic. Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies all...

How can T1552.006 be detected?

Detection of T1552.006 (Group Policy Preferences) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1552.006?

There are 3 documented mitigations for T1552.006. Key mitigations include: Audit, Update Software, Active Directory Configuration.

Which threat groups use T1552.006?

Known threat groups using T1552.006 include: APT33, Wizard Spider.