T1552.006 Group Policy Preferences Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect GPP credential harvesting via SYSVOL access and decryption tools
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: PowerSploit GPP modules
| where ProcessCommandLine has_any (
    "Get-GPPPassword", "Get-CachedGPPPassword", "Find-GPOPassword",
    "Get-GPPAutologon", "Get-SiteListPassword"
  )
| extend Pattern = "PowerSploit_GPP"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, Pattern
| union (
    // Pattern 2: Search for cpassword string in SYSVOL XML files
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has "cpassword"
        or (ProcessCommandLine has "SYSVOL" and ProcessCommandLine has ".xml")
    | extend Pattern = "GPP_CpasswordSearch"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, Pattern
)
| union (
    // Pattern 3: Direct SYSVOL XML file access
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileRead" or ActionType == "FileAccessed"
    | where (FolderPath has "SYSVOL" or FolderPath has "Policies")
        and (FileName has_any ("Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
                               "Printers.xml", "Services.xml"))
    | where InitiatingProcessFileName !in~ ("System", "svchost.exe")
    | extend Pattern = "GPP_XMLAccess"
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName,
             InitiatingProcessFileName, Pattern
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution File: File Access Network Traffic: Network Share Access

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Group Policy administrators legitimately accessing and reviewing GPP XML files for configuration management
GPMC (Group Policy Management Console) reading GPP XML files during policy editing and backup operations
Active Directory backup tools that read the entire SYSVOL share including GPP XML files
Authorized security assessments explicitly checking for cpassword fields in GPP XML files
Domain controller replication processes synchronizing SYSVOL content between DCs

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  EventCode=1
  (CommandLine="*Get-GPPPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR
   CommandLine="*Find-GPOPassword*" OR CommandLine="*Get-GPPAutologon*" OR
   CommandLine="*cpassword*" OR
   (CommandLine="*SYSVOL*" AND CommandLine="*.xml*"))
| eval AlertType="GPP_CommandExec"
| table _time, host, User, Image, CommandLine, AlertType
)
OR
(
  sourcetype="WinEventLog:Security" (EventCode=5140 OR EventCode=5145)
  (Share_Name="\\\\*\\SYSVOL" OR Object_Name="*\\Policies\\*" OR
   Object_Name="*Groups.xml*" OR Object_Name="*ScheduledTasks.xml*" OR
   Object_Name="*DataSources.xml*" OR Object_Name="*Printers.xml*")
  NOT Account_Name IN ("SYSTEM", "*$")
| eval AlertType="GPP_SYSVOLAccess"
| table _time, host, Account_Name, Client_Address, Share_Name, Object_Name, AlertType
)
OR
(
  EventCode=1
  (Image="*\\gpprefdecrypt*" OR CommandLine="*gpprefdecrypt*" OR CommandLine="*AES-256*SYSVOL*")
| eval AlertType="GPP_DecryptionTool"
| table _time, host, User, Image, CommandLine, AlertType
)
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Network Traffic: Network Share Access Sysmon Event ID 1 Windows Security Event ID 5140, 5145

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Group Policy administrators accessing GPP XML files for configuration management
GPMC reading GPP XML files during policy editing
Active Directory backup tools reading SYSVOL share
Authorized security assessments checking for cpassword in GPP XML
Domain controller replication synchronizing SYSVOL

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line : ("*Get-GPPPassword*", "*Get-CachedGPPPassword*",
                              "*Find-GPOPassword*", "*Get-GPPAutologon*",
                              "*Get-SiteListPassword*", "*cpassword*", "*gpprefdecrypt*")
      or (process.command_line : "*SYSVOL*" and process.command_line : "*.xml*")
    )
  )
  or
  (
    event.category == "file" and event.type in ("access", "change") and
    file.path : ("*\\SYSVOL\\*", "*\\Policies\\*") and
    file.name : ("Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
                 "Printers.xml", "Services.xml") and
    not process.name : ("System", "svchost.exe", "lsass.exe", "gpupdate.exe")
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat (file integrity module)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Group Policy administrative tools (GPMC, RSoP) run by AD administrators legitimately read SYSVOL XML files during policy troubleshooting or auditing — filter on known admin accounts and approved workstations.
Automated configuration management platforms (SCCM, Ansible, Puppet) may enumerate SYSVOL policies during inventory or compliance scanning — create allowlists by service account and source host.
Security scanning tools (Tenable Nessus, Qualys) running GPP auditing checks as part of credential exposure assessments will trigger the cpassword and XML access patterns — correlate with scheduled scan windows and scanner IPs.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  "CommandLine" AS CommandLine,
  "Image" AS ProcessImage,
  "Object_Name" AS ObjectName,
  "Share_Name" AS ShareName,
  CASE
    WHEN "CommandLine" ILIKE '%Get-GPPPassword%'
      OR "CommandLine" ILIKE '%Get-CachedGPPPassword%'
      OR "CommandLine" ILIKE '%Find-GPOPassword%'
      OR "CommandLine" ILIKE '%Get-GPPAutologon%'
      OR "CommandLine" ILIKE '%Get-SiteListPassword%'
      THEN 'PowerSploit_GPP'
    WHEN "CommandLine" ILIKE '%cpassword%'
      OR ("CommandLine" ILIKE '%SYSVOL%' AND "CommandLine" ILIKE '%.xml%')
      THEN 'GPP_CpasswordSearch'
    WHEN "CommandLine" ILIKE '%gpprefdecrypt%'
      THEN 'GPP_DecryptionTool'
    WHEN (eventid = 5140 OR eventid = 5145)
      AND ("Object_Name" ILIKE '%Groups.xml%'
        OR "Object_Name" ILIKE '%ScheduledTasks.xml%'
        OR "Object_Name" ILIKE '%DataSources.xml%'
        OR "Object_Name" ILIKE '%Printers.xml%'
        OR "Object_Name" ILIKE '%Services.xml%')
      THEN 'GPP_XMLAccess'
    WHEN (eventid = 5140 OR eventid = 5145)
      AND "Share_Name" ILIKE '%SYSVOL%'
      THEN 'GPP_SYSVOLShare'
    ELSE 'GPP_Unknown'
  END AS AlertType
FROM events
WHERE
  (
    LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Event Log%'
  )
  AND (
    (
      eventid = 1
      AND (
        "CommandLine" ILIKE '%Get-GPPPassword%'
        OR "CommandLine" ILIKE '%Get-CachedGPPPassword%'
        OR "CommandLine" ILIKE '%Find-GPOPassword%'
        OR "CommandLine" ILIKE '%Get-GPPAutologon%'
        OR "CommandLine" ILIKE '%Get-SiteListPassword%'
        OR "CommandLine" ILIKE '%cpassword%'
        OR "CommandLine" ILIKE '%gpprefdecrypt%'
        OR ("CommandLine" ILIKE '%SYSVOL%' AND "CommandLine" ILIKE '%.xml%')
      )
    )
    OR (
      eventid IN (5140, 5145)
      AND (
        "Share_Name" ILIKE '%SYSVOL%'
        OR "Object_Name" ILIKE '%\\Policies\\%'
        OR "Object_Name" ILIKE '%Groups.xml%'
        OR "Object_Name" ILIKE '%ScheduledTasks.xml%'
        OR "Object_Name" ILIKE '%DataSources.xml%'
        OR "Object_Name" ILIKE '%Printers.xml%'
        OR "Object_Name" ILIKE '%Services.xml%'
      )
      AND username NOT LIKE '%$'
      AND username NOT ILIKE 'SYSTEM'
      AND username NOT ILIKE 'ANONYMOUS LOGON'
    )
  )
ORDER BY starttime DESC
LAST 1 DAYS

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log Sysmon Event Log

Required Tables

events

False Positives

Domain controllers and member servers running Group Policy Client Service (gpsvc) access SYSVOL XML files on every policy refresh cycle (default every 90 minutes) — machine accounts (username ending in $) are excluded but edge cases may exist for non-standard service accounts.
IT administrators running Group Policy Management Console (GPMC.msc) or PowerShell Group Policy cmdlets (Get-GPO, Get-GPOReport) access SYSVOL XML files for legitimate administration — correlate with known admin accounts and jump-host source IPs.
Microsoft Baseline Security Analyzer (MBSA) and third-party AD audit tools (Semperis, Tenable.ad, Varonis) perform scheduled SYSVOL enumeration for compliance reporting — baseline expected scan times and source IPs and suppress during scheduled windows.

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "5140", "5145")
// Parse GPP-relevant command-line indicators
| parse regex field=CommandLine "(?i)(?<gpp_keyword>Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword|cpassword|gpprefdecrypt)" nodrop
// Parse SYSVOL XML access pattern from command line
| parse regex field=CommandLine "(?i)(?<sysvol_cmd>SYSVOL)" nodrop
| parse regex field=CommandLine "(?i)(?<xml_ext>\.xml)" nodrop
// Parse GPP XML filenames from share access events
| parse regex field=Object_Name "(?i)(?<gpp_file>Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml)" nodrop
// Parse SYSVOL share name
| parse regex field=Share_Name "(?i)(?<sysvol_share>SYSVOL)" nodrop
// Filter: keep only events matching at least one GPP indicator
| where !isNull(gpp_keyword)
    OR (!isNull(sysvol_cmd) AND !isNull(xml_ext))
    OR !isNull(gpp_file)
    OR !isNull(sysvol_share)
// Exclude legitimate system accounts from share-access events
| where !(EventCode in ("5140","5145") AND (Account_Name matches ".*\$$" OR Account_Name = "SYSTEM" OR Account_Name = "ANONYMOUS LOGON"))
// Classify detection pattern
| if (!isNull(gpp_keyword) AND gpp_keyword matches "(?i)Get-GP.*|Find-GPO.*",
      "PowerSploit_GPP",
      if (!isNull(gpp_keyword) AND gpp_keyword = "cpassword",
          "GPP_CpasswordSearch",
          if (!isNull(gpp_keyword) AND gpp_keyword = "gpprefdecrypt",
              "GPP_DecryptionTool",
              if (!isNull(sysvol_cmd) AND !isNull(xml_ext),
                  "GPP_SYSVOLCommandSearch",
                  if (!isNull(gpp_file) OR !isNull(sysvol_share),
                      "GPP_XMLFileAccess",
                      "GPP_Other"))))) as AlertType
| fields _time, host, User, Account_Name, Image, CommandLine, Object_Name, Share_Name, AlertType
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon (via Sumo Logic Windows collector) Windows Security Event Log (via Sumo Logic Windows collector)

Required Tables

windows event log sources sysmon sources

False Positives

Group Policy infrastructure processes on domain controllers (gpupdate, gpsvc, svchost hosting the Group Policy Client) access SYSVOL XML files during normal policy refresh — these are excluded via machine account filter but check for service accounts not ending in $ that perform legitimate policy reads.
Enterprise backup agents (Veeam, Commvault, Veritas) with domain-level access may traverse SYSVOL as part of Active Directory backup procedures — correlate alerts with backup job schedules and service account identities.
Red team or purple team exercises executing authorized GPP attack simulations will generate true-positive alerts that must be suppressed — maintain a change management window blocklist correlated with exercise schedules.

Google Chronicle / SecOps

yaral

rule gpp_credential_harvesting {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Group Policy Preferences credential harvesting via PowerSploit GPP modules, cpassword enumeration, SYSVOL XML file access, and gpprefdecrypt tool execution (T1552.006)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.006"
    mitre_attack_technique_name = "Unsecured Credentials: Group Policy Preferences"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1552/006/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Microsoft"
    (
      re.regex($e.target.process.command_line,
        `(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword)`)
      or re.regex($e.target.process.command_line, `(?i)cpassword`)
      or re.regex($e.target.process.command_line, `(?i)gpprefdecrypt`)
      or (
        re.regex($e.target.process.command_line, `(?i)SYSVOL`)
        and re.regex($e.target.process.command_line, `(?i)\.xml`)
      )
    )

  condition:
    $e
}

rule gpp_sysvol_xml_file_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects direct file read access to GPP XML credential files (Groups.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Services.xml) in SYSVOL by non-system processes (T1552.006)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.006"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_READ"
    $e.metadata.vendor_name = "Microsoft"
    re.regex($e.target.file.full_path,
      `(?i)(Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml)`)
    re.regex($e.target.file.full_path, `(?i)(SYSVOL|\\Policies\\)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(System32\\svchost\.exe|System32\\lsass\.exe|System32\\gpupdate\.exe|System32\\csrss\.exe)`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Microsoft Windows endpoint telemetry via Chronicle forwarder Google Workspace activity logs (supplementary)

Required Tables

PROCESS_LAUNCH UDM events FILE_READ UDM events

False Positives

Group Policy Client Service (svchost.exe hosting gpsvc) and gpupdate.exe access SYSVOL XML files during legitimate policy refresh on all domain-joined endpoints — both are excluded in Rule 2 but verify the exclusion list covers your environment's policy processing binaries.
Active Directory health monitoring solutions (Microsoft AD Health Monitor, SolarWinds Server & Application Monitor, Netwrix Auditor) with privileged domain read access regularly scan SYSVOL for configuration drift and compliance reporting — baseline these tool identities in UDM principal fields and suppress.
Penetration testing engagements and red team exercises authorized by the organization will generate high-fidelity true-positive alerts for all rule branches — coordinate suppression windows with the security team during scheduled assessments.

CrowdStrike LogScale (CQL)

cql

// GPP Credential Harvesting — T1552.006
// Pattern 1 & 2: Process execution indicators (PowerSploit GPP, cpassword, gpprefdecrypt, SYSVOL+xml)
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword|cpassword|gpprefdecrypt)/
  OR (CommandLine = /(?i)SYSVOL/ AND CommandLine = /(?i)\.xml/)
| case {
    CommandLine = /(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword)/
      | AlertType := "PowerSploit_GPP" ;
    CommandLine = /(?i)gpprefdecrypt/
      | AlertType := "GPP_DecryptionTool" ;
    CommandLine = /(?i)cpassword/
      | AlertType := "GPP_CpasswordSearch" ;
    CommandLine = /(?i)SYSVOL/ AND CommandLine = /(?i)\.xml/
      | AlertType := "GPP_SYSVOLSearch" ;
    *
      | AlertType := "GPP_Other"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, AlertType])
| sort(timestamp, order=desc)

// Pattern 3: File access to GPP XML files (run as separate saved search)
// #event_simpleName = SuspiciousCredentialModuleLoad
// | ImageFileName = /(?i)(Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml)/
//   AND ImageFileName = /(?i)(SYSVOL|Policies)/
// | NOT ImageFileName = /(?i)(svchost\.exe|gpupdate\.exe|csrss\.exe)/
// | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine])
// | sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection CrowdStrike LogScale (Humio) Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives

CrowdStrike Falcon sensor itself reads process command-line telemetry and may generate ProcessRollup2 events for its own enumeration routines — verify sensor version and exclude known Falcon agent process hashes if false triggers occur.
Legitimate PowerShell scripts using GroupPolicy module cmdlets (Get-GPO, Backup-GPO, Import-GPO) may include SYSVOL paths in their command lines as part of authorized AD administration — create suppression rules based on signed script hashes or known admin account SIDs.
Vulnerability assessment tools running CIS benchmark checks or DISA STIG audits against Group Policy will enumerate SYSVOL XML files and reference cpassword strings in their scanning logic — correlate with scheduled assessment windows and scanner host identities in ComputerName.

Group Policy Preferences

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections