T1552.006 Google Chronicle · YARA-L

Detect Group Policy Preferences in Google Chronicle

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP allows administrators to set local accounts and passwords in Active Directory environments. These credentials are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.) with passwords encrypted using AES-256. However, Microsoft publicly released the AES encryption key in 2012 (MS14-025), making any stored cpassword trivially decryptable. Domain users have read access to SYSVOL. Tools include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1552 Unsecured Credentials
Sub-technique: T1552.006 Group Policy Preferences
Canonical reference: https://attack.mitre.org/techniques/T1552/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule gpp_credential_harvesting {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Group Policy Preferences credential harvesting via PowerSploit GPP modules, cpassword enumeration, SYSVOL XML file access, and gpprefdecrypt tool execution (T1552.006)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.006"
    mitre_attack_technique_name = "Unsecured Credentials: Group Policy Preferences"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1552/006/"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.metadata.vendor_name = "Microsoft"
    (
      re.regex($e.target.process.command_line,
        `(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword)`)
      or re.regex($e.target.process.command_line, `(?i)cpassword`)
      or re.regex($e.target.process.command_line, `(?i)gpprefdecrypt`)
      or (
        re.regex($e.target.process.command_line, `(?i)SYSVOL`)
        and re.regex($e.target.process.command_line, `(?i)\.xml`)
      )
    )

  condition:
    $e
}

rule gpp_sysvol_xml_file_access {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects direct file read access to GPP XML credential files (Groups.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Services.xml) in SYSVOL by non-system processes (T1552.006)"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1552.006"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "FILE_READ"
    $e.metadata.vendor_name = "Microsoft"
    re.regex($e.target.file.full_path,
      `(?i)(Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml)`)
    re.regex($e.target.file.full_path, `(?i)(SYSVOL|\\Policies\\)`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(System32\\svchost\.exe|System32\\lsass\.exe|System32\\gpupdate\.exe|System32\\csrss\.exe)`)

  condition:
    $e
}

Two complementary YARA-L 2.0 rules for detecting GPP credential harvesting. Rule 1 (gpp_credential_harvesting) matches PROCESS_LAUNCH events where the command line contains PowerSploit GPP cmdlet names, the cpassword string, the gpprefdecrypt decryption utility, or a combination of SYSVOL and .xml references indicating active file enumeration. Rule 2 (gpp_sysvol_xml_file_access) detects FILE_READ events targeting known GPP XML credential stores (Groups.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Services.xml) within SYSVOL or Policies paths, excluding legitimate Windows system processes. Together they cover both the execution and file access dimensions of T1552.006.
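The matching logic of both rules, re-expressed in Python as an added example (this is not code from the original page, from Chronicle, or from Argus): it compiles the same regular expressions, applies them to a handful of constructed UDM-shaped events (the host names, paths and GPO GUID are made up), and reports which rule fires on which event. Running it shows two things a reviewer of these rules would want to confirm: the `metadata.vendor_name = "Microsoft"` constraint silently drops otherwise identical process telemetry tagged with another vendor, and the bare `cpassword` branch fires on any command line that merely contains the string.

```python
import re

# Regular expressions copied from the two YARA-L rules; Python's re accepts the
# same leading (?i) flag and backslash escapes as RE2 for these patterns.
GPP_CMDLETS = re.compile(
    r"(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword)")
CPASSWORD = re.compile(r"(?i)cpassword")
GPPREFDECRYPT = re.compile(r"(?i)gpprefdecrypt")
SYSVOL = re.compile(r"(?i)SYSVOL")
XML_EXT = re.compile(r"(?i)\.xml")
GPP_XML_FILES = re.compile(
    r"(?i)(Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml)")
SYSVOL_OR_POLICIES = re.compile(r"(?i)(SYSVOL|\\Policies\\)")
SYSTEM_PROCESSES = re.compile(
    r"(?i)(System32\\svchost\.exe|System32\\lsass\.exe|System32\\gpupdate\.exe|System32\\csrss\.exe)")


def field(event, path):
    """Read a dotted UDM path from a nested dict; a missing field reads as ''."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur if isinstance(cur, str) else ""


def gpp_credential_harvesting(event):
    """Rule 1: PROCESS_LAUNCH from Microsoft telemetry with a GPP-harvesting command line."""
    if field(event, "metadata.event_type") != "PROCESS_LAUNCH":
        return False
    if field(event, "metadata.vendor_name") != "Microsoft":
        return False
    cmd = field(event, "target.process.command_line")
    return bool(GPP_CMDLETS.search(cmd) or CPASSWORD.search(cmd) or GPPREFDECRYPT.search(cmd)
                or (SYSVOL.search(cmd) and XML_EXT.search(cmd)))


def gpp_sysvol_xml_file_access(event):
    """Rule 2: FILE_READ of a GPP XML store under SYSVOL/Policies by a non-system process."""
    if field(event, "metadata.event_type") != "FILE_READ":
        return False
    if field(event, "metadata.vendor_name") != "Microsoft":
        return False
    path = field(event, "target.file.full_path")
    proc = field(event, "principal.process.file.full_path")
    return bool(GPP_XML_FILES.search(path) and SYSVOL_OR_POLICIES.search(path)
                and not SYSTEM_PROCESSES.search(proc))


def proc_event(event_id, vendor, command_line):
    """Constructed PROCESS_LAUNCH event in the UDM shape the rules reference."""
    return {"metadata": {"id": event_id, "event_type": "PROCESS_LAUNCH", "vendor_name": vendor},
            "target": {"process": {"command_line": command_line}}}


def file_event(event_id, vendor, file_path, process_path):
    """Constructed FILE_READ event in the UDM shape the rules reference."""
    return {"metadata": {"id": event_id, "event_type": "FILE_READ", "vendor_name": vendor},
            "target": {"file": {"full_path": file_path}},
            "principal": {"process": {"file": {"full_path": process_path}}}}


# Constructed sample telemetry; host, domain and GPO GUID are placeholders.
GPO_XML = (r"\\dc01.corp.example\SYSVOL\corp.example\Policies"
           r"\{00000000-0000-0000-0000-000000000000}\Machine\Preferences\Groups\Groups.xml")
SAMPLE_EVENTS = [
    proc_event("ev-1", "Microsoft", r"findstr /S /I cpassword \\dc01.corp.example\SYSVOL\*.xml"),
    proc_event("ev-2", "Microsoft", 'powershell.exe -NoP -C "Get-GPPPassword"'),
    proc_event("ev-3", "Microsoft", r"dir /s \\dc01.corp.example\SYSVOL\*.xml"),
    proc_event("ev-4", "Microsoft", "gpupdate.exe /force"),                 # benign, no branch matches
    proc_event("ev-5", "CrowdStrike", "findstr /S cpassword *.xml"),        # dropped by vendor_name filter
    file_event("ev-6", "Microsoft", GPO_XML, r"C:\Windows\System32\svchost.exe"),          # excluded
    file_event("ev-7", "Microsoft", GPO_XML, r"C:\Users\jdoe\AppData\Local\Temp\gpp.exe"),
]


def evaluate(events):
    """Return (rule_name, event_id) pairs, in event order, for every rule that fires."""
    hits = []
    for ev in events:
        if gpp_credential_harvesting(ev):
            hits.append(("gpp_credential_harvesting", field(ev, "metadata.id")))
        if gpp_sysvol_xml_file_access(ev):
            hits.append(("gpp_sysvol_xml_file_access", field(ev, "metadata.id")))
    return hits


if __name__ == "__main__":
    for rule, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {event_id}")
```

Event ev-5 is the case to note when deploying: if your process telemetry reaches Chronicle through an EDR parser rather than native Windows logs, `vendor_name` will not be `"Microsoft"` and Rule 1 never evaluates the command line, so either widen the vendor constraint or drop it and rely on `event_type` alone.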

Data Sources

  • Google Chronicle SIEM
  • Microsoft Windows endpoint telemetry via Chronicle forwarder
  • Google Workspace activity logs (supplementary)

Required Tables

  • PROCESS_LAUNCH UDM events
  • FILE_READ UDM events

False Positives & Tuning

  • Group Policy Client Service (svchost.exe hosting gpsvc) and gpupdate.exe access SYSVOL XML files during legitimate policy refresh on all domain-joined endpoints — both are excluded in Rule 2 but verify the exclusion list covers your environment's policy processing binaries.
  • Active Directory health monitoring solutions (Microsoft AD Health Monitor, SolarWinds Server & Application Monitor, Netwrix Auditor) with privileged domain read access regularly scan SYSVOL for configuration drift and compliance reporting — baseline these tool identities in UDM principal fields and suppress.
  • Penetration testing engagements and red team exercises authorized by the organization will generate high-fidelity true-positive alerts for all rule branches — coordinate suppression windows with the security team during scheduled assessments.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Search SYSVOL for GPP Credentials with findstr

    Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.

  2. Test 2: PowerSploit Get-GPPPassword

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.

  3. Test 3: Enumerate GPP XML Files in SYSVOL

    Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.

  4. Test 4: Decrypt GPP cpassword with Python

    Expected signal: Sysmon Event ID 1: powershell.exe with AesManaged and cpassword in command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic.
