T1552.006 Elastic Security · Elastic

Detect Group Policy Preferences in Elastic Security

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP allows administrators to set local accounts and passwords in Active Directory environments. These credentials are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.) with passwords encrypted using AES-256. However, Microsoft publicly released the AES encryption key in 2012 (MS14-025), making any stored cpassword trivially decryptable. Domain users have read access to SYSVOL. Tools include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.006 Group Policy Preferences
Canonical reference
https://attack.mitre.org/techniques/T1552/006/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.command_line : ("*Get-GPPPassword*", "*Get-CachedGPPPassword*",
                              "*Find-GPOPassword*", "*Get-GPPAutologon*",
                              "*Get-SiteListPassword*", "*cpassword*", "*gpprefdecrypt*")
      or (process.command_line : "*SYSVOL*" and process.command_line : "*.xml*")
    )
  )
  or
  (
    event.category == "file" and event.type in ("access", "change") and
    file.path : ("*\\SYSVOL\\*", "*\\Policies\\*") and
    file.name : ("Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
                 "Printers.xml", "Services.xml") and
    not process.name : ("System", "svchost.exe", "lsass.exe", "gpupdate.exe")
  )
high severity high confidence

Detects Group Policy Preferences (GPP) credential harvesting via three patterns: (1) PowerSploit GPP cmdlets (Get-GPPPassword, Get-CachedGPPPassword, Find-GPOPassword, Get-GPPAutologon) or gpprefdecrypt tool execution; (2) command-line references to cpassword or SYSVOL combined with XML file extensions indicating active credential search; (3) direct file access to known GPP XML files (Groups.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Services.xml) in SYSVOL or Policies paths by non-system processes. Covers T1552.006 across all major attacker toolsets including PowerSploit, Metasploit, and manual enumeration.

Data Sources

Elastic Endpoint SecurityWinlogbeat with SysmonAuditbeat (file integrity module)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Group Policy administrative tools (GPMC, RSoP) run by AD administrators legitimately read SYSVOL XML files during policy troubleshooting or auditing — filter on known admin accounts and approved workstations.
  • Automated configuration management platforms (SCCM, Ansible, Puppet) may enumerate SYSVOL policies during inventory or compliance scanning — create allowlists by service account and source host.
  • Security scanning tools (Tenable Nessus, Qualys) running GPP auditing checks as part of credential exposure assessments will trigger the cpassword and XML access patterns — correlate with scheduled scan windows and scanner IPs.
Download portable Sigma rule (.yml)

Other platforms for T1552.006

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Search SYSVOL for GPP Credentials with findstr

    Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.

  2. Test 2PowerSploit Get-GPPPassword

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.

  3. Test 3Enumerate GPP XML Files in SYSVOL

    Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.

  4. Test 4Decrypt GPP cpassword with Python

    Expected signal: Sysmon Event ID 1: powershell.exe with AesManaged and cpassword in command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1552.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1552Unsecured Credentials

Related Sub-techniques

T1552.001Credentials In FilesT1552.002Credentials in RegistryT1552.003Bash HistoryT1552.004Private KeysT1552.005Cloud Instance Metadata APIT1552.007Container APIT1552.008Chat Messages

Related Techniques

T1552Unsecured CredentialsT1552.001Credentials In FilesT1552.002Credentials in RegistryT1135Network Share DiscoveryT1021.002SMB/Windows Admin SharesT1078.002Domain AccountsT1484.001Group Policy Modification

Same Tactic: Credential Access

Popular Detections