T1552.006 CrowdStrike LogScale · LogScale

Detect Group Policy Preferences in CrowdStrike LogScale

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP allows administrators to set local accounts and passwords in Active Directory environments. These credentials are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.) with passwords encrypted using AES-256. However, Microsoft publicly released the AES encryption key in 2012 (MS14-025), making any stored cpassword trivially decryptable. Domain users have read access to SYSVOL. Tools include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique.
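Because the risk lives in the XML files themselves, the defensive fix is to find and remove every stored cpassword. As an added example (not code from this page or from any vendor), the Python below parses GPP preference files and reports each cpassword attribute without decrypting it; the sample XML, account names and placeholder value are constructed, and scan_sysvol assumes the Policies tree is reachable as a local path.

```python
import os
import xml.etree.ElementTree as ET

# Preference files that can carry a cpassword attribute: the five named above plus
# Drives.xml, which uses the same field for mapped-drive credentials.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
             "Printers.xml", "Services.xml", "Drives.xml"}
# The attribute naming the account differs between preference types.
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")

# Constructed sample in the Groups.xml layout; the cpassword value is a placeholder,
# not a real encrypted blob. One entry stores a password, the other does not.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin" image="2">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_ENCRYPTED_VALUE" changeLogon="0" noChange="1"
                neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2">
    <Properties action="U" newName="" fullName="" description="" cpassword=""
                changeLogon="0" noChange="1" neverExpires="1" userName="helpdesk"/>
  </User>
</Groups>
"""

def find_cpassword_entries(xml_text, source="<memory>"):
    """Report every element carrying a cpassword attribute, without decrypting it."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if "cpassword" not in elem.attrib:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
        # An empty cpassword stores no password, so it needs no cleanup.
        findings.append({"file": source, "element": elem.tag, "account": account,
                         "has_password": bool(elem.attrib["cpassword"])})
    return findings

def scan_sysvol(policies_root):
    """Walk a mounted SYSVOL Policies tree and collect findings from every GPP file."""
    findings = []
    for dirpath, _, files in os.walk(policies_root):
        for name in files:
            if name in GPP_FILES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings
```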

MITRE ATT&CK

Tactic: Credential Access
Technique: T1552 Unsecured Credentials
Sub-technique: T1552.006 Group Policy Preferences
Canonical reference: https://attack.mitre.org/techniques/T1552/006/

LogScale Detection Query

// GPP Credential Harvesting — T1552.006
// Pattern 1 & 2: Process execution indicators (PowerSploit GPP, cpassword, gpprefdecrypt, SYSVOL+xml)
#event_simpleName = ProcessRollup2
| CommandLine = /(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword|cpassword|gpprefdecrypt)/
  OR (CommandLine = /(?i)SYSVOL/ AND CommandLine = /(?i)\.xml/)
| case {
    CommandLine = /(?i)(Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword)/
      | AlertType := "PowerSploit_GPP" ;
    CommandLine = /(?i)gpprefdecrypt/
      | AlertType := "GPP_DecryptionTool" ;
    CommandLine = /(?i)cpassword/
      | AlertType := "GPP_CpasswordSearch" ;
    CommandLine = /(?i)SYSVOL/ AND CommandLine = /(?i)\.xml/
      | AlertType := "GPP_SYSVOLSearch" ;
    *
      | AlertType := "GPP_Other"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, AlertType])
| sort(timestamp, order=desc)

// Pattern 3: File access to GPP XML files (run as separate saved search)
// #event_simpleName = SuspiciousCredentialModuleLoad
// | ImageFileName = /(?i)(Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml)/
//   AND ImageFileName = /(?i)(SYSVOL|Policies)/
// | NOT ImageFileName = /(?i)(svchost\.exe|gpupdate\.exe|csrss\.exe)/
// | table([timestamp, ComputerName, UserName, ImageFileName, CommandLine])
// | sort(timestamp, order=desc)
Severity: high · Confidence: high

Detects GPP credential harvesting via CrowdStrike Falcon ProcessRollup2 events. The query covers these attack patterns: (1) PowerSploit GPP module execution, matching Get-GPPPassword, Get-CachedGPPPassword, Find-GPOPassword, Get-GPPAutologon, and Get-SiteListPassword cmdlet invocations in process command lines; (2) direct cpassword string enumeration in any command context; (3) the explicit combination of SYSVOL and .xml strings, indicating manual or scripted discovery of GPP XML files; and (4) gpprefdecrypt tool execution for offline decryption of AES-256-encrypted cpassword values. Each match is assigned an AlertType value for triage routing; the case block is evaluated top to bottom, so a command line that matches more than one pattern receives the first matching label. A commented-out supplementary search covers GPP XML file access via module load events. CrowdStrike's native behavioral protection (CRED_THEFT_CPASSWORD) may also fire independently.
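To make the filter stage and the case precedence concrete, here is an added Python re-implementation of the query's logic (not code from this page or from CrowdStrike) run over constructed ProcessRollup2-style events; it shows that a command line matching both cpassword and SYSVOL+.xml gets the earlier GPP_CpasswordSearch label, and that the GPP_Other fallback cannot be reached.

```python
import re
# Patterns mirror the query above; re.I gives the case-insensitive behaviour the
# (?i) flags ask for. Event dicts are constructed, not real Falcon telemetry.
POWERSPLOIT_RE = re.compile(r"Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword"
                            r"|Get-GPPAutologon|Get-SiteListPassword", re.I)
DECRYPT_RE = re.compile(r"gpprefdecrypt", re.I)
CPASSWORD_RE = re.compile(r"cpassword", re.I)
SYSVOL_RE = re.compile(r"SYSVOL", re.I)
XML_RE = re.compile(r"\.xml", re.I)

def matches_filter(cmd):
    """Stage 1 of the query: the CommandLine filter after the #event_simpleName clause."""
    return bool(POWERSPLOIT_RE.search(cmd) or DECRYPT_RE.search(cmd)
                or CPASSWORD_RE.search(cmd)
                or (SYSVOL_RE.search(cmd) and XML_RE.search(cmd)))

def alert_type(cmd):
    """Stage 2: the case{} block. Branches are tried in order and the first hit wins."""
    if POWERSPLOIT_RE.search(cmd):
        return "PowerSploit_GPP"
    if DECRYPT_RE.search(cmd):
        return "GPP_DecryptionTool"
    if CPASSWORD_RE.search(cmd):
        return "GPP_CpasswordSearch"
    if SYSVOL_RE.search(cmd) and XML_RE.search(cmd):
        return "GPP_SYSVOLSearch"
    # Every term of the filter is covered by a branch above, so for events that
    # passed matches_filter this fallback is never reached.
    return "GPP_Other"

def run_detection(events):
    """Filter, label and sort events the way the query's table()/sort() stages do."""
    hits = [dict(e, AlertType=alert_type(e["CommandLine"]))
            for e in events if matches_filter(e["CommandLine"])]
    return sorted(hits, key=lambda e: e["timestamp"], reverse=True)

SAMPLE_EVENTS = [
    {"timestamp": 1, "ComputerName": "WS01", "UserName": "jdoe", "ImageFileName": "findstr.exe",
     "CommandLine": r"findstr /S /I cpassword \\corp.example\SYSVOL\corp.example\Policies\*.xml"},
    {"timestamp": 2, "ComputerName": "WS01", "UserName": "jdoe", "ImageFileName": "powershell.exe",
     "CommandLine": "powershell.exe -Command Get-GPPPassword"},
    {"timestamp": 3, "ComputerName": "ADM01", "UserName": "gpoadmin", "ImageFileName": "powershell.exe",
     "CommandLine": "powershell.exe -Command Get-GPO -All"},                    # benign: no hit
    {"timestamp": 4, "ComputerName": "ADM01", "UserName": "gpoadmin", "ImageFileName": "robocopy.exe",
     "CommandLine": r"robocopy \\dc01\SYSVOL\corp\Policies C:\gpo-backup /E"},  # SYSVOL, no .xml: no hit
    {"timestamp": 5, "ComputerName": "WS02", "UserName": "asmith", "ImageFileName": "cmd.exe",
     "CommandLine": r"cmd /c type \\dc01\SYSVOL\corp\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml"},
]
```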

Data Sources

  • CrowdStrike Falcon Endpoint Protection
  • CrowdStrike LogScale (Humio)
  • Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • CrowdStrike Falcon sensor itself reads process command-line telemetry and may generate ProcessRollup2 events for its own enumeration routines — verify sensor version and exclude known Falcon agent process hashes if false triggers occur.
  • Legitimate PowerShell scripts using GroupPolicy module cmdlets (Get-GPO, Backup-GPO, Import-GPO) may include SYSVOL paths in their command lines as part of authorized AD administration — create suppression rules based on signed script hashes or known admin account SIDs.
  • Vulnerability assessment tools running CIS benchmark checks or DISA STIG audits against Group Policy will enumerate SYSVOL XML files and reference cpassword strings in their scanning logic — correlate with scheduled assessment windows and scanner host identities in ComputerName.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Search SYSVOL for GPP Credentials with findstr

    Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.

  2. Test 2: PowerSploit Get-GPPPassword

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.

  3. Test 3: Enumerate GPP XML Files in SYSVOL

    Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.

  4. Test 4: Decrypt GPP cpassword with Python

    Expected signal: Sysmon Event ID 1: powershell.exe with AesManaged and cpassword in command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic.
