T1552.006 IBM QRadar · QRadar

Detect Group Policy Preferences in IBM QRadar

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP allows administrators to set local accounts and passwords in Active Directory environments. These credentials are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.) with passwords encrypted using AES-256. However, Microsoft publicly released the AES encryption key in 2012 (MS14-025), making any stored cpassword trivially decryptable. Domain users have read access to SYSVOL. Tools include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique.

MITRE ATT&CK

  • Tactic: Credential Access
  • Technique: T1552 Unsecured Credentials
  • Sub-technique: T1552.006 Group Policy Preferences
  • Canonical reference: https://attack.mitre.org/techniques/T1552/006/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  "CommandLine" AS CommandLine,
  "Image" AS ProcessImage,
  "Object_Name" AS ObjectName,
  "Share_Name" AS ShareName,
  CASE
    WHEN "CommandLine" ILIKE '%Get-GPPPassword%'
      OR "CommandLine" ILIKE '%Get-CachedGPPPassword%'
      OR "CommandLine" ILIKE '%Find-GPOPassword%'
      OR "CommandLine" ILIKE '%Get-GPPAutologon%'
      OR "CommandLine" ILIKE '%Get-SiteListPassword%'
      THEN 'PowerSploit_GPP'
    WHEN "CommandLine" ILIKE '%cpassword%'
      OR ("CommandLine" ILIKE '%SYSVOL%' AND "CommandLine" ILIKE '%.xml%')
      THEN 'GPP_CpasswordSearch'
    WHEN "CommandLine" ILIKE '%gpprefdecrypt%'
      THEN 'GPP_DecryptionTool'
    WHEN (eventid = 5140 OR eventid = 5145)
      AND ("Object_Name" ILIKE '%Groups.xml%'
        OR "Object_Name" ILIKE '%ScheduledTasks.xml%'
        OR "Object_Name" ILIKE '%DataSources.xml%'
        OR "Object_Name" ILIKE '%Printers.xml%'
        OR "Object_Name" ILIKE '%Services.xml%')
      THEN 'GPP_XMLAccess'
    WHEN (eventid = 5140 OR eventid = 5145)
      AND "Share_Name" ILIKE '%SYSVOL%'
      THEN 'GPP_SYSVOLShare'
    ELSE 'GPP_Unknown'
  END AS AlertType
FROM events
WHERE
  (
    LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Security%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
    OR LOGSOURCETYPENAME(devicetype) ILIKE '%Microsoft Windows Event Log%'
  )
  AND (
    (
      eventid = 1
      AND (
        "CommandLine" ILIKE '%Get-GPPPassword%'
        OR "CommandLine" ILIKE '%Get-CachedGPPPassword%'
        OR "CommandLine" ILIKE '%Find-GPOPassword%'
        OR "CommandLine" ILIKE '%Get-GPPAutologon%'
        OR "CommandLine" ILIKE '%Get-SiteListPassword%'
        OR "CommandLine" ILIKE '%cpassword%'
        OR "CommandLine" ILIKE '%gpprefdecrypt%'
        OR ("CommandLine" ILIKE '%SYSVOL%' AND "CommandLine" ILIKE '%.xml%')
      )
    )
    OR (
      eventid IN (5140, 5145)
      AND (
        "Share_Name" ILIKE '%SYSVOL%'
        OR "Object_Name" ILIKE '%\\Policies\\%'
        OR "Object_Name" ILIKE '%Groups.xml%'
        OR "Object_Name" ILIKE '%ScheduledTasks.xml%'
        OR "Object_Name" ILIKE '%DataSources.xml%'
        OR "Object_Name" ILIKE '%Printers.xml%'
        OR "Object_Name" ILIKE '%Services.xml%'
      )
      AND username NOT LIKE '%$'
      AND username NOT ILIKE 'SYSTEM'
      AND username NOT ILIKE 'ANONYMOUS LOGON'
    )
  )
ORDER BY starttime DESC
LAST 1 DAYS
```

Severity: High · Confidence: High

Detects GPP credential harvesting across three attack patterns using Windows Security Event Log and Sysmon sources: (1) Sysmon Event ID 1 (Process Create) identifying PowerSploit GPP cmdlets, cpassword string references, SYSVOL+XML command-line combinations, and gpprefdecrypt tool invocations; (2) Windows Security Event IDs 5140/5145 (network share access/object access) for direct SYSVOL share enumeration; and (3) the same share-access events for reads of the GPP XML credential files (Groups.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Services.xml). Machine accounts, SYSTEM and ANONYMOUS LOGON are excluded from the share-access branch to reduce noise from legitimate Group Policy processing.
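To see how the CASE expression and the WHERE filters of the query above interact, here is a Python re-implementation of its classification logic run over a handful of constructed sample events. This is an added example, not code from the detection package: the `Event` class, `classify` function and all sample values are assumptions made for illustration, while the event IDs, property names and match strings follow the query.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed event records standing in for rows of the QRadar `events` table.
# command_line / object_name / share_name correspond to the "CommandLine",
# "Object_Name" and "Share_Name" custom properties the AQL query reads.
@dataclass
class Event:
    eventid: int
    username: str
    logsourcetype: str
    command_line: str = ""
    object_name: str = ""
    share_name: str = ""


POWERSPLOIT_CMDLETS = (
    "Get-GPPPassword", "Get-CachedGPPPassword", "Find-GPOPassword",
    "Get-GPPAutologon", "Get-SiteListPassword",
)
GPP_XML_FILES = (
    "Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
    "Printers.xml", "Services.xml",
)
SHARE_EVENT_IDS = {5140, 5145}
IN_SCOPE_SOURCES = ("Microsoft Windows Security", "Sysmon", "Microsoft Windows Event Log")


def ilike(haystack: str, needle: str) -> bool:
    """Case-insensitive substring test, the Python equivalent of ILIKE '%needle%'."""
    return needle.lower() in haystack.lower()


def is_excluded_account(username: str) -> bool:
    """The query's noise filter: machine accounts (trailing $), SYSTEM, ANONYMOUS LOGON."""
    return username.endswith("$") or username.upper() in {"SYSTEM", "ANONYMOUS LOGON"}


def classify(ev: Event) -> Optional[str]:
    """Return the AlertType the query's CASE expression would assign, or None
    when the WHERE clause would not select the event at all."""
    if not any(ilike(ev.logsourcetype, s) for s in IN_SCOPE_SOURCES):
        return None
    cmd = ev.command_line
    cmdlet_hit = any(ilike(cmd, c) for c in POWERSPLOIT_CMDLETS)
    cpassword_hit = ilike(cmd, "cpassword") or (ilike(cmd, "SYSVOL") and ilike(cmd, ".xml"))
    decrypt_hit = ilike(cmd, "gpprefdecrypt")
    if ev.eventid == 1 and (cmdlet_hit or cpassword_hit or decrypt_hit):
        # Same precedence as the CASE branches: cmdlet names win over cpassword,
        # which wins over the decryption tool name.
        if cmdlet_hit:
            return "PowerSploit_GPP"
        if cpassword_hit:
            return "GPP_CpasswordSearch"
        return "GPP_DecryptionTool"
    xml_hit = any(ilike(ev.object_name, f) for f in GPP_XML_FILES)
    share_hit = ilike(ev.share_name, "SYSVOL")
    policies_hit = ilike(ev.object_name, "\\Policies\\")
    if (ev.eventid in SHARE_EVENT_IDS
            and (share_hit or policies_hit or xml_hit)
            and not is_excluded_account(ev.username)):
        if xml_hit:
            return "GPP_XMLAccess"
        if share_hit:
            return "GPP_SYSVOLShare"
        # Selected by the WHERE clause (\Policies\ path) but matched by no CASE branch.
        return "GPP_Unknown"
    return None


# Constructed sample telemetry (not real logs); the GUID is a placeholder.
SAMPLES = [
    Event(1, "jdoe", "Microsoft Windows Sysmon",
          command_line="powershell.exe -Command Get-GPPPassword"),
    Event(1, "jdoe", "Microsoft Windows Sysmon",
          command_line=r"findstr /S /I cpassword \\corp.example\SYSVOL\*.xml"),
    Event(1, "jdoe", "Microsoft Windows Sysmon",
          command_line="python.exe gpprefdecrypt.py <ciphertext>"),
    Event(5145, "jdoe", "Microsoft Windows Security",
          object_name=r"\Policies\{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups\Groups.xml",
          share_name=r"\\*\SYSVOL"),
    Event(5140, "WS01$", "Microsoft Windows Security", share_name=r"\\*\SYSVOL"),
    Event(5145, "jdoe", "Microsoft Windows Security",
          object_name=r"\Policies\{11111111-2222-3333-4444-555555555555}\GPT.INI"),
    Event(1, "jdoe", "Linux OS", command_line="grep -r cpassword /mnt/sysvol"),
]


def classify_all(events=SAMPLES) -> list:
    """Classify every sample; None means the query would not return the row."""
    return [(ev.eventid, ev.username, classify(ev)) for ev in events]


if __name__ == "__main__":
    for eventid, user, alert in classify_all():
        print(f"{eventid:>5} {user:<8} -> {alert or 'not selected'}")
```

Two details worth noticing when running this against real telemetry: the WHERE clause selects any object under \Policies\, but the CASE only names the five XML files and the SYSVOL share name, so a 5145 event whose Share_Name the DSM did not populate lands in GPP_Unknown rather than GPP_SYSVOLShare; and the machine-account exclusion applies only to the share-access branch, so a Process Create event from a service account still alerts on the command-line patterns.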

Data Sources

  • IBM QRadar SIEM
  • Windows Security Event Log
  • Sysmon Event Log

Required Tables

events

False Positives & Tuning

  • Domain controllers and member servers running Group Policy Client Service (gpsvc) access SYSVOL XML files on every policy refresh cycle (default every 90 minutes) — machine accounts (username ending in $) are excluded but edge cases may exist for non-standard service accounts.
  • IT administrators running Group Policy Management Console (GPMC.msc) or PowerShell Group Policy cmdlets (Get-GPO, Get-GPOReport) access SYSVOL XML files for legitimate administration — correlate with known admin accounts and jump-host source IPs.
  • Microsoft Baseline Security Analyzer (MBSA) and third-party AD audit tools (Semperis, Tenable.ad, Varonis) perform scheduled SYSVOL enumeration for compliance reporting — baseline expected scan times and source IPs and suppress during scheduled windows.
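Tuning is easier when SYSVOL itself has been cleaned up: if no GPP XML still carries a cpassword, the remaining hits are reconnaissance rather than a credential loss. The following audit script is an added example (not part of this detection package) that walks a SYSVOL tree, or an offline copy of it, and lists every preference item that still carries a cpassword attribute, without decrypting anything. The directory layout, GPO GUIDs, placeholder cpassword value and the account attribute names it looks for (`userName`, `runAs`, `accountName`, `username`) are assumptions constructed for the example; the set of XML file names is the one the query watches.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files the detection query watches; these are the file types
# that can carry a cpassword attribute in their <Properties> element.
GPP_XML_FILES = {"Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
                 "Printers.xml", "Services.xml"}
# Attribute names under which the affected account appears (assumption:
# userName for Groups, runAs for ScheduledTasks, accountName for Services).
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def gpo_guid_from_path(path: Path) -> str:
    """Pick the {GUID} directory name out of a SYSVOL\\Policies path."""
    for part in path.parts:
        if GUID_RE.match(part):
            return part
    return "unknown"


def find_cpassword_entries(sysvol_root: Path) -> list:
    """Walk a SYSVOL tree (or an offline copy) and list every element that still
    carries a non-empty cpassword. Nothing is decrypted: the output is the
    remediation list, i.e. which GPO and which preference item to fix."""
    findings = []
    for path in sorted(sysvol_root.rglob("*.xml")):
        if path.name not in GPP_XML_FILES:
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError as exc:
            findings.append({"file": str(path.relative_to(sysvol_root)),
                             "gpo": gpo_guid_from_path(path),
                             "element": "PARSE_ERROR", "account": str(exc)})
            continue
        for elem in root.iter():
            props = elem.find("Properties")
            if props is None or not props.get("cpassword"):
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
            findings.append({
                "file": str(path.relative_to(sysvol_root)),
                "gpo": gpo_guid_from_path(path),
                "element": elem.tag,
                "account": account,
            })
    return findings


# Constructed sample files. The GUIDs and the cpassword value are placeholders,
# not real GPO ids or real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_NOT_REAL_CIPHERTEXT="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup" image="2" changed="2014-01-01 00:00:00">
    <!-- remediated: the password was removed, only the account name remains -->
    <Properties action="U" runAs="CORP\\svc_backup" appName="backup.exe" startIn="C:\\Backup"/>
  </Task>
</ScheduledTasks>
"""


def build_sample_sysvol(root: Path) -> Path:
    """Lay out two GPOs the way SYSVOL does: one with a leftover cpassword, one clean."""
    layout = {
        "{11111111-2222-3333-4444-555555555555}/Machine/Preferences/Groups/Groups.xml": SAMPLE_GROUPS_XML,
        "{66666666-7777-8888-9999-000000000000}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": SAMPLE_TASKS_XML,
    }
    for rel, body in layout.items():
        target = root / "Policies" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root


def audit_sample_sysvol() -> list:
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_cpassword_entries(build_sample_sysvol(Path(tmp)))


if __name__ == "__main__":
    for f in audit_sample_sysvol():
        print(f"{f['gpo']}  {f['file']}  <{f['element']}>  account={f['account']}")
```

Pointing `find_cpassword_entries` at a real SYSVOL replica gives the list of GPOs to remediate; once it comes back empty, any GPP_XMLAccess or GPP_CpasswordSearch hit from this rule can be triaged as reconnaissance against an already-hardened target.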

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Search SYSVOL for GPP Credentials with findstr

    Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.

  2. Test 2: PowerSploit Get-GPPPassword

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.

  3. Test 3: Enumerate GPP XML Files in SYSVOL

    Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.

  4. Test 4: Decrypt GPP cpassword with Python

    Expected signal: Sysmon Event ID 1: powershell.exe with AesManaged and cpassword in command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic.
