Detect Group Policy Preferences in Microsoft Sentinel
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP allows administrators to set local accounts and passwords in Active Directory environments. These credentials are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.) with the password held in a cpassword attribute encrypted using AES-256. However, Microsoft publicly released the AES encryption key in 2012 (MS14-025), making any stored cpassword value trivially decryptable, and every domain user has read access to SYSVOL, so no elevated rights are needed to reach the files. Tools that automate the harvesting include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique.
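As an added example (not part of this detection page or of any tool it names), the following Python script audits a copy of SYSVOL for the preference files listed above and reports every item that still carries a cpassword attribute, so the owning GPO can be cleaned up. It never decrypts anything; the presence of the attribute is the finding. The GPO GUID, account names and ciphertext placeholder in demo() are constructed sample data.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Preference files that can embed a cpassword (the names listed in the text).
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
             "Printers.xml", "Services.xml"}
# Attribute naming the account in the different preference item types.
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_cpasswords(sysvol_root: Path) -> List[Dict[str, object]]:
    """Walk a SYSVOL tree (or a backup of it) and report every cpassword attribute."""
    findings = []
    for xml_path in sorted(sysvol_root.rglob("*.xml")):
        if xml_path.name not in GPP_FILES:
            continue
        try:
            tree = ET.parse(xml_path)
        except ET.ParseError:
            continue  # unparsable file: nothing to inspect
        # The {GUID} directory under Policies identifies the GPO to clean up.
        gpo = next((p for p in xml_path.parts if p.startswith("{") and p.endswith("}")), "?")
        for elem in tree.iter():
            if "cpassword" not in elem.attrib:
                continue
            account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
            findings.append({"gpo": gpo, "file": xml_path.name, "account": account,
                             # blank cpassword: no secret stored, but the stale item remains
                             "blank": elem.attrib["cpassword"] == ""})
    return findings


def demo() -> List[Dict[str, object]]:
    """Build a constructed mini-SYSVOL in a temp dir and scan it (sample data only)."""
    root = Path(tempfile.mkdtemp())
    prefs = root / "Policies" / "{11111111-2222-3333-4444-555555555555}" / "Machine" / "Preferences"
    for sub in ("Groups", "ScheduledTasks", "Services"):
        (prefs / sub).mkdir(parents=True)
    (prefs / "Groups" / "Groups.xml").write_text(  # constructed: placeholder ciphertext
        '<Groups><User name="LocalAdmin"><Properties action="U" userName="LocalAdmin" '
        'cpassword="CONSTRUCTED_PLACEHOLDER_CIPHERTEXT"/></User></Groups>')
    (prefs / "ScheduledTasks" / "ScheduledTasks.xml").write_text(  # no credential stored
        '<ScheduledTasks><Task name="Backup"><Properties runAs="SYSTEM"/></Task></ScheduledTasks>')
    (prefs / "Services" / "Services.xml").write_text(  # blank cpassword left behind
        '<NTService name="Svc"><Properties accountName="svc_acct" cpassword=""/></NTService>')
    return find_cpasswords(root)
```

Point find_cpasswords() at the root of a domain controller's SYSVOL share (or an offline backup of it) to list the GPOs that still need remediation.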
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.006 Group Policy Preferences
- Canonical reference: https://attack.mitre.org/techniques/T1552/006/
KQL Detection Query
// Detect GPP credential harvesting via SYSVOL access and decryption tools
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: PowerSploit GPP modules
| where ProcessCommandLine has_any (
    "Get-GPPPassword", "Get-CachedGPPPassword", "Find-GPOPassword",
    "Get-GPPAutologon", "Get-SiteListPassword"
  )
| extend Pattern = "PowerSploit_GPP"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, Pattern
| union (
    // Pattern 2: Search for the cpassword string or SYSVOL XML files on the command line
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has "cpassword"
        or (ProcessCommandLine has "SYSVOL" and ProcessCommandLine has ".xml")
    | extend Pattern = "GPP_CpasswordSearch"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, Pattern
  )
| union (
    // Pattern 3: Direct SYSVOL XML file access
    DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileRead" or ActionType == "FileAccessed"
    | where (FolderPath has "SYSVOL" or FolderPath has "Policies")
        and (FileName has_any ("Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
                               "Printers.xml", "Services.xml"))
    | where InitiatingProcessFileName !in~ ("System", "svchost.exe")
    | extend Pattern = "GPP_XMLAccess"
    // Alias the account column so all three branches share one AccountName field
    | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, FolderPath, FileName,
              InitiatingProcessFileName, Pattern
  )
| sort by Timestamp desc

Detects GPP credential harvesting via three patterns: PowerSploit GPP modules (Get-GPPPassword, Get-CachedGPPPassword, Find-GPOPassword) in PowerShell command lines; command lines that search for the string 'cpassword' or reference SYSVOL XML files; and direct file access to known GPP credential XML files (Groups.xml, ScheduledTasks.xml, etc.) from non-system processes.
Data Sources
Required Tables
False Positives & Tuning
- Group Policy administrators legitimately accessing and reviewing GPP XML files for configuration management
- GPMC (Group Policy Management Console) reading GPP XML files during policy editing and backup operations
- Active Directory backup tools that read the entire SYSVOL share including GPP XML files
- Authorized security assessments explicitly checking for cpassword fields in GPP XML files
- Domain controller replication processes synchronizing SYSVOL content between DCs
Other platforms for T1552.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Search SYSVOL for GPP Credentials with findstr
Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.
- Test 2: PowerSploit Get-GPPPassword
Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.
- Test 3: Enumerate GPP XML Files in SYSVOL
Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.
- Test 4: Decrypt GPP cpassword with Python
Expected signal: Sysmon Event ID 1: powershell.exe with AesManaged and cpassword in command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic.
References (7)
- https://attack.mitre.org/techniques/T1552/006/
- https://obscuresecurity.blogspot.com/2012/05/gpp-passwords-in-group-policy.html
- https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md
- https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-partnering-trickbot
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory