Detect Group Policy Preferences in Splunk
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP lets administrators create local accounts and set their passwords across an Active Directory environment. These settings are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.), with the password held in a cpassword attribute encrypted with AES-256. Microsoft publicly documented the AES key in 2012 (see MS14-025), so any stored cpassword value is trivially decryptable, and every domain user has read access to SYSVOL, so no elevated privilege is needed to reach these files. Tools that automate the technique include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique.
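The remediation side of this technique is to find every cpassword still sitting in SYSVOL and remove it. The following is an added example, not part of the original page and not a vendor or project tool: a small Python audit that parses the GPP XML formats named above and reports each element carrying a cpassword attribute, without decrypting anything. The sample documents are constructed and their cpassword values are placeholders, not real encrypted blobs; the identity attribute names (userName, runAs, username, accountName) are the ones the respective GPP file types use.

```python
"""Audit Group Policy Preferences XML for stored cpassword attributes.

Added example, not part of the original page and not a vendor or project
tool. Parses the GPP XML files that live under SYSVOL and reports every
element carrying a cpassword attribute, without decrypting anything.
The sample documents below are constructed; cpassword values are
placeholders, not real encrypted blobs.
"""
from pathlib import Path
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# GPP file names that can carry a cpassword attribute.
GPP_FILES = ("Groups.xml", "ScheduledTasks.xml", "DataSources.xml",
             "Drives.xml", "Printers.xml", "Services.xml")

# Attributes naming the account the cpassword belongs to, by file type
# (userName: Groups, runAs: ScheduledTasks, username: DataSources/Drives/
# Printers, accountName: Services). newName is last because Groups.xml
# carries it as an empty string when the account is not being renamed.
IDENTITY_ATTRS = ("userName", "runAs", "username", "accountName", "newName")


def find_cpasswords(xml_text: str, source: str = "<string>") -> List[Dict]:
    """Return one finding per element in the document that has a cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if "cpassword" not in elem.attrib:
            continue
        account: Optional[str] = next(
            (elem.attrib[a] for a in IDENTITY_ATTRS if elem.attrib.get(a)), None)
        findings.append({
            "file": source,
            "element": elem.tag,
            "account": account,
            "action": elem.attrib.get("action"),  # C/R/U/D preference action
            "cpassword_length": len(elem.attrib["cpassword"]),
        })
    return findings


def audit_policies_dir(policies_dir: Path) -> List[Dict]:
    """Walk a SYSVOL Policies tree (or an offline copy) and audit every known GPP file."""
    results = []
    for path in sorted(policies_dir.rglob("*.xml")):
        if path.name in GPP_FILES:
            results.extend(find_cpasswords(path.read_text(encoding="utf-8"), str(path)))
    return results


# Constructed sample: Groups.xml updating a local administrator with a stored password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2014-01-15 10:21:00">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER-NOT-A-REAL-ENCRYPTED-VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
</Groups>
"""

# Constructed sample: ScheduledTasks.xml running a task as a service account.
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="NightlyBackup" image="0" changed="2014-02-03 08:00:00">
    <Properties action="C" name="NightlyBackup" appName="C:\\backup\\run.cmd"
                runAs="CORP\\svc_backup" cpassword="PLACEHOLDER-NOT-A-REAL-ENCRYPTED-VALUE"
                enabled="1"/>
  </Task>
</ScheduledTasks>
"""

# Constructed sample: Printers.xml mapping a shared printer with no credential at all.
SAMPLE_CLEAN_XML = """<?xml version="1.0" encoding="utf-8"?>
<Printers>
  <SharedPrinter name="HQ-Printer" image="1" changed="2014-02-03 08:05:00">
    <Properties action="U" path="\\\\print01\\HQ-Printer" default="1"/>
  </SharedPrinter>
</Printers>
"""


if __name__ == "__main__":
    for name, doc in (("Groups.xml", SAMPLE_GROUPS_XML),
                      ("ScheduledTasks.xml", SAMPLE_TASKS_XML),
                      ("Printers.xml", SAMPLE_CLEAN_XML)):
        for f in find_cpasswords(doc, name):
            print(f"{f['file']}: <{f['element']}> action={f['action']} account={f['account']}")
```

Point audit_policies_dir at a copy of \\domain\SYSVOL\domain\Policies (or a backup of it) to get a list of every GPP item that still stores a password; each one should be deleted or recreated without a password, and the corresponding local account password rotated, since the cpassword may already have been read.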
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1552 Unsecured Credentials
- Sub-technique: T1552.006 Group Policy Preferences
- Canonical reference: https://attack.mitre.org/techniques/T1552/006/
SPL Detection Query
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
(
  (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (CommandLine="*Get-GPPPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR
     CommandLine="*Find-GPOPassword*" OR CommandLine="*Get-GPPAutologon*" OR
     CommandLine="*cpassword*" OR
     (CommandLine="*SYSVOL*" AND CommandLine="*.xml*") OR
     Image="*\\gpprefdecrypt*" OR CommandLine="*gpprefdecrypt*" OR CommandLine="*AES-256*SYSVOL*"))
  OR
  (sourcetype="WinEventLog:Security" (EventCode=5140 OR EventCode=5145)
    (Share_Name="\\\\*\\SYSVOL" OR Object_Name="*\\Policies\\*" OR
     Object_Name="*Groups.xml*" OR Object_Name="*ScheduledTasks.xml*" OR
     Object_Name="*DataSources.xml*" OR Object_Name="*Printers.xml*")
    NOT Account_Name IN ("SYSTEM", "*$"))
)
| eval AlertType=case(
    EventCode=1 AND (like(lower(Image), "%gpprefdecrypt%") OR like(lower(CommandLine), "%gpprefdecrypt%") OR like(lower(CommandLine), "%aes-256%sysvol%")), "GPP_DecryptionTool",
    EventCode=1, "GPP_CommandExec",
    EventCode=5140 OR EventCode=5145, "GPP_SYSVOLAccess")
| table _time, host, AlertType, User, Account_Name, Client_Address, Image, CommandLine, Share_Name, Object_Name
| sort - _time
The search combines three detection branches in a single base search and labels each match through the AlertType field (pipes cannot appear inside the parenthesised groups of a base search, so the branch-specific eval and table commands are applied once, after the filter). GPP_CommandExec covers Sysmon Event ID 1 command lines that invoke the PowerSploit GPP functions (Get-GPPPassword, Find-GPOPassword, Get-CachedGPPPassword, Get-GPPAutologon) or that search SYSVOL XML files for cpassword. GPP_DecryptionTool covers execution of the gpprefdecrypt tool and takes precedence when both process branches match. GPP_SYSVOLAccess covers access to the SYSVOL share or to the GPP XML files as recorded in Windows Security Event IDs 5140 and 5145 on the domain controllers, which requires Object Access auditing (the File Share and Detailed File Share subcategories) to be enabled there; SYSTEM and computer accounts (names ending in $) are excluded from that branch because they generate this traffic legitimately.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 1, process creation with command line)
- WinEventLog:Security (Event IDs 5140 and 5145 from domain controllers, with file share auditing enabled)
False Positives & Tuning
- Group Policy administrators accessing GPP XML files for configuration management
- GPMC reading GPP XML files during policy editing
- Active Directory backup tools reading SYSVOL share
- Authorized security assessments checking for cpassword in GPP XML
- Domain controller replication synchronizing SYSVOL
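To make the branch logic of the SPL search and the tuning cases above concrete, here is an added example that is not from the original page and not Splunk code: a Python re-implementation of the same three-way classification, with the SYSTEM and machine-account exclusion and an allowlist for the principals that are expected to touch GPP files (GPO administrators, backup service accounts). The allowlist is a hypothetical tuning knob for this example; in Splunk the equivalent is a lookup joined on the account. Event dictionaries use the search's field names (EventCode, CommandLine, Image, User, Share_Name, Object_Name, Account_Name, Client_Address) and all sample events are constructed.

```python
"""Classify Windows and Sysmon events into the three GPP alert types.

Added example, not from the original page and not Splunk code. Mirrors
the branching of the SPL search so its wildcard matching, exclusions and
an allowlist for expected administrators can be exercised offline.
All sample events are constructed.
"""
import fnmatch
from typing import Dict, Iterable, List, Optional

# Sysmon Event ID 1 patterns for the GPP_CommandExec branch.
CMDLINE_PATTERNS = ("*Get-GPPPassword*", "*Get-CachedGPPPassword*",
                    "*Find-GPOPassword*", "*Get-GPPAutologon*", "*cpassword*")
# GPP_DecryptionTool branch.
DECRYPT_IMAGE_PATTERNS = ("*gpprefdecrypt*",)
DECRYPT_CMDLINE_PATTERNS = ("*gpprefdecrypt*", "*AES-256*SYSVOL*")
# GPP_SYSVOLAccess branch (Security 5140/5145 on the domain controllers).
SHARE_PATTERNS = ("\\\\*\\SYSVOL",)
OBJECT_PATTERNS = ("*\\Policies\\*", "*Groups.xml*", "*ScheduledTasks.xml*",
                   "*DataSources.xml*", "*Printers.xml*")


def _match(value: Optional[str], pattern: str) -> bool:
    """Case-insensitive wildcard match, the way a quoted * term behaves in SPL."""
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _any(value: Optional[str], patterns: Iterable[str]) -> bool:
    return any(_match(value, p) for p in patterns)


def classify(event: Dict) -> Optional[str]:
    """Return the AlertType for one event, or None when no branch matches."""
    code = int(event.get("EventCode", 0))  # Splunk delivers EventCode as a string
    cmd, image = event.get("CommandLine"), event.get("Image")
    if code == 1:
        # Decryption-tool branch wins when both process branches match,
        # as in the eval case() ordering of the search.
        if _any(image, DECRYPT_IMAGE_PATTERNS) or _any(cmd, DECRYPT_CMDLINE_PATTERNS):
            return "GPP_DecryptionTool"
        if _any(cmd, CMDLINE_PATTERNS) or (_match(cmd, "*SYSVOL*") and _match(cmd, "*.xml*")):
            return "GPP_CommandExec"
        return None
    if code in (5140, 5145):
        account = event.get("Account_Name", "")
        # NOT Account_Name IN ("SYSTEM", "*$"): SYSTEM and computer accounts are excluded.
        if account.upper() == "SYSTEM" or account.endswith("$"):
            return None
        if _any(event.get("Share_Name"), SHARE_PATTERNS) or _any(event.get("Object_Name"), OBJECT_PATTERNS):
            return "GPP_SYSVOLAccess"
    return None


def _short(principal: str) -> str:
    """Strip a DOMAIN\\ prefix so 'CORP\\jdoe' and 'jdoe' compare equal."""
    return principal.split("\\")[-1].lower()


def run_detection(events: Iterable[Dict], allowlist: Iterable[str] = ()) -> List[Dict]:
    """Classify a stream of events and drop alerts for allowlisted principals.

    allowlist (hypothetical tuning knob) holds accounts expected to read GPP
    files, e.g. GPO administrators or backup service accounts.
    """
    allowed = {_short(a) for a in allowlist}
    alerts = []
    for event in events:
        alert_type = classify(event)
        if alert_type is None:
            continue
        principal = event.get("User") or event.get("Account_Name") or ""
        if _short(principal) in allowed:
            continue
        alerts.append({"AlertType": alert_type, "principal": principal, "host": event.get("host"),
                       "detail": event.get("CommandLine") or event.get("Object_Name")})
    return alerts


# Constructed sample events, field names as the SPL search uses them.
SAMPLE_EVENTS = [
    {"EventCode": "1", "host": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -C Get-GPPPassword"},
    {"EventCode": "1", "host": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\findstr.exe",
     "CommandLine": "findstr /S /I cpassword \\\\corp.local\\SYSVOL\\corp.local\\Policies\\*.xml"},
    {"EventCode": "1", "host": "WS01", "User": "CORP\\jdoe",
     "Image": "C:\\Tools\\python.exe", "CommandLine": "python gpprefdecrypt.py PLACEHOLDER-BLOB"},
    {"EventCode": "5145", "host": "DC01", "Account_Name": "jdoe", "Client_Address": "10.0.0.5",
     "Share_Name": "\\\\*\\SYSVOL",
     "Object_Name": "corp.local\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Preferences\\Groups\\Groups.xml"},
    {"EventCode": "5145", "host": "DC01", "Account_Name": "WS02$", "Client_Address": "10.0.0.6",
     "Share_Name": "\\\\*\\SYSVOL",
     "Object_Name": "corp.local\\Policies\\{PLACEHOLDER-GUID}\\Machine\\Preferences\\Groups\\Groups.xml"},
    {"EventCode": "1", "host": "WS03", "User": "CORP\\asmith",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample batch yields four alerts (two GPP_CommandExec, one GPP_DecryptionTool, one GPP_SYSVOLAccess); the computer-account share access and the notepad process produce none. Passing the jdoe account in the allowlist suppresses all four, which is exactly why an allowlist should be kept to the narrow set of administrative and backup accounts listed in the tuning section and reviewed regularly.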
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Search SYSVOL for GPP Credentials with findstr
Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.
- Test 2: PowerSploit Get-GPPPassword
Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.
- Test 3: Enumerate GPP XML Files in SYSVOL
Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.
- Test 4: Decrypt GPP cpassword with Python
Expected signal: Sysmon Event ID 1: powershell.exe with AesManaged and cpassword in command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic.
References (7)
- https://attack.mitre.org/techniques/T1552/006/
- https://obscuresecurity.blogspot.com/2012/05/gpp-passwords-in-group-policy.html
- https://learn.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-025
- https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md
- https://www.mandiant.com/resources/blog/fin12-ransomware-intrusion-actor-partnering-trickbot
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory