title: Group Policy Preferences (T1552.006)
id: df00tech-t1552-006
status: experimental
description: "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP allows administrators to set local accounts and passwords in Active Directory environments. These credentials are stored in SYSVOL as XML files (Groups.xml, ScheduledTasks.xml, Printers.xml, etc.) with passwords encrypted using AES-256. However, Microsoft publicly released the AES encryption key in 2012 (MS14-025), making any stored cpassword trivially decryptable. Domain users have read access to SYSVOL. Tools include PowerSploit's Get-GPPPassword, Metasploit's post/windows/gather/credentials/gpp module, and gpprefdecrypt.py. APT33, Wizard Spider, and SILENTTRINITY have all used this technique."
references:
  - https://attack.mitre.org/techniques/T1552/006/
  - https://df00tech.com/detections/T1552.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1552.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
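  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below matches any event that carries an EventID field,
  # so it must be replaced with real logic before this rule is deployed.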
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Group Policy administrators legitimately accessing and reviewing GPP XML files for configuration management
  - GPMC (Group Policy Management Console) reading GPP XML files during policy editing and backup operations
  - Active Directory backup tools that read the entire SYSVOL share including GPP XML files
  - Authorized security assessments explicitly checking for cpassword fields in GPP XML files
  - Domain controller replication processes synchronizing SYSVOL content between DCs
level: high
