EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Windows PowerSploit GPP Discovery

The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.

MITRE ATT&CK

T1552.006

Detection Query

`powershell` EventCode=4104  (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powersploit_gpp_discovery_filter`

Author

Mauricio Velazco, Splunk

Created

2026-03-10

Data Sources

Powershell Script Block Logging 4104

References

Tags

Active Directory Privilege Escalation
Raw Content
name: Windows PowerSploit GPP Discovery
id: 0130a0df-83a1-4647-9011-841e950ff302
version: 13
date: '2026-03-10'
author: Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
    - Powershell Script Block Logging 4104
description: The following analytic detects the execution of the Get-GPPPassword PowerShell cmdlet, which is used to search for unsecured credentials in Group Policy Preferences (GPP). This detection leverages PowerShell Script Block Logging to identify specific script block text associated with this cmdlet. Monitoring this activity is crucial as it can indicate an attempt to retrieve and decrypt stored credentials from SYSVOL, potentially leading to unauthorized access. If confirmed malicious, this activity could allow an attacker to escalate privileges or move laterally within the network by exploiting exposed credentials.
search: |-
    `powershell` EventCode=4104  (ScriptBlockText=Get-GPPPassword OR ScriptBlockText=Get-CachedGPPPassword)
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_powersploit_gpp_discovery_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: No false positives have been identified at this time.
references:
    - https://attack.mitre.org/techniques/T1552/006/
    - https://pentestlab.blog/2017/03/20/group-policy-preferences/
    - https://adsecurity.org/?p=2288
    - https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
    - https://adsecurity.org/?p=2288
    - https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30
drilldown_searches:
    - name: View the detection results for - "$Computer$" and "$user$"
      search: '%original_detection_search% | search  Computer = "$Computer$" user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$Computer$" and "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$", "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Commandlets leveraged to discover GPP credentials were executed on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 50
        - field: user_id
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Privilege Escalation
    asset_type: Endpoint
    mitre_attack_id:
        - T1552.006
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog