← Back to Explore
sigmahighHunting
Findstr GPP Passwords
Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Detection Query
selection_img:
- Image|endswith:
- \find.exe
- \findstr.exe
- OriginalFileName:
- FIND.EXE
- FINDSTR.EXE
selection_cli:
CommandLine|contains|all:
- cpassword
- \sysvol\
- .xml
condition: all of selection_*
Author
frack113
Created
2021-12-27
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.credential-accessattack.t1552.006
Raw Content
title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
- attack.credential-access
- attack.t1552.006
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\find.exe'
- '\findstr.exe'
- OriginalFileName:
- 'FIND.EXE'
- 'FINDSTR.EXE'
selection_cli:
CommandLine|contains|all:
- 'cpassword'
- '\sysvol\'
- '.xml'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords/info.yml
simulation:
- type: atomic-red-team
name: GPP Passwords (findstr)
technique: T1552.006
atomic_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f