T1552.006
Group Policy Preferences
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016) These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key) Th...
Platform: Windows
8 Detections, 3 Sources, 2 Threat Actors
BY SOURCE: 5 sigma, 2 splunk_escu, 1 elastic
PROCEDURES (5)
Process Creation Monitoring: 4 detections (auto-extracted: 4 detections for process creation monitoring)
Privilege: 1 detection (auto-extracted: 1 detection for privilege)
Powershell: 1 detection (auto-extracted: 1 detection for powershell)
Registry Monitoring: 1 detection (auto-extracted: 1 detection for registry monitoring)
THREAT ACTORS (2)
DETECTIONS (8)
Access To Potentially Sensitive Sysvol Files By Uncommon Applications (sigma, medium)
Findstr GPP Passwords (sigma, high)
LSASS Process Reconnaissance Via Findstr.EXE (sigma, high)
Permission Misconfiguration Reconnaissance Via Findstr.EXE (sigma, medium)
Potential PowerShell HackTool Script by Function Names (elastic, medium)
Suspicious SYSVOL Domain Group Policy Access (sigma, medium)
Windows Findstr GPP Discovery (splunk_escu)
Windows PowerSploit GPP Discovery (splunk_escu)