Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: <code>dir /s * .xml</code>
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-02.01 | Patch identification and application | Mitigates | T1552.006 | Group Policy Preferences |
Comments
This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for products and systems provided by vendors mitigates the risk of adversaries exploiting known vulnerabilities. An example of this for Group Policy Preferences (GPPs) is to update software by applying patch KB2962486 which prevents credentials from being stored in group policy preferences.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1552.006 | Group Policy Preferences |
Comments
This diagnostic statement protects against Group Policy Preferences through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Export data | Export data to another site or system | related-to | T1552.006 | Group Policy Preferences | |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1552.006 | Group Policy Preferences | |
| attribute.confidentiality.data_disclosure | None | related-to | T1552.006 | Group Policy Preferences |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1552.006 | Group Policy Preferences |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Exfiltration modules, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|