This note documents detection patterns related to Group Policy Preference Passwords within Active Directory environments.
## Direct Indicators

| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 5145 | A network share object was checked to see whether client can access it | Critical | Access to SYSVOL share containing Group Policy Preference files that may store cpassword values. |
| Security | 4663 | An attempt was made to access an object | High | File access events on GPP XML files containing encrypted passwords. |
| Security | 4624 | Successful logon | Medium | Authentication that precedes or follows SYSVOL access. |
| Sysmon | 1 | Process creation | Medium | Execution of tools parsing GPP XML files for cpassword values. |
| Sysmon | 11 | File created | Low | Temporary files created when copying SYSVOL contents. |
| Sysmon | 3 | Network connection | Medium | SMB connections to domain controllers accessing SYSVOL. |
## Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Access to SYSVOL Policies folder | SMB reads from `\\<domain>\SYSVOL\Policies` | Critical | Location where GPP XML files are stored. |
| Presence of cpassword fields | XML files containing encrypted credentials | Critical | Classic Group Policy Preference credential exposure. |
| Enumeration of multiple GPO directories | Mass reads of policy files | High | Possible automated credential harvesting. |
| Use of decryption scripts | Execution of scripts extracting GPP passwords | High | Attacker decrypting stored credentials. |
| Authentication using recovered credentials | Logon events after SYSVOL enumeration | Critical | Indicates attacker leveraged recovered passwords. |
## Common Tools

| Tool | Usage |
|---|---|
| PowerSploit Get-GPPPassword | Extracts GPP passwords from SYSVOL. |
| gpp-decrypt | Decrypts cpassword values from GPP XML files. |
| CrackMapExec | Automates enumeration and credential extraction. |
| Impacket | Uses recovered credentials for remote execution. |
| Manual scripts | Parsing XML files from SYSVOL. |
## Relevant Artifacts

- Domain controller Security logs (5145, 4663)
- SMB access logs to SYSVOL share
- File system artifacts on domain controllers
- Sysmon logs (1, 3, 11)
- EDR telemetry identifying credential harvesting tools
- Prefetch artifacts showing execution of PowerSploit or scripts
- Authentication logs following credential extraction
## MITRE ATT&CK References

- T1552 Unsecured Credentials
- T1552.006 Group Policy Preferences
- T1003 OS Credential Dumping
## Decision Tree

- Is the suspicious event present?
  - Identify SYSVOL access events (5145 / 4663).
- What host generated the event?
  - Determine the workstation accessing SYSVOL files.
- Is the account expected to perform this action?
  - Investigate whether the account normally manages GPOs.
- Pivot:
  - Source host → inspect execution of PowerSploit or GPP extraction scripts.
  - File access → determine which policy files were accessed.
  - Authentication → review logon events after credential extraction.
- Confirm exploitation
  - Determine whether the attacker retrieved and decrypted cpassword credentials.
## Example Detection Templates

### KQL

```kql
SecurityEvent
| where EventID == 5145
| where ShareName contains "SYSVOL"

SecurityEvent
| where EventID == 4663
| where ObjectName contains "Policies"
```
### EQL

```eql
any where event.code == "5145"
```
### Sigma

```yaml
title: Suspicious SYSVOL Access for GPP Files
id: gpp-passwords-detection
status: experimental
description: Detects access to SYSVOL policies which may indicate Group Policy Preference password harvesting
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5145
    ShareName|contains: SYSVOL
  condition: selection
fields:
  - SubjectUserName
  - ShareName
falsepositives:
  - Legitimate GPO management activity
level: medium
tags:
  - attack.credential_access
  - attack.t1552.006
```
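The templates above fire on any SYSVOL share access. The indirect indicators (reads of cpassword-bearing preference files, mass enumeration of many GPO directories by one account) need correlation across events. The following is an added worked example, not code from the original note or from any of the tools it lists: it runs that correlation over constructed Security 5145 records. Field names follow the real 5145 event (SubjectUserName, IpAddress, ShareName, RelativeTargetName); the sample records, GPO GUIDs, account names, and the enumeration thresholds are constructed or assumed and would be tuned per environment.

```python
"""Correlate Security 5145 SYSVOL reads into GPP credential-file and enumeration alerts.

Added example for this note (not the page's or any tool's code). Sample records,
GUIDs, accounts and thresholds are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Group Policy Preference files that can carry a cpassword attribute.
GPP_CREDENTIAL_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                        "datasources.xml", "printers.xml", "drives.xml"}
# Assumed tuning values: distinct GPO directories one account touches within one window.
ENUM_DISTINCT_GPOS = 5
ENUM_WINDOW = timedelta(minutes=10)

# Constructed sample records, not real telemetry:
# (TimeCreated, EventID, SubjectUserName, IpAddress, ShareName, RelativeTargetName)
P = r"corp.example\Policies"
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", 5145, "gpo-admin", "10.0.1.20", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000a1}\GPT.INI"),
    ("2024-01-10T09:00:02", 5145, "gpo-admin", "10.0.1.20", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000a1}\Machine\Preferences\Groups\Groups.xml"),
    ("2024-01-10T09:14:00", 5145, "svc-backup", "10.0.5.9", r"\\*\IPC$", "srvsvc"),
    ("2024-01-10T09:15:00", 5145, "svc-backup", "10.0.5.9", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000b1}\Machine\Preferences\Groups\Groups.xml"),
    ("2024-01-10T09:15:01", 5145, "svc-backup", "10.0.5.9", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000b2}\Machine\Preferences\Services\Services.xml"),
    ("2024-01-10T09:15:02", 5145, "svc-backup", "10.0.5.9", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000b3}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml"),
    ("2024-01-10T09:15:03", 5145, "svc-backup", "10.0.5.9", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000b4}\User\Preferences\Drives\Drives.xml"),
    ("2024-01-10T09:15:04", 5145, "svc-backup", "10.0.5.9", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000b5}\User\Preferences\Printers\Printers.xml"),
    ("2024-01-10T09:15:05", 5145, "svc-backup", "10.0.5.9", r"\\*\SYSVOL",
     P + r"\{00000000-0000-0000-0000-0000000000b6}\Machine\Preferences\DataSources\DataSources.xml"),
]


@dataclass(frozen=True)
class ShareAccess:
    time: datetime
    event_id: int
    user: str
    source_ip: str
    share: str
    target: str


def parse_event(row):
    ts, eid, user, ip, share, target = row
    return ShareAccess(datetime.fromisoformat(ts), int(eid), user, ip, share, target)


def gpo_guid(target):
    """Return the {GUID} directory under Policies\\ from a RelativeTargetName, or None."""
    parts = PureWindowsPath(target).parts
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "policies" and parts[i + 1].startswith("{"):
            return parts[i + 1].upper()
    return None


def is_gpp_credential_file(target):
    return PureWindowsPath(target).name.lower() in GPP_CREDENTIAL_FILES


def sysvol_events(events):
    # Only 5145 records against the SYSVOL share are relevant; IPC$ etc. are dropped.
    return [e for e in events if e.event_id == 5145 and "SYSVOL" in e.share.upper()]


def credential_file_reads(events):
    return [e for e in sysvol_events(events) if is_gpp_credential_file(e.target)]


def enumeration_alerts(events, threshold=ENUM_DISTINCT_GPOS, window=ENUM_WINDOW):
    """One alert per (user, source) whose busiest window touched >= threshold distinct GPOs."""
    by_actor = defaultdict(list)
    for e in sysvol_events(events):
        guid = gpo_guid(e.target)
        if guid:
            by_actor[(e.user, e.source_ip)].append((e.time, guid))
    alerts = []
    for (user, ip), hits in by_actor.items():
        hits.sort()
        best, span, start = 0, None, 0
        for end in range(len(hits)):          # sliding window over time-ordered hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({g for _, g in hits[start:end + 1]})
            if distinct > best:
                best, span = distinct, (hits[start][0], hits[end][0])
        if best >= threshold:
            alerts.append({"user": user, "source_ip": ip, "distinct_gpos": best,
                           "first_seen": span[0].isoformat(), "last_seen": span[1].isoformat()})
    return alerts


def analyze(rows=SAMPLE_EVENTS):
    events = [parse_event(r) for r in rows]
    return {"credential_file_reads": credential_file_reads(events),
            "enumeration_alerts": enumeration_alerts(events)}


if __name__ == "__main__":
    result = analyze()
    for e in result["credential_file_reads"]:
        print(f"GPP credential file read: {e.user}@{e.source_ip} -> {e.target}")
    for a in result["enumeration_alerts"]:
        print(f"ENUMERATION: {a}")
```

On the constructed input, `gpo-admin` produces a single credential-file read and no enumeration alert, while `svc-backup` touching six GPO directories in five seconds produces both; the decision tree above then asks whether that account normally manages GPOs.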
## Mitigation & Hardening

| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Credential hygiene | Remove GPP passwords from SYSVOL | Critical | Microsoft deprecated storing credentials in GPP (MS14-025), but existing cpassword values remain in SYSVOL until the preference items are removed. |
| Audit policies | Search domain for cpassword values | Critical | Identify legacy exposures. |
| Least privilege | Restrict who can read sensitive policy files | Medium | Limits attack surface. |
| Monitoring | Alert on mass SYSVOL enumeration | High | Detects credential harvesting attempts. |
| Credential rotation | Rotate any exposed passwords immediately | Critical | Prevents continued abuse. |
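The "Audit policies" control above (search the domain for cpassword values) is the one a defender runs first, since it tells you which items to remove and which accounts to rotate. The following is an added example, not code from the original note or from any tool it lists: it walks a SYSVOL `Policies` tree, parses only the preference-file types that can carry a cpassword, and reports each element that still has one together with the account it belongs to. It reports presence only; it does not decrypt anything. The directory tree, GUIDs, account names and cpassword values are constructed placeholders written to a temporary directory so the example runs offline; in practice `find_cpassword` would be pointed at `\\<domain>\SYSVOL\<domain>\Policies`.

```python
"""Audit a SYSVOL Policies tree for Group Policy Preference items that still carry cpassword.

Added example for this note (not the page's or any tool's code). The sample tree,
GUIDs, accounts and cpassword values are constructed placeholders.
"""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference file types that can carry a cpassword attribute.
GPP_CREDENTIAL_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                        "datasources.xml", "printers.xml", "drives.xml"}
# Attribute names used by the different preference types to name the account.
ACCOUNT_ATTRIBUTES = ("userName", "runAs", "accountName", "username")

# Constructed sample files (forward-slash keys so the tree builds on any OS).
SAMPLE_FILES = {
    "{00000000-0000-0000-0000-0000000000A1}/Machine/Preferences/Groups/Groups.xml":
        '<?xml version="1.0" encoding="utf-8"?>\n<Groups>\n  <User name="localadmin">\n'
        '    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-1" userName="localadmin"'
        ' changeLogon="0" neverExpires="1"/>\n  </User>\n</Groups>\n',
    "{00000000-0000-0000-0000-0000000000A2}/User/Preferences/Drives/Drives.xml":
        '<?xml version="1.0" encoding="utf-8"?>\n<Drives>\n  <Drive name="H:">\n'
        '    <Properties action="U" path="\\\\fileserver\\home" userName="" persistent="1"/>\n'
        '  </Drive>\n</Drives>\n',
    "{00000000-0000-0000-0000-0000000000A3}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml":
        '<?xml version="1.0" encoding="utf-8"?>\n<ScheduledTasks>\n  <Task name="nightly-sync">\n'
        '    <Properties action="C" runAs="CORP\\svc-task" cpassword="CONSTRUCTED-PLACEHOLDER-2"'
        ' appName="sync.exe"/>\n  </Task>\n</ScheduledTasks>\n',
    "{00000000-0000-0000-0000-0000000000A3}/GPT.INI": "[General]\r\nVersion=1\r\n",
}


def find_cpassword(policies_root):
    """Return {'findings': [...], 'unparseable': [...]} for every cpassword under policies_root."""
    root = Path(policies_root)
    findings, unparseable = [], []
    for path in sorted(root.rglob("*.xml")):
        if path.name.lower() not in GPP_CREDENTIAL_FILES:
            continue                      # other XML (e.g. Registry.xml) cannot carry cpassword
        try:
            tree = ET.parse(path)
        except ET.ParseError as exc:
            unparseable.append({"file": str(path.relative_to(root)), "error": str(exc)})
            continue
        for elem in tree.iter():
            if elem.get("cpassword"):     # present and non-empty
                account = next((elem.get(a) for a in ACCOUNT_ATTRIBUTES if elem.get(a)), None)
                findings.append({"file": str(path.relative_to(root)),
                                 "element": elem.tag, "account": account})
    return {"findings": findings, "unparseable": unparseable}


def build_sample_tree():
    """Write the constructed SYSVOL-like tree to a temp dir and return its Policies path."""
    policies = Path(tempfile.mkdtemp()) / "Policies"
    for rel, content in SAMPLE_FILES.items():
        dest = policies.joinpath(*rel.split("/"))
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content, encoding="utf-8")
    return policies


def audit_sample():
    return find_cpassword(build_sample_tree())


if __name__ == "__main__":
    report = audit_sample()
    for f in report["findings"]:
        print(f"cpassword present: {f['file']} <{f['element']}> account={f['account']}")
    for u in report["unparseable"]:
        print(f"could not parse: {u['file']} ({u['error']})")
```

Each finding maps directly to a remediation step from the table: delete or edit the preference item so the cpassword attribute is gone, then rotate the named account. Re-running the audit after cleanup should return no findings.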