Detection: Windows PowerSploit GPP Discovery

Description

The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts. These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public). While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.

Annotations

No annotations available.

Implementation

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

Unknown

Associated Analytic Story

• Active Directory Privilege Escalation

Risk Based Analytics (RBA)

References

• https://attack.mitre.org/techniques/T1552/006/

• https://pentestlab.blog/2017/03/20/group-policy-preferences/

• https://adsecurity.org/?p=2288

• https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/

• https://adsecurity.org/?p=2288

• https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30

Version: 4