Group Policy Preferences
MITRE ATT&CK™ Sub-technique T1552.006
Theory
Windows systems come with a built-in Administrator (with an RID of 500) that most organizations want to change the password of. This can be achieved in multiple ways but there is one that is to be avoided: setting the built-in Administrator's password through Group Policies.
Issue 1: the password is set to be the same for every (set of) machine(s) the Group Policy applies to. If the attacker finds the admin's hash or password, he can gain administrative access to all (or set of) machines.
Issue 2: by default, knowing the built-in Administrator's hash (RID 500) allows for powerful Pass-the-Hash attacks (read more).
Issue 3: all Group Policies are stored in the Domain Controllers'
SYSVOL
share. All domain users have read access to it. This means all domain users can read the encrypted password set in Group Policy Preferences, and since Microsoft published the encryption key around 2012, the password can be decrypted🤷♂️.
In 2015, Microsoft removed storing the encrypted password in the SYSVOL folder. It introduced the Local Administrator Password Solution (LAPS), which offers a much more secure approach to remotely managing the local administrator password.
Practice
From UNIX-like systems, the Get-GPPPassword.py (Python) script in the impacket examples can be used to remotely parse .xml
files and loot for passwords.
Alternatively, searching for passwords can be done manually (or with Metasploit's smb_enum_gpp
module), however it requires mounting the SYSVOL
share, which can't be done through a docker environment unless it's run with privileged rights.
Tools like pypykatz (Python) and gpp-decrypt (Ruby) can then be used to decrypt the matches.
Resources
Last updated