Findstr GPP Passwords
Detects find.exe or findstr.exe being used to search Group Policy Preference XML files in the domain SYSVOL share for the cpassword attribute. cpassword holds an AES-encrypted password whose key Microsoft published, so any value found can be decrypted offline with gpp-decrypt (MITRE ATT&CK T1552.006). The rule pairs the Image check with OriginalFileName, so a copied and renamed findstr binary still triggers it; the same search done from PowerShell (for example Select-String) or with Get-GPPPassword is outside its selection and needs separate coverage.
Sigma rule
title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021-12-27
modified: 2023-11-11
tags:
    - attack.credential-access
    - attack.t1552.006
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\find.exe'
              - '\findstr.exe'
        - OriginalFileName:
              - 'FIND.EXE'
              - 'FINDSTR.EXE'
    selection_cli:
        CommandLine|contains|all:
            - 'cpassword'
            - '\sysvol\'
            - '.xml'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
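To make the detection logic concrete, the following is an added example (not part of the Sigma rule, its repository, or this page) that re-implements the rule in plain Python and runs it over constructed Sysmon-style process_creation events. Field names follow the Sigma process_creation taxonomy; the host paths, user name and corp.example domain in the events are made up. Sigma string matching is case-insensitive by default, which the code mirrors by lowercasing both sides.

```python
# Added example, not part of the Sigma rule or the page: evaluates the
# rule's selections and condition over constructed process_creation events.

# selection_img is a YAML list of two maps, so Sigma ORs them: either the
# Image path ends with one of these suffixes, or OriginalFileName (taken
# from the PE version resource) equals one of these names.
IMAGE_SUFFIXES = ("\\find.exe", "\\findstr.exe")
ORIGINAL_FILE_NAMES = ("find.exe", "findstr.exe")

# selection_cli uses |contains|all: every term must appear in CommandLine.
CLI_TERMS = ("cpassword", "\\sysvol\\", ".xml")


def selection_img(event: dict) -> bool:
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or ofn in ORIGINAL_FILE_NAMES


def selection_cli(event: dict) -> bool:
    cli = event.get("CommandLine", "").lower()
    return all(term in cli for term in CLI_TERMS)


def matches_rule(event: dict) -> bool:
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


def evaluate(events) -> list:
    """Return one bool per event, True where the rule would alert."""
    return [matches_rule(e) for e in events]


# Constructed sample events (hypothetical hosts, user and domain).
SAMPLE_EVENTS = [
    # 1. The Atomic Red Team style search: should alert.
    {
        "Image": "C:\\Windows\\System32\\findstr.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": "findstr /S /I cpassword \\\\corp.example\\sysvol\\corp.example\\policies\\*.xml",
    },
    # 2. findstr.exe copied and renamed to dodge an Image-only check:
    #    OriginalFileName still reads FINDSTR.EXE, so the rule still fires.
    {
        "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\fs.exe",
        "OriginalFileName": "FINDSTR.EXE",
        "CommandLine": "fs.exe /S /I cpassword \\\\corp.example\\SYSVOL\\corp.example\\Policies\\*.xml",
    },
    # 3. Admin searching SYSVOL for a policy GUID: no 'cpassword', no alert.
    {
        "Image": "C:\\Windows\\System32\\find.exe",
        "OriginalFileName": "FIND.EXE",
        "CommandLine": "find /I \"{31B2F340-016D-11D2-945F-00C04FB984F9}\" \\\\corp.example\\sysvol\\corp.example\\policies\\gpt.ini",
    },
    # 4. The same hunt from PowerShell: selection_cli matches, but neither
    #    Image nor OriginalFileName does, so this rule is blind to it.
    {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell -c \"Select-String -Path \\\\corp.example\\sysvol\\corp.example\\policies\\*.xml -Pattern cpassword\"",
    },
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Running it flags the first two events and passes the last two. Event 2 shows why the rule carries the OriginalFileName alternative; event 4 is the gap worth closing with a PowerShell or script-block rule alongside this one.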
References
Related rules
- Access To Potentially Sensitive Sysvol Files By Uncommon Applications
- LSASS Process Reconnaissance Via Findstr.EXE
- Suspicious SYSVOL Domain Group Policy Access
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript