Unsecured Credentials: Параметры групповой политики
Other sub-techniques of Unsecured Credentials (7)
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)
These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)
The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
* Metasploit’s post exploitation module: post/windows/gather/credentials/gpp
* Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)
* gpprefdecrypt.py
On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml
Примеры процедур |
|
| Название | Описание |
|---|---|
| SILENTTRINITY |
SILENTTRINITY has a module that can extract cached GPP passwords.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| PowerSploit |
PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| APT33 |
APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| Update Software |
Perform regular software updates to mitigate exploitation risk. |
| Active Directory Configuration |
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc. |
Обнаружение
Monitor for attempts to access SYSVOL that involve searching for XML files. Deploy a new XML file with permissions set to Everyone:Deny and monitor for Access Denied errors.(Citation: ADSecurity Finding Passwords in SYSVOL)
Ссылки
- Sean Metcalf. (2015, December 28). Finding Passwords in SYSVOL & Exploiting Group Policy Preferences. Retrieved February 17, 2020.
- Campbell, C. (2012, May 24). GPP Password Retrieval with PowerShell. Retrieved April 11, 2018.
- Microsoft. (n.d.). 2.2.1.1.4 Password Encryption. Retrieved April 11, 2018.
- Microsoft. (2016, August 31). Group Policy Preferences. Retrieved March 9, 2020.
- Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved February 17, 2020.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- Microsoft. (2014, May 13). MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege. Retrieved January 28, 2015.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.