Privilege Escalation via Group Policy Preferences (GPP)

This technique targets passwords stored in an insecure way on domain-joined computers and network shares. Specifically, it targets Group Policy Preferences (GPP), which administrators use to set policies on computers; these preferences can store passwords in a form that attackers can easily find and use.

GPP was once a powerful tool that allowed administrators to create domain policies with embedded credentials. These policies let administrators create local accounts, embed credentials for mapping drives, or perform other tasks that would otherwise require a password in a script. However, the storage mechanism for these credentials had a significant flaw, allowing attackers to easily decrypt the plaintext credentials. Microsoft addressed this issue with the MS14-025 patch, but the fix only prevents new policies of this kind from being created. Any existing GPPs containing credentials must still be found and removed. These policies often involve service accounts with elevated privileges, making them attractive targets for attackers.

One method to locate these credentials is to mine the SYSVOL share for credential data. SYSVOL is a domain-wide share in Active Directory that all authenticated users can read. It contains logon scripts, group policy data, and other domain-wide data needed by Domain Controllers. Since SYSVOL is automatically synchronized and shared among all Domain Controllers, it is a critical area to secure. The Domain Group Policies are stored at:

"\Domain\SYSVOL\Domain\Policies"

To pentest it with Metasploit, use these modules:
- use auxiliary/scanner/smb/smb_enum_gpp
- use post/windows/gather/credentials/gpp

Use the impacket script Get-GPPPassword.py to search for and dump the passwords:

- Get-GPPPassword.py -no-pass 'DOMAIN_CONTROLLER'
- Get-GPPPassword.py 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
- Get-GPPPassword.py -hashes :'NThash' 'DOMAIN'/'USER':'PASSWORD'@'DOMAIN_CONTROLLER'
- Get-GPPPassword.py -xmlfile '/path/to/Policy.xml' 'LOCAL'
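From the defensive side, the same SYSVOL walk can be used to audit for leftover GPP credentials so the policies can be removed. The following is an added example (not code from the page, impacket or Metasploit) that walks a Policies tree, parses the GPP XML files that can embed credentials, and reports every entry that still carries a non-empty cpassword attribute; it assumes the standard SYSVOL layout and the account attribute names GPP uses (userName, accountName, runAs, username), and it reports rather than decrypts.

```python
# Added example: audit a SYSVOL Policies tree for GPP files that still embed
# a cpassword. Assumes the usual <GUID>/{Machine,User}/Preferences/... layout
# and GPP's account attribute names. It reports findings, it does not decrypt.
import os
import xml.etree.ElementTree as ET

# GPP preference files that can carry embedded credentials (per MS14-025)
GPP_CREDENTIAL_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                        "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample Groups.xml: one entry with a cpassword, one without
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User name="backup_svc">
    <Properties action="U" userName="backup_svc" cpassword="CONSTRUCTED_BLOB"/>
  </User>
  <User name="helpdesk">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>"""


def find_cpassword_entries(xml_text, source="<memory>"):
    """Return (source, element tag, account) for every Properties element
    carrying a non-empty cpassword attribute."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return findings  # malformed file: skip it rather than abort the audit
    for elem in root.iter():
        props = elem.find("Properties")
        if props is not None and props.get("cpassword"):
            name = (props.get("userName") or props.get("accountName")
                    or props.get("runAs") or props.get("username") or "?")
            findings.append((source, elem.tag, name))
    return findings


def audit_policies_dir(policies_root):
    """Walk a Policies directory and aggregate findings from every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(policies_root):
        for fname in files:
            if fname in GPP_CREDENTIAL_FILES:
                path = os.path.join(dirpath, fname)
                with open(path, encoding="utf-8-sig") as fh:
                    findings.extend(find_cpassword_entries(fh.read(), path))
    return findings
```

Run audit_policies_dir against a copy of the Policies folder and treat every finding as a policy to delete and a credential to rotate.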