Threat (Privilege Escalation)
Group Policy Preferences allow administrators to create and manage local accounts on servers and workstations in an Active Directory domain. Attackers can easily find and obtain the encrypted passwords of administrative account credentials managed by Group Policy Preferences and decrypt them using the Microsoft-published AES key.
How Plaintext Password Extraction through Group Policy Preferences Works
The following is a summarization of how the attack works:
- An attacker locates group policy XML files containing AES encrypted local account passwords on a Domain Controller’s SYSVOL share, leveraging PowerShell or other tools like PowerSploit’s Get-GPPPassword command.
- In conjunction with the Microsoft-published AES key, the attacker decrypts the passwords, exposing Administrative account passwords in clear text.
Important Notes about Plaintext Password Extraction through Group Policy Preferences:
- Because the SYSVOL share is open to Authenticated Users, anybody within the organization can read the files stored here. Therefore, any user account can find and decrypt these files and gain access to plain text passwords for Administrator accounts.
Watch this brief video of a Plaintext Password Extraction through Group Policy Preferences attack in action:
Potential Solutions and Mitigating Controls for Plaintext Password Extraction through Group Policy Preferences
The first step in mitigating the threat of Plaintext Password Extraction through Group Policy Preferences is understanding whether or not the condition exists in your environment. Microsoft provides a script in their security bulletin
on this vulnerability that can be leveraged and software solutions have also been designed to find instances of passwords that can be stolen using this method. Once potential vulnerabilities have been identified, it is advisable to find alternative methods of enabling the tasks or processes being facilitated previously through Group Policy Preferences. For instance, Microsoft’s Local Administrator Password Solution (LAPS) is a potential solution for providing administrative access to systems rather than logon scripts through Group Policy Preferences.
Addtional Resources Plaintext Password Extraction through Group Policy Preferences Resources: Related Attacks & Concepts: Solutions: