-
Notifications
You must be signed in to change notification settings - Fork 375
/
ssa___windows_powersploit_gpp_discovery.yml
67 lines (67 loc) · 2.6 KB
/
ssa___windows_powersploit_gpp_discovery.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: Windows PowerSploit GPP Discovery
id: fdef746e-71fb-41ce-8ab2-b4a5a6b50ca2
version: 4
date: '2023-05-02'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies the use of the Get-GPPPassword PowerShell commandlet employed to search for unsecured credentials Group Policy Preferences (GPP).
GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.
These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).
While Microsoft released a patch that impedes Administrators to create unsecure credentials, existing Group Policy Preferences files with passwords are not removed from SYSVOL.
data_source:
- Powershell 4104
search:
selection1:
process.cmd_line|re: 'get-gpppassword'
condition: selection1
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Unknown
references:
- https://attack.mitre.org/techniques/T1552/006/
- https://pentestlab.blog/2017/03/20/group-policy-preferences/
- https://adsecurity.org/?p=2288
- https://www.hackingarticles.in/credential-dumping-group-policy-preferences-gpp/
- https://adsecurity.org/?p=2288
- https://support.microsoft.com/en-us/topic/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevation-of-privilege-may-13-2014-60734e15-af79-26ca-ea53-8cd617073c30
tags:
analytic_story:
- Active Directory Privilege Escalation
asset_type: Endpoint
confidence: 80
impact: 70
message: Commandlets leveraged to discover GPP credentials were executed on $Computer$
mitre_attack_id:
- T1552
- T1552.006
observable:
- name: Computer
type: Hostname
role:
- Victim
- name: UserID
type: User
role:
- Victim
product:
- Splunk Behavioral Analytics
required_fields:
- _time
- EventCode
- ScriptBlockText
- Opcode
- Computer
- UserID
kill_chain_phases:
- Exploitation
risk_score: 56
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.006/powershell_gpp_discovery/win-powershell.log
source: XmlWinEventLog
sourcetype: XmlWinEventLog
update_timestamp: true