GPP / cPassword Attacks

Overview

Group policy preferences (GPP) allowed Administrators to create policies using embedded credentials. These credentials were encrypted and placed in a "cPassword". The encryption key was released by accident so the all the passwords are decryptable.

Check with PowerUp.ps1

. .\PowerUp.ps1
Invoke-AllCheck

GPP Attack via Metasploit

use auxiliary/scanner/smb/smb_enum_gpp

Mitigation

Be up to date on patching
Delete old GPP xml files inside the SYSVOL

PreviousLNK File Attacks NextMimikatz

Last updated 10 months ago

Was this helpful?