Group Policy Preferences

Many organizations over the past few years have used Windows 2008 Group Policy Preferences to enforce local password changes for the purposes of management and image deployment. However, any authenticated domain user (and this includes MACHINE$ accounts) can extract this deployment information from the SYSVOL of relevant domain controllers. Many thought this wasn’t an issue, as the passwords are encrypted using AES 256, until people widely realized that the key is static, and Microsoft actually published it. This allows any authenticated domain user to decrypt these passwords as well. There’s a more in-depth article titled “Exploiting Windows 2008 Group Policy Preferences”.

@obscuresec later ported this logic into PowerShell, and published a post on the module. Get-GPPPassword will automate the retrieval and decryption for you, and is implemented in the PowerSploit repository. The Empire privesc/gpp module wraps this all up for running through an Empire agent.

It is also important to note that while Microsoft did release a patch for GPP, the patch only prevents new preferences files from being created. Existing files vulnerable to GPP decryption are not retroactively removed.
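
Because the patch leaves existing files in place, cleanup starts with finding them. The following audit sketch is an added example, not code from the original post or from PowerSploit: the function name `Find-GppCpassword` is hypothetical, and the sample `Groups.xml` is constructed with a placeholder value so the script runs offline. It reports where a non-empty `cpassword` attribute remains and decrypts nothing.

```powershell
# Added example: report GPP XML files under a SYSVOL path that still carry a
# non-empty cpassword attribute. It lists locations only and decrypts nothing.
function Find-GppCpassword {                     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.Load($file.FullName)
        } catch {
            Write-Warning "Skipping unparsable file: $($file.FullName)"
            return                               # move on to the next file
        }
        # Match any element with a cpassword attribute, whatever the preference type.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $value = $node.GetAttribute('cpassword')
            if ([string]::IsNullOrWhiteSpace($value)) { continue }   # empty: nothing stored
            $parent = $node.ParentNode
            [pscustomobject]@{
                File      = $file.FullName
                UserName  = $node.GetAttribute('userName')
                Changed   = if ($parent -is [System.Xml.XmlElement]) { $parent.GetAttribute('changed') }
                LastWrite = $file.LastWriteTimeUtc
            }
        }
    }
}

# Constructed sample tree (placeholder value, not a real cpassword).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample'
$dir  = Join-Path $root 'Policies\{CONSTRUCTED-GUID}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin (constructed)" changed="2014-01-01 00:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" userName="LocalAdmin" />
  </User>
  <User name="Cleared (constructed)" changed="2015-01-01 00:00:00">
    <Properties action="U" cpassword="" userName="Cleared" />
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Encoding UTF8

# Only the first entry is reported; the empty attribute is skipped.
Find-GppCpassword -Path $root | Format-List
```

Against a real domain, point `-Path` at `\\<domain>\SYSVOL\<domain>\Policies`. Treat every password found this way as exposed: change it on the affected systems and remove the preference item.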