
DET0381 Detect Access and Decryption of Group Policy Preference (GPP) Credentials in SYSVOL

ID             DET0381
Version        1.0
Created        21 October 2025
Last Modified  21 October 2025

Technique Detected: T1552.006 (Group Policy Preferences)

Analytics

Windows

AN1075

Correlates enumeration and reads of Group Policy Preference XML files in the SYSVOL share (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml under \\DOMAIN\SYSVOL\<domain>\Policies\{GUID}\...\Preferences\) with process or script execution that parses those files or decrypts the cpassword attribute they carry (e.g., Get-GPPPassword.ps1, gpprefdecrypt.py, the Metasploit GPP credential post module). Detects abnormal access to \\DOMAIN\SYSVOL, in particular reads from workstations rather than domain controllers, combined with XML parsing or AES decryption logic. The cpassword value is AES-256 encrypted with a key that Microsoft published, so any preference XML still present in SYSVOL is effectively plaintext once read; MS14-025 stopped new passwords from being written but did not remove existing files, which is why share reads of these XML files remain the primary signal.

Log Sources
Data Component                    Channel
File Creation (DC0039)            WinEventLog:Sysmon EventCode=11
Process Creation (DC0032)         WinEventLog:Sysmon EventCode=1
Network Share Access (DC0102)     WinEventLog:Security EventCode=5145
Script Execution (DC0029)         WinEventLog:PowerShell (script blocks referencing XML parsing, AES decryption, or gpprefdecrypt logic)

Event 5145 is generated on the domain controller that serves the SYSVOL share, not on the client, and requires the "Audit Detailed File Share" subcategory; its RelativeTargetName field carries the path of the XML file read and its Source Address field identifies the reading host. The Script Execution source depends on PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) being enabled. Sysmon EventCode=11 will not record reads of SYSVOL; it catches the tooling or its output being written to disk on the client.
Mutable Elements
Field                 Description
UserContext           Tune to exclude authorized admin users or domain controllers accessing SYSVOL
TimeWindow            Adjust for correlation timing between file access and script execution
KnownToolsSignature   Extend to include known GPP parsing tool names or script hashes
HostType              Distinguish between expected access from DCs vs. lateral movement from workstations
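The correlation the analytic describes, with the four mutable elements applied, as an added example that is not part of the DET0381 page or of any tool it names. Event records are simplified dicts; the field names (ts, user, src, share, target, cmdline, script), the exclusion lists and every sample event are constructed. The 5145 records are keyed on the account and the client machine ("src"), since the event itself is logged on the domain controller hosting the share.

```python
"""Correlation logic for AN1075: SYSVOL GPP XML reads + decryption activity.

Added example, not code from MITRE ATT&CK or any tool named on the page.
Event records are simplified dicts; the field names and all sample events
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Mutable elements from the analytic, set to example values (assumptions)
TIME_WINDOW_SECONDS = 600                              # TimeWindow
AUTHORIZED_USERS = {"CORP\\gpo-svc"}                   # UserContext
DOMAIN_CONTROLLERS = {"DC01", "DC02"}                  # HostType
KNOWN_TOOLS = re.compile(                              # KnownToolsSignature
    r"get-gpppassword|gpprefdecrypt|gpp_autologin|post/windows/gather/credentials/gpp", re.I)

# Decryption hints: the cpassword attribute, the .NET AES class, or the
# publicly documented GPP AES key that the decoders hard-code
DECRYPT_HINTS = re.compile(
    r"cpassword|AesCryptoServiceProvider|"
    r"4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b", re.I)

# A preference XML under a policy GUID in SYSVOL, e.g. ...\Preferences\Groups\Groups.xml
GPP_XML = re.compile(r"\\Policies\\\{[0-9A-F-]+\}\\(Machine|User)\\Preferences\\.*\.xml$", re.I)


def is_gpp_xml_access(ev):
    """Security 5145: a share read of a GPP preference XML in SYSVOL."""
    return (ev["event_id"] == 5145 and "SYSVOL" in ev["share"].upper()
            and GPP_XML.search(ev["target"]) is not None)


def is_decrypt_activity(ev):
    """Sysmon 1 (process) or PowerShell 4104 (script block) that decodes GPP data."""
    if ev["event_id"] == 1:
        return KNOWN_TOOLS.search(ev["cmdline"]) is not None
    if ev["event_id"] == 4104:
        return (KNOWN_TOOLS.search(ev["script"]) is not None
                or DECRYPT_HINTS.search(ev["script"]) is not None)
    return False


def correlate(events, window_seconds=TIME_WINDOW_SECONDS):
    """One alert per decryption event with GPP XML reads by the same account
    within the window (either order). A known tool name alerts on its own,
    because the 5145 may land on a DC whose logs are not yet collected."""
    window = timedelta(seconds=window_seconds)
    reads, decrypts = defaultdict(list), []
    for ev in events:
        if ev["user"] in AUTHORIZED_USERS or ev["src"] in DOMAIN_CONTROLLERS:
            continue  # UserContext / HostType exclusions
        t = datetime.fromisoformat(ev["ts"])
        if is_gpp_xml_access(ev):
            reads[ev["user"]].append((t, ev["target"]))
        elif is_decrypt_activity(ev):
            decrypts.append((t, ev))
    alerts = []
    for t, ev in decrypts:
        files = sorted(f for rt, f in reads[ev["user"]] if abs(t - rt) <= window)
        known = KNOWN_TOOLS.search(ev.get("cmdline", "") + ev.get("script", "")) is not None
        if files or known:
            alerts.append({"user": ev["user"], "src": ev["src"], "event_id": ev["event_id"],
                           "files": files, "known_tool": known})
    return alerts


POLICY = "corp.local\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\Machine\\Preferences\\"
SAMPLE_EVENTS = [  # constructed sample telemetry
    # jdoe reads two preference XML files through SYSVOL from workstation WS042 (logged on DC01)
    {"ts": "2025-10-21T09:00:01", "event_id": 5145, "host": "DC01", "user": "CORP\\jdoe",
     "src": "WS042", "share": "\\\\*\\SYSVOL", "target": POLICY + "Groups\\Groups.xml"},
    {"ts": "2025-10-21T09:00:02", "event_id": 5145, "host": "DC01", "user": "CORP\\jdoe",
     "src": "WS042", "share": "\\\\*\\SYSVOL", "target": POLICY + "ScheduledTasks\\ScheduledTasks.xml"},
    # 40 s later a script block on WS042 pulls cpassword and sets up AES
    {"ts": "2025-10-21T09:00:41", "event_id": 4104, "host": "WS042", "user": "CORP\\jdoe", "src": "WS042",
     "script": "$x=[xml](Get-Content $f); $c=$x.Groups.User.Properties.cpassword; "
               "$aes=New-Object System.Security.Cryptography.AesCryptoServiceProvider"},
    # GPO service account reading from a DC: both exclusions apply, no alert
    {"ts": "2025-10-21T09:05:00", "event_id": 5145, "host": "DC02", "user": "CORP\\gpo-svc",
     "src": "DC01", "share": "\\\\*\\SYSVOL", "target": POLICY + "Services\\Services.xml"},
    # known tool name in a command line with no matching 5145 collected yet: still alerts
    {"ts": "2025-10-21T11:30:00", "event_id": 1, "host": "WS017", "user": "CORP\\asmith", "src": "WS017",
     "cmdline": "powershell.exe -ep bypass -c \"IEX (gc .\\Get-GPPPassword.ps1 -Raw); Get-GPPPassword\""},
    # benign XML parsing that touches no GPP data: no alert
    {"ts": "2025-10-21T12:00:00", "event_id": 4104, "host": "WS100", "user": "CORP\\bwong", "src": "WS100",
     "script": "[xml]$cfg = Get-Content app.config; $cfg.configuration.appSettings"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Tightening TimeWindow to 10 seconds drops the jdoe alert (the script block fires 40 s after the reads) while the asmith alert survives on the KnownToolsSignature match alone, which is the trade-off the two mutable elements encode.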