// notes/ Active Directory
🏛️
Post Compromise Attacks Gpp Cpassword Attacks
Group policy preferences (GPP) allowed Administrators to create policies using embedded credentials. These credentials were encrypted and placed in a "cPassword". The encryption k…
#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-attacks_gpp-cpassword-attacks ↗GPP / cPassword Attacks
Overview
Group policy preferences (GPP) allowed Administrators to create policies using embedded credentials. These credentials were encrypted and placed in a "cPassword". The encryption key was released by accident so the all the passwords are decryptable.
<figure><img src="/files/WQnVEUWiEBXBVZxLFbNK" alt=""><figcaption><p>Hack the Box machine <em>Querier</em></p></figcaption></figure> <figure><img src="/files/LhZOzoOlcq0lj8SpIsDQ" alt=""><figcaption><p>Hack the Box machine <em>Querier</em></p></figcaption></figure>Check with PowerUp.ps1
powerquery
01. .\PowerUp.ps102Invoke-AllCheckGPP Attack via Metasploit
bash
$use auxiliary/scanner/smb/smb_enum_gpp Mitigation
- Be up to date on patching
- Delete old GPP xml files inside the SYSVOL