# GPP Attack

### Overview

**Group Policy Preferences (GPP) / cpassword attacks** exploit a legacy design flaw in Microsoft Active Directory where **credentials were stored using reversible encryption** inside Group Policy Preference XML files.

These XML files (e.g., `Groups.xml`, `Services.xml`, `ScheduledTasks.xml`) were stored in the **SYSVOL share**, which is **readable by all authenticated domain users**. Although Microsoft removed the ability to create new policies containing passwords in 2014, **existing policies may still persist** in many environments.

Because the AES key used to protect the `cpassword` value is **publicly known**, any domain user who can read SYSVOL can **decrypt and recover plaintext credentials**.

### Attack Prerequisites

1. **Any authenticated domain account**
2. **Read access to SYSVOL** (default for domain users)
3. Presence of **legacy GPP XML files** containing `cpassword`

### Steps

1. **Enumerate SYSVOL:**

* Browse Group Policy folders stored in SYSVOL.
* Look for XML files related to Group Policy Preferences.

2. **Identify `cpassword` entries**

* Certain preference files may contain a `cpassword` field representing an encrypted password.

3. **Decrypt the password**

```bash
# Pass the cpassword attribute value copied from the XML file
gpp-decrypt <cpassword value>
```

### Defences

1. Remove all GPP passwords: delete every preference item that still carries a `cpassword` from SYSVOL.
2. Rotate exposed credentials: treat any account whose password was stored this way as compromised.
3. Prefer gMSA/LAPS for managed service and local administrator credentials.
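The audit that defence 1 depends on is the same enumeration attackers do in steps 1 and 2: walk SYSVOL and flag every preference item whose `cpassword` is non-empty. Below is an added example (not code from the original page) that does this in Python; the SYSVOL layout it scans is constructed in a temporary directory, and the GPO GUID and cpassword value are placeholders.

```python
# Added example (not from the original page): audit a SYSVOL tree for legacy
# GPP XML elements that still carry a cpassword attribute. Sample data is constructed.
import os
import tempfile
import xml.etree.ElementTree as ET

# The three files named on the page plus three more that used the same attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def find_cpassword_entries(sysvol_root):
    """Return (relative file path, preference item tag, account name, cpassword)
    for every element with a non-empty cpassword attribute under sysvol_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed file: skip it rather than abort the audit
            parents = {c: p for p in root.iter() for c in p}
            for elem in root.iter():
                cpw = elem.attrib.get("cpassword")
                if not cpw:
                    continue  # cpassword="" means no password is stored
                item = parents.get(elem, elem)  # <User>/<NTService> around <Properties>
                account = elem.attrib.get("userName") or elem.attrib.get("accountName", "")
                findings.append((os.path.relpath(path, sysvol_root), item.tag, account, cpw))
    return findings

def build_sample_sysvol():
    """Constructed sample: one GPO whose Groups.xml still has a cpassword and
    a Services.xml whose cpassword attribute is empty (already cleaned)."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(root, "corp.local", "Policies", "{CONSTRUCTED-GPO-GUID}",
                         "Machine", "Preferences")
    os.makedirs(os.path.join(prefs, "Groups"))
    os.makedirs(os.path.join(prefs, "Services"))
    with open(os.path.join(prefs, "Groups", "Groups.xml"), "w") as f:
        f.write('<Groups><User name="LocalAdmin"><Properties action="U" '
                'userName="LocalAdmin" cpassword="CONSTRUCTED+PLACEHOLDER=="/>'
                '</User></Groups>')
    with open(os.path.join(prefs, "Services", "Services.xml"), "w") as f:
        f.write('<NTServices><NTService name="Spooler"><Properties '
                'accountName="LocalSystem" cpassword=""/></NTService></NTServices>')
    return root
```

Run `find_cpassword_entries(build_sample_sysvol())` to see the one flagged `User` item; against a real environment, point it at a mounted `\\<domain>\SYSVOL\<domain>\Policies` path and feed the findings into the cleanup and rotation steps above.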
