What starting position does this attack require?

The first step is Authenticate as recovered account (T1078) — a initial access primitive. Assumed environment: at least one GPP file (Groups.

What is the final impact of this kill-chain?

The final step lands on Hunt SYSVOL for cpassword (AD-NETEXEC), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

Group Policy Preferences cpassword → user takeover

Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate as recovered account

T1078 · Valid Accounts

Initial Access

Any authenticated user

T1078 · Valid Accounts

Discovery

Map account's access via BloodHound

AD-BLOODHOUND · BloodHound / SharpHound Enumeration

Credential Access

AES-decrypt with published key

AD-GPP-CPASSWORD · GPP cpassword Recovery (MS14-025)

Discovery

Hunt SYSVOL for cpassword

AD-NETEXEC · NetExec / CrackMapExec Sweep

Get-GPPPassword / nxc smb -M gpp_password

§ Context

Assumed environment: at least one GPP file (Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml) in SYSVOL contains a non-empty cpassword field.

§ Steps

01
Authenticate as recovered accountInitial Access
T1078— Valid Accounts
02
Any authenticated userInitial Access
T1078— Valid Accounts
03
Map account's access via BloodHoundDiscovery
AD-BLOODHOUND— BloodHound / SharpHound Enumeration
04
AES-decrypt with published keyCredential Access
AD-GPP-CPASSWORD— GPP cpassword Recovery (MS14-025)
05
Hunt SYSVOL for cpasswordDiscovery
AD-NETEXEC— NetExec / CrackMapExec Sweep
Get-GPPPassword / nxc smb -M gpp_password

§ References

T1078Valid Accounts

§ Frequently asked

What is the "Group Policy Preferences cpassword → user takeover" attack path?: Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate as recovered account (T1078) — a initial access primitive. Assumed environment: at least one GPP file (Groups.
What is the final impact of this kill-chain?: The final step lands on Hunt SYSVOL for cpassword (AD-NETEXEC), which falls under Discovery. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Group Policy Preferences cpassword → user takeover

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Leaked legacy VPN credential → ransomware (Colonial-class)

Citrix Bleed → steal authenticated session → MFA bypass

WriteDACL on a privileged user → ForceChangePassword → takeover

GenericWrite on Domain Admins → AddMember → DA

GPO write rights → Immediate scheduled task → SYSTEM on OU

Unconstrained delegation → Capture DC TGT → DCSync