AD-GPP-CPASSWORDCredential Access

GPP cpassword Recovery (MS14-025)

Decrypt cpassword from Groups.xml / ScheduledTasks.xml in SYSVOL using the published AES key.

§ Where this technique fits

AD-GPP-CPASSWORD is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

Group Policy Preferences cpassword → user takeover
Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.
step 3 / 5

§ What commonly comes next

01
Valid Accounts
T1078 · Initial Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Group Policy Preferences cpassword → user takeover

§ What commonly comes next