Esc
Group Policy Preferences - T1552.006

(ATT&CK® Technique)
Definition

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.
D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.
        graph LR;

     T1552006["Group Policy Preferences"] --> |accesses| GroupPolicy["Group Policy"]; class T1552006 OffensiveTechniqueNode;
        class GroupPolicy ArtifactNode; click GroupPolicy href "/dao/artifact/d3f:GroupPolicy";
        click T1552006 href "/offensive-technique/attack/T1552.006/"; click GroupPolicy href "/dao/artifact/d3f:GroupPolicy";     T1552006["Group Policy Preferences"] --> |accesses| Credential["Credential"]; class T1552006 OffensiveTechniqueNode;
        class Credential ArtifactNode; click Credential href "/dao/artifact/d3f:Credential";
        click T1552006 href "/offensive-technique/attack/T1552.006/"; click Credential href "/dao/artifact/d3f:Credential";         RestoreConfiguration["Restore Configuration"] -->
          | restores | GroupPolicy["Group Policy"];

          RestoreConfiguration["Restore Configuration"] -.->
            | may-restore | T1552006["Group Policy Preferences"] ;
          class RestoreConfiguration DefensiveTechniqueNode;
          class GroupPolicy ArtifactNode;
          click RestoreConfiguration href "/technique/d3f:RestoreConfiguration";          ReissueCredential["Reissue Credential"] -->
          | restores | Credential["Credential"];

          ReissueCredential["Reissue Credential"] -.->
            | may-restore | T1552006["Group Policy Preferences"] ;
          class ReissueCredential DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click ReissueCredential href "/technique/d3f:ReissueCredential";  DecoyUserCredential["Decoy User Credential"] -->
          | spoofs | Credential["Credential"];

          DecoyUserCredential["Decoy User Credential"] -.->
            | may-deceive | T1552006["Group Policy Preferences"] ;
          class DecoyUserCredential DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -->
          | analyzes | Credential["Credential"];

          CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.->
            | may-detect | T1552006["Group Policy Preferences"] ;
          class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -->
          | deletes | Credential["Credential"];

          AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.->
            | may-evict | T1552006["Group Policy Preferences"] ;
          class AuthenticationCacheInvalidation DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialRevocation["Credential Revocation"] -->
          | deletes | Credential["Credential"];

          CredentialRevocation["Credential Revocation"] -.->
            | may-evict | T1552006["Group Policy Preferences"] ;
          class CredentialRevocation DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialRevocation href "/technique/d3f:CredentialRevocation"; CredentialRotation["Credential Rotation"] -->
          | regenerates | Credential["Credential"];

          CredentialRotation["Credential Rotation"] -.->
            | may-harden | T1552006["Group Policy Preferences"] ;
          class CredentialRotation DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialRotation href "/technique/d3f:CredentialRotation"; Multi-factorAuthentication["Multi-factor Authentication"] -->
          | uses | Credential["Credential"];

          Multi-factorAuthentication["Multi-factor Authentication"] -.->
            | may-harden | T1552006["Group Policy Preferences"] ;
          class Multi-factorAuthentication DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; CredentialTransmissionScoping["Credential Transmission Scoping"] -->
          | isolates | Credential["Credential"];

          CredentialTransmissionScoping["Credential Transmission Scoping"] -.->
            | may-isolate | T1552006["Group Policy Preferences"] ;
          class CredentialTransmissionScoping DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";                                      CredentialHardening["Credential Hardening"] -->
          | hardens | Credential["Credential"];

          CredentialHardening["Credential Hardening"] -.->
            | may-harden | T1552006["Group Policy Preferences"] ;
          class CredentialHardening DefensiveTechniqueNode;
          class Credential ArtifactNode;
          click CredentialHardening href "/technique/d3f:CredentialHardening";
json