Correlates file enumeration of XML files in the SYSVOL share with suspicious process execution that decodes or reads encrypted credentials embedded in Group Policy Preference files (e.g., Get-GPPPassword.ps1, gpprefdecrypt.py, Metasploit). Detects abnormal access to \DOMAIN\SYSVOL combined with XML file parsing or decryption logic.

| Data Component | Name | Channel |
|---|---|---|
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Share Access (DC0102) | WinEventLog:Security | EventCode=5145 |
| Script Execution (DC0029) | WinEventLog:PowerShell | Scripts with references to XML parsing, AES decryption, or gpprefdecrypt logic |

| Field | Description |
|---|---|
| UserContext | Tune to exclude authorized admin users or domain controllers accessing SYSVOL |
| TimeWindow | Adjust for correlation timing between file access and script execution |
| KnownToolsSignature | Extend to include known GPP parsing tool names or script hashes |
| HostType | Distinguish between expected access from DCs vs. lateral movement from workstations |
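The correlation described above, written out as an added Python example that is not part of the original page: Security 5145 reads of Preferences XML files under SYSVOL are paired with Sysmon process creations whose command line matches the tool names the page lists, on the same host and user within a tunable window. The events, host names, user names and field names are constructed assumptions, and the `allowed_hosts` argument stands in for the HostType/UserContext tuning knobs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields mirror the channels in the
# table: Security EventCode=5145 (share access) and Sysmon EventCode=1 (process creation).
EVENTS = [
    {"ts": "2024-01-10T09:00:05", "code": 5145, "host": "WS01", "user": "CORP\\jdoe",
     "share": "\\\\*\\SYSVOL",
     "target": "corp.local\\Policies\\{GUID}\\Machine\\Preferences\\Groups\\Groups.xml"},
    {"ts": "2024-01-10T09:00:40", "code": 1, "host": "WS01", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -ep bypass -File C:\\Temp\\Get-GPPPassword.ps1"},
    # Expected access from a domain controller: excluded by the HostType tuning.
    {"ts": "2024-01-10T09:05:00", "code": 5145, "host": "DC01", "user": "CORP\\svc_gpo",
     "share": "\\\\*\\SYSVOL",
     "target": "corp.local\\Policies\\{GUID}\\Machine\\Preferences\\Groups\\Groups.xml"},
    # Tool execution with no matching SYSVOL read: reported separately, lower fidelity.
    {"ts": "2024-01-10T11:00:00", "code": 1, "host": "WS02", "user": "CORP\\asmith",
     "cmdline": "python.exe gpprefdecrypt.py"},
]

# Preferences XML under a GPO (Groups.xml, Services.xml, ...), case-insensitive.
GPP_XML = re.compile(r"\\Preferences\\.*\.xml$", re.IGNORECASE)
# KnownToolsSignature: only the names given on the page; extend with hashes as needed.
TOOL_SIG = re.compile(r"Get-GPPPassword|gpprefdecrypt", re.IGNORECASE)


def correlate(events, window=timedelta(minutes=10), allowed_hosts=("DC01",)):
    """Return (alerts, tool_only): alerts pair a SYSVOL Preferences XML read with a
    decoding-tool execution by the same host and user within `window` after the read;
    tool_only lists tool executions that had no matching read (weaker signal)."""
    ts = lambda e: datetime.fromisoformat(e["ts"])
    reads = [e for e in events if e["code"] == 5145
             and e["share"].upper().endswith("SYSVOL")
             and GPP_XML.search(e["target"]) and e["host"] not in allowed_hosts]
    execs = [e for e in events if e["code"] == 1 and TOOL_SIG.search(e.get("cmdline", ""))]
    alerts, matched = [], set()
    for r in reads:
        for i, x in enumerate(execs):
            same_actor = (r["host"], r["user"]) == (x["host"], x["user"])
            if same_actor and timedelta(0) <= ts(x) - ts(r) <= window:
                alerts.append({"host": r["host"], "user": r["user"],
                               "file": r["target"], "cmdline": x["cmdline"]})
                matched.add(i)
    tool_only = [x for i, x in enumerate(execs) if i not in matched]
    return alerts, tool_only


if __name__ == "__main__":
    hits, weak = correlate(EVENTS)
    print("correlated:", hits)
    print("tool execution without SYSVOL read:", [x["host"] for x in weak])
```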