Overview
Attackers may attempt to locate group policy preference (GPP) files within SYSVOL. Attackers often target these files to identify hardcoded username and password values and accounts configured for automated login. You can use Blumira's honeyfile creation scriptto create honey files used with file auditing to detect malicious actors who are using tools like CrackMapExec, Impacket, and Netexec.
Before you begin
To ensure that Blumira can receive logs for detections, you must first do the following:
- Integrate Blumira with your Windows machines by completing the steps in Automating Windows log collection with Poshim or by deploying Blumira Agenton your Windows endpoints.
- Deploy our Logmira Group Policy Template to ensure auditing of Sysvol file shares is set up.
Running the script
After downloading the HoneyFile Creation Script, run it from an administrative PowerShell command prompt with a user account that has privileges to create files in your SYSVOL share. If you have a multi-domain forest, you must run this once for each domain within your forest.
Related finding
The “SYSVOL Enumeration of Saved Credentials” detection rule looks for this attack in your environment, and it automatically deploys to supported accounts in a default-disabled state. To use this detection rule, ensure that you enable it in the Detection Rules page.
This detection is considered a Priority 1 Suspect for two reasons:
- If the canary file is present, that indicates a user has purposefully placed it there and has enabled the detection.
- Blumira would only trigger a false positive for this detection if a backup solution or another software was scanning the file remotely. Adding detection filters can remediate any false positives.