Quick Links

Deploying Blumira HoneyFiles to detect SYSVOL exploits

Overview

Attackers may attempt to locate group policy preference (GPP) files within SYSVOL. Attackers often target these files to identify hardcoded username and password values and accounts configured for automated login. You can use Blumira's honeyfile creation scriptto create honey files used with file auditing to detect malicious actors who are using tools like CrackMapExec, Impacket, and Netexec.

Reference: See How To Detect SYSVOL Enumeration Exploits for more details.

Before you begin

To ensure that Blumira can receive logs for detections, you must first do the following:

Running the script

Caution: Some NGAV or EDR tools can cause host isolation when you run a PowerShell script. Allowlist the scripts or temporarily place the host into a bypass mode to run the script and avoid potential host isolation occurrences.

After downloading the HoneyFile Creation Script, run it from an administrative PowerShell command prompt with a user account that has privileges to create files in your SYSVOL share. If you have a multi-domain forest, you must run this once for each domain within your forest.

Related finding

The “SYSVOL Enumeration of Saved Credentials” detection rule looks for this attack in your environment, and it automatically deploys to supported accounts in a default-disabled state. To use this detection rule, ensure that you enable it in the Detection Rules page.

This detection is considered a Priority 1 Suspect for two reasons:

  • If the canary file is present, that indicates a user has purposefully placed it there and has enabled the detection.
  • Blumira would only trigger a false positive for this detection if a backup solution or another software was scanning the file remotely. Adding detection filters can remediate any false positives.