Overview
Attackers may attempt to locate Group Policy Preference (GPP) files within SYSVOL. These files (Groups.xml, for example) are targeted because they can contain hardcoded usernames and passwords, including the cpassword attribute whose encryption key Microsoft published, and accounts configured for automatic logon. Because every authenticated domain user can read SYSVOL, any compromised domain account can run this search. You can use Blumira's honeyfile creation script to create honey files that, combined with file auditing, detect attackers who use tools like CrackMapExec, Impacket, and NetExec to enumerate SYSVOL for these files.
Reference: See How To Detect SYSVOL Enumeration Exploits for more details.
Before you begin
To ensure that Blumira can receive logs for detections, you must first do the following:
- Integrate Blumira with your domain controllers (SYSVOL is hosted on them, so that is where the file audit events are written) by completing the steps in Automating Windows log collection with Poshim or by deploying Blumira Agent on your Windows endpoints.
- Deploy our Logmira Group Policy Template to ensure file system (Object Access) auditing of the SYSVOL share is enabled. Without that audit policy, reads of the honey file generate no Security log events for Blumira to detect.
Running the script
After downloading the HoneyFile Creation Script, run it from an elevated (administrative) PowerShell prompt using an account that can create files in the domain's SYSVOL share. SYSVOL replicates between the domain controllers of a domain but not to other domains, so in a multi-domain forest you must run the script once for each domain, with an account that has the required rights in that domain.
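The following is an added example of what a honeyfile creation script does, written for this page; it is not Blumira's HoneyFile Creation Script. It creates a decoy GPP Groups.xml under a GUID folder that belongs to no real GPO, fills it with a random value in the cpassword attribute, and places a read-audit SACL on it so that any read raises Security event 4663 on the domain controller. It assumes the RSAT ActiveDirectory module is installed, the session is elevated, and the account can write to each domain's SYSVOL and set SACLs there (for example a member of Domain Admins); the decoy account name and description are constructed.

```powershell
# Added example (not Blumira's HoneyFile Creation Script): create a decoy GPP Groups.xml in
# each domain's SYSVOL and put a read-audit SACL on it so remote reads raise event 4663.
# Assumptions: RSAT ActiveDirectory module installed, elevated session, account can write to
# each domain's SYSVOL and set SACLs there (e.g. Domain Admins in that domain).
Import-Module ActiveDirectory

function New-SysvolHoneyFile {
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,
        # Any GUID that belongs to no real GPO; nothing is linked to it, so no client reads it.
        [string]$DecoyGpoGuid = [guid]::NewGuid().ToString('B').ToUpper(),
        # Constructed decoy account name; pick something that looks worth stealing.
        [string]$DecoyUserName = 'svc_backup'
    )

    $dir  = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\$DecoyGpoGuid\Machine\Preferences\Groups"
    $path = Join-Path $dir 'Groups.xml'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Random bytes, base64-encoded, stand in for the AES-encrypted cpassword value a real
    # GPP file carries. Scanners match on the attribute name, not on its content.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $fakeCpassword = [Convert]::ToBase64String($bytes)
    $stamp = (Get-Date).AddDays(-90).ToString('yyyy-MM-dd HH:mm:ss')
    $uid   = [guid]::NewGuid().ToString('B').ToUpper()

    # clsid values follow the layout of a genuine Groups.xml so tools parse it as one.
    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="$DecoyUserName" image="2" changed="$stamp" uid="$uid">
    <Properties action="U" newName="" fullName="Backup service" description="Legacy backup account" cpassword="$fakeCpassword" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="$DecoyUserName"/>
  </User>
</Groups>
"@
    Set-Content -Path $path -Value $xml -Encoding UTF8

    # SACL: audit successful ReadData by Everyone. Events are only written if the
    # "Audit File System" subcategory is enabled on the domain controllers.
    $acl      = Get-Acl -Path $path -Audit
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $rule     = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.AuditFlags]::Success
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $path
}

# SYSVOL replicates within a domain but not across domains, so create one file per domain.
foreach ($domain in (Get-ADForest).Domains) {
    $created = New-SysvolHoneyFile -DomainDnsName $domain
    Write-Output "Honey file created with read auditing: $created"
}
```

Keep the GUID the script prints for each domain; the audit events on the domain controller record the file's local path (C:\Windows\SYSVOL\...), not the UNC path the attacker used, so the GUID folder is the reliable thing to match on when building or tuning a detection.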
Related finding
Blumira provides a detection called "SYSVOL Enumeration of Saved Credentials" that looks for this attack in your environment. It is automatically deployed to supported accounts in a disabled state; to use it, enable it in Settings > Detection Rules.
This detection is considered a Priority 1 Suspect for two reasons:
- If the canary file is present, an administrator purposefully placed it there and enabled the detection, so there is no legitimate reason for a user to read it.
- The only expected false positives come from a backup solution, antivirus scanner, or other software that reads the file remotely. Adding detection filters for those service accounts suppresses them.
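Before enabling the rule, it is worth confirming on a domain controller that a remote read of the honey file actually produces an audit event, and seeing what an allow-list for a backup account looks like. The following is an added example written for this page, not part of Blumira's detection: it pulls 4663 events from the domain controller's Security log, keeps only those for the decoy GUID folder, and drops accounts on an allow-list. It assumes it runs on a domain controller (or with remote Security-log read rights via -ComputerName), that the decoy GPO GUID from the creation step is known, and that the account names in the allow-list are constructed placeholders.

```powershell
# Added example (not part of Blumira's detection): confirm the honey file raises 4663 on the
# domain controller and filter out known scanners such as a backup service account.
# Assumptions: run on a DC or with remote Security-log read rights; the decoy GUID is the one
# printed when the honey file was created; 'svc_veeam' is a constructed placeholder account.
function Get-HoneyFileReads {
    param(
        [Parameter(Mandatory)][string]$DecoyGpoGuid,
        [string]$DomainController = $env:COMPUTERNAME,
        [string[]]$AllowedAccounts = @('svc_veeam'),   # backup/AV accounts that scan SYSVOL
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # 4663 records an access to an audited object. ObjectName is the DC's local path
    # (C:\Windows\SYSVOL\...), not the UNC path the client used, so match on the GUID folder.
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -notlike "*\$DecoyGpoGuid\*Groups.xml") { continue }
        if ($AllowedAccounts -contains $data.SubjectUserName) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId = $data.SubjectLogonId   # join to the 4624 with this logon ID for source IP and logon type
            Process = $data.ProcessName      # SMB-served reads are attributed to the server, not the client tool
            Object  = $data.ObjectName
        }
    }
}

# Trigger a read from a member workstation first, for example:
#   Get-Content "\\corp.example\SYSVOL\corp.example\Policies\{DECOY-GUID}\Machine\Preferences\Groups\Groups.xml"
# then on the domain controller:
Get-HoneyFileReads -DecoyGpoGuid '{DECOY-GUID}' | Format-Table -AutoSize
```

If the test read from the workstation does not appear, check that the Object Access / File System audit subcategory is enabled on the domain controller and that the SACL is present on the file (Get-Acl -Audit) before assuming the detection rule is at fault. Accounts that show up repeatedly and legitimately (backup, antivirus) are the ones to add to the detection filters.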