Deploying Blumira HoneyFiles to detect SYSVOL exploits

Overview

Attackers may attempt to locate Group Policy Preferences (GPP) files within SYSVOL. These files are a common target because they can contain hardcoded usernames and passwords, as well as accounts configured for automated logon. You can use Blumira's honeyfile creation script to create honeyfiles that, combined with file auditing, detect malicious actors who are using tools like CrackMapExec, Impacket, and NetExec to enumerate SYSVOL.

Reference: See How To Detect SYSVOL Enumeration Exploits for more details.

Before you begin

To ensure that Blumira can receive logs for detections, you must first do the following:

Running the script

After downloading the HoneyFile Creation Script, run it from an administrative PowerShell command prompt with a user account that has privileges to create files in your SYSVOL share. If you have a multi-domain forest, you must run this once for each domain within your forest.
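As an added illustration (not Blumira's script), the PowerShell below creates a decoy Groups.xml under a SYSVOL policy folder and attaches an audit entry (SACL) so that any read of the file is recorded as Security event 4663 on the domain controller; it goes beyond the single-domain case above by looping over every domain in the forest. The GUID, account name and cpassword value are constructed placeholders, and it assumes the ActiveDirectory module is available and that the "File System" audit subcategory is enabled by policy on your domain controllers.

```powershell
# Added example, not Blumira's HoneyFile Creation Script.
# Assumptions: run as a Domain Admin on a DC, RSAT ActiveDirectory module present,
# and object-access auditing for "File System" enabled on DCs, e.g. via
#   auditpol /set /subcategory:"File System" /success:enable
Import-Module ActiveDirectory

function New-SysvolHoneyFile {
    param([Parameter(Mandatory)][string]$DomainDnsName)

    # Constructed GUID so the decoy sits in what looks like an ordinary GPO folder.
    $gpoGuid = "{" + ([guid]::NewGuid().ToString().ToUpper()) + "}"
    $dir  = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\$gpoGuid\Machine\Preferences\Groups"
    $file = Join-Path $dir "Groups.xml"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Decoy content shaped like a GPP local-user item (the clsid values are the ones
    # GPP uses for Groups.xml). The cpassword is a placeholder and decrypts to nothing.
    @"
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2023-01-01 00:00:00" uid="$gpoGuid">
    <Properties action="U" newName="" fullName="" description="" cpassword="DECOY_PLACEHOLDER_NOT_A_REAL_VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
"@ | Set-Content -Path $file -Encoding UTF8

    # SACL: audit every successful ReadData by Everyone. Get-Acl -Audit is required
    # to read the SACL; Set-Acl writes it back (needs SeSecurityPrivilege).
    $acl  = Get-Acl -Path $file -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "ReadData", "Success")
    $acl.AddAuditRule($rule)
    Set-Acl -Path $file -AclObject $acl
    return $file
}

# Beyond the page's single-domain case: plant one decoy per domain in the forest.
foreach ($d in (Get-ADForest).Domains) {
    Write-Host "Honeyfile created: $(New-SysvolHoneyFile -DomainDnsName $d)"
}
```

Remote reads of the decoy then appear as event 4663 on the DC with the file path in ObjectName, which is the signal a detection rule or a filter for legitimate backup scanners keys on.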

Related finding

Blumira has a detection called “SYSVOL Enumeration of Saved Credentials” that looks for this attack in your environment. It is automatically deployed to supported accounts but is disabled by default. To use this detection rule, enable it in Settings > Detection Rules.

This detection is considered a Priority 1 Suspect for two reasons:

  • If the canary file is present, that indicates a user has purposefully placed it there and has enabled the detection.
  • Blumira would only trigger a false positive for this detection if a backup solution or other software was scanning the file remotely. Adding detection filters can remediate any such false positives.