Groups.xml Password Decrypt
Credential Dumping (T1003) - MITRE ATT&CK

Before the MS14-025 patch (May 2014), on Windows Server 2008 through Windows Server 2012 R2, administrators could use Group Policy Preferences to set a password for a local user account, a mapped drive, a service, a scheduled task or a data source. Each such password was written into the preference's XML file under SYSVOL, for example \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml for local user accounts and Drives.xml for drive mappings, as the 'cpassword' attribute. SYSVOL is readable by every authenticated domain user. The value is AES-256-CBC ciphertext, but the 32-byte key is the same in every domain and is published in Microsoft's MS-GPPREF documentation, so anyone who can read the file can decrypt the password with widely available tools such as gpp-decrypt or PowerSploit's Get-GPPPassword. Because these passwords are typically for local administrator accounts pushed to many machines, this leads to privilege escalation within the domain. MS14-025 removes the ability to store new passwords through Group Policy Preferences, but it does not delete cpassword values that already exist in SYSVOL: every preference created before the patch remains readable and decryptable afterwards, so it must be removed (or recreated without a stored password) and the affected passwords changed.