T1552.006: T1552.006

Essential information

MITRE technique ID: T1552.006
Confidence: 100/100
Revoked: No
Published: 16/12/2025 19:38
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Group Policy Preferences

Platforms

windows

Description

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016) These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key) The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files: * Metasploit’s post exploitation module: `post/windows/gather/credentials/gpp` * Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword) * gpprefdecrypt.py On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: `dir /s * .xml`

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Related entities

APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:14
UNC5518 and UNC5774 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 16:16 · Modified 21/12/2025 16:16
Sukob uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 21/05/2026 18:46 · Modified 21/05/2026 18:46
TeamPCP uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 Published 20/03/2026 22:18 · Modified 20/03/2026 22:18
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal …

First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 04/05/2026 16:33

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics … related

AlienVault Confidence 100 19 MITREs 3 Malwares 2 IOCs 2 Observables

Published 08/06/2026 21:36 · Modified 09/06/2026 08:57 · threat-report
Laravel Lang Compromised with RCE Backdoor Across 700+ … related

19 MITREs 2 Malwares 2 Observables

Published 23/05/2026 10:56 · Modified 25/05/2026 10:51
Inside a Tor Backed Supply Chain Worm related

AlienVault Confidence 100 19 MITREs 2 Malwares 1 IOC 1 Observable 1 APT

Published 20/05/2026 13:12 · Modified 21/05/2026 16:46 · threat-report
Latest PyPi Compromise related

AlienVault Confidence 100 20 MITREs 3 Malwares 9 IOCs 9 Observables 1 APT

Published 20/05/2026 00:26 · Modified 21/05/2026 00:36 · threat-report
The Worm That Keeps on Digging: Latest Wave related

17 MITREs 1 Observable 1 APT

Published 19/05/2026 12:45 · Modified 21/05/2026 17:12
Supply Chain Poisoning via PyPI Repository Compromise related

AlienVault Confidence 100 20 MITREs 4 IOCs 4 Observables

Published 27/04/2026 13:40 · Modified 27/04/2026 14:58 · threat-report
Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets related

19 MITREs 1 Malware 2 Observables 1 APT

Published 20/03/2026 09:51 · Modified 20/03/2026 21:18

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (5)

Malware (14)

Reports (7)

Attack patterns (MITRE) (1)

Tool (2)

Course Of Action (3)