8. GroupsXML
The GroupsXML module reports critical security issues related to decryptable passwords in group policy files that are readable by anyone within a Windows domain.
8.1. References
8.2. Samples
Aug 28 11:07:24 System32.local.net/10.2.0.7
THOR: Warning: MODULE: GroupsXML
MESSAGE: Found decryptable password in Groups.xml
FILE: D:\SYSVOL_DFSR\sysvol\win55.local.net\Policies\{FFABF4BC-8A98-4B3F-AD7D-D65A5F4C26C1}\Machine\Preferences\Groups\Groups.xml
USER: Administrator (built-in)
PASSWORD: win***removed***
SCORE: 75
8.3. Typical False Positives
Old groups.xml files in backup locations that are not active anymore
8.4. Attribute Evaluation
| Attribute | Question | Answer | Indication | Weight |
|---|---|---|---|---|
| PASSWORD | Does the password start with 3 digits that could indicate a password that is easy to guess? (e.g. | Yes | Bad | Medium |
| USER | Is the user name a default user account that attackers could easily use without attracting attention? (e.g. Administrator, Admin) | Yes | Bad | Medium |
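The following is an added example, not THOR's implementation: a small audit script that finds Groups.xml files still carrying a stored password (Group Policy Preferences keep it in the `cpassword` attribute) and applies the USER question from the table plus the backup-location false positive from 8.3. The default-account list, the backup path markers and the sample XML are assumptions constructed for illustration; the script does not decrypt anything, so the PASSWORD question is left to the THOR report.

```python
import os
import xml.etree.ElementTree as ET

# Assumptions (not from THOR): which names count as default accounts and
# which path fragments suggest an inactive backup copy.
DEFAULT_USERS = {"administrator", "admin"}
BACKUP_MARKERS = ("backup", "archive", ".bak", ".old")

# Constructed, simplified Groups.xml; the cpassword values are placeholders.
SAMPLE_GROUPS_XML = b"""<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"
                userName="Administrator (built-in)"/>
  </User>
  <User name="svc-print">
    <Properties action="U" cpassword="" userName="svc-print"/>
  </User>
</Groups>"""


def find_gpp_passwords(xml_data, path="<memory>"):
    """Return one finding per element with a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_data).iter():
        if not elem.get("cpassword"):
            continue  # attribute absent or emptied: nothing stored
        user = elem.get("userName", "")
        base = user.split("(")[0].strip().lower()  # drop "(built-in)"
        findings.append({
            "file": path,
            "user": user,
            "default_user": base in DEFAULT_USERS,
            "likely_backup": any(m in path.lower() for m in BACKUP_MARKERS),
        })  # the stored value itself is deliberately not reported
    return findings


def scan_tree(root_dir):
    """Walk root_dir and check every file named Groups.xml (any case)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() != "groups.xml":
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    findings.extend(find_gpp_passwords(fh.read(), full))
            except (OSError, ET.ParseError):
                continue  # unreadable or malformed file: skip it
    return findings
```

A finding with `likely_backup` set still deserves a look: an inactive copy is a false positive for the policy itself, but the file may hold a password that is still in use.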