8. GroupsXML

The GroupsXML module reports critical security issues related to decryptable passwords in Group Policy files (Groups.xml), which are readable by anyone within a Windows domain.

8.1. References

8.2. Samples

Aug 28 11:07:24 System32.local.net/10.2.0.7
THOR: Warning: MODULE: GroupsXML
MESSAGE: Found decryptable password in Groups.xml
FILE: D:\SYSVOL_DFSR\sysvol\win55.local.net\Policies\{FFABF4BC-8A98-4B3F-AD7D-D65A5F4C26C1}\Machine\Preferences\Groups\Groups.xml
USER: Administrator (built-in)
PASSWORD: win***removed***
SCORE: 75

8.3. Typical False Positives

  • Old groups.xml files in backup locations that are no longer active

8.4. Attribute Evaluation

| Attribute | Question | Answer | Indication | Weight |
|-----------|----------|--------|------------|--------|
| PASSWORD | Does the password start with three characters that suggest an easy-to-guess password? (e.g. pas*******, win******, Def*****) | Yes | Bad | Medium |
| USER | Is the user name a default user account that attackers could use without attracting attention? (e.g. Administrator, Admin) | Yes | Bad | Medium |
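The following is an added example, not THOR's own code: it locates Groups.xml entries that carry a cpassword attribute (the presence of the attribute is the finding; nothing is decrypted) and applies the two attribute checks from the table above to the fields of a finding like the sample log. The Groups.xml content is a constructed, simplified sample with a placeholder cpassword value, and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified Groups.xml modelled on the GPP layout; the cpassword
# value is a placeholder, not a real encrypted blob.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="PLACEHOLDER_CPASSWORD_BLOB"
                userName="Administrator (built-in)" acctDisabled="0"/>
  </User>
  <User name="svc_backup">
    <Properties action="C" userName="svc_backup" acctDisabled="0"/>
  </User>
</Groups>
"""

# Prefixes from the attribute table (pas***, win***, Def***), matched case-insensitively.
WEAK_PREFIXES = ("pas", "win", "def")
# Default accounts named in the attribute table.
DEFAULT_ACCOUNTS = ("administrator", "admin")


def find_cpassword_users(xml_text):
    """Return the userName of every Properties element that carries cpassword."""
    root = ET.fromstring(xml_text)
    return [props.get("userName", "")
            for props in root.iter("Properties")
            if "cpassword" in props.attrib]


def evaluate_attributes(user, password_display):
    """Return the attributes that answer 'Yes' (indication Bad, weight Medium).

    password_display may be the masked form from the log (e.g. 'win***removed***'),
    because only its first three characters are inspected.
    """
    flagged = []
    if password_display[:3].lower() in WEAK_PREFIXES:
        flagged.append("PASSWORD")
    # 'Administrator (built-in)' -> 'administrator'; empty user name is ignored
    if (user.split() or [""])[0].lower() in DEFAULT_ACCOUNTS:
        flagged.append("USER")
    return flagged


def report(path, xml_text, password_display):
    """Build one finding per cpassword entry, mirroring the fields of the sample log."""
    return [{"FILE": path, "USER": u, "PASSWORD": password_display,
             "INDICATIONS": evaluate_attributes(u, password_display)}
            for u in find_cpassword_users(xml_text)]


if __name__ == "__main__":
    for finding in report("Groups.xml", SAMPLE_GROUPS_XML, "win***removed***"):
        print(finding)
```

Run against a real SYSVOL path, the same check flags every Groups.xml that still embeds a cpassword, including the stale backup copies listed under typical false positives, so the FILE field should be reviewed before raising an incident.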