SYSVOL is a target for attackers who want to gain unauthorized access to the domain. An attacker accessing a domain is catastrophic to any organization; admins would need to go through the arduous process of rebuilding from scratch to ensure the attacker was out of the environment.
Fortunately, there are ways to detect SYSVOL exploits and stop an attack in progress.
What is SYSVOL?
System Volume (SYSVOL) is a shared folder within the hard disk of each domain controller in a domain. It contains essential components required for the proper functioning of Microsoft Active Directory, including Group Policy Objects (GPOs), scripts, and other components that allow domain controllers to share system policies with client computers.
By default, the location of SYSVOL is C:\Windows\ SYSVOL, but it can be moved to a different address when a domain controller is promoted.
Why Is SYSVOL Exploited?
SYSVOL stores information related to the GPOs, which are used to define and enforce security policies for user and computer accounts within the domain. These policies can include password requirements, such as length, complexity, and expiration intervals, which can provide attackers with valuable information to use in brute force attacks.
It can also contain scripts that are executed when a user logs in, such as login scripts that map network drives or install software. Attackers can modify these scripts to execute malicious code or create backdoors that allow them to gain persistence within the network.
Attackers may also attempt to locate GPO backup files within SYSVOL. These files contain information about the domain’s security settings and can be used by attackers to reverse engineer security policies and exploit vulnerabilities.
You can find out more about attacks involving SYSVOL here (https://adsecurity.org/?p=2362) and here (https://attack.mitre.org/techniques/T1552/006/)
How To Detect SYSVOL Exploits With a Honeyfile
To detect this directory scanning we must first create two honeyfiles in the SYSVOL directory. You can learn more about active deception in this article.
- Run the PowerShell script found in our github. This will create a the datasources.xml and registry.xml files in the “C:\Windows\SYSVOL\domain\Policies” directory.
- This allows Windows Event ID 5145 to be generated
- For your Domain Controllers, enable “Success” and “Failure” in the following Group Policy Setting.
Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy>
Access>Audit Detailed File Share
How Can Blumira Help?
Blumira has a detection called “SYSVOL Enumeration of Saved Credentials” to look for this attack in your environment, which is automatically built into its cloud-based XDR + SIEM platform.
This detection is considered a Priority 1 Suspect for two reasons:
- If the canary file is present, that indicates a user has purposefully placed it there and has enabled the detection.
- Blumira would only trigger a false positive for this detection if there was a backup solution or another software scanning the file remotely. These false positives can be remediated with adding a detection filter.
Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack.
Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Contact us to learn more about Blumira.