
Insecure SYSVOL Scripts

VSR: 3
CVSS: 4.0-5.9
Risk: Medium
ID: OS-CFDB-1006

Finding MITRE ATT&CK Correlation

Name: Credentials in Files
Tactic: Credential Access
ID: T1081
Link: https://attack.mitre.org/wiki/Technique/T1081

Finding References

Finding Metadata

Finding Service(s)

Service
Internal Penetration Testing
External Penetration Testing

NIST 800-53 Control(s)

NIST
IA-2
IA-7

Finding Development

Author Name Twitter Handle Email Created Updated

Technical Information

Description

The technical overview of a finding, not meant to be all-inclusive.

The SYSVOL folder on Domain Controllers (DCs) is a domain-wide network share in Active Directory (AD) to which all authenticated domain users have read access by default. The directory contains logon scripts, Group Policy data, and other data that must be available to every user in the domain. The assessment team discovered that scripts within this share contain sensitive information that may aid an attacker in reconnaissance and lateral movement. Some of these scripts also contained clear-text credentials for other domain resources.

Impact

How a finding result will affect an organization.

An attacker who gains access to the domain environment can use these gathered credentials to attempt privilege escalation. These user credentials could enable further lateral movement or unauthorized access to other regions of the domain.

Recommendation

Current plan of action recommended.

The assessment team recommends that scripts used for administration, password changes, and authenticated share mounting be removed from SYSVOL. Automated password changes and authenticated share mounting should be accomplished through proper AD group delegation instead of embedded credentials. A thorough domain-wide audit should be conducted to identify other scripts exposing sensitive data or credentials.
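As an added example (not part of this OS-CFDB entry), a small Python audit helper for the domain-wide review recommended above: it scans script files for embedded credential literals, ignores variable references such as %SHAREPW%, and reports each hit with the value redacted so the audit output does not become another credential store. It assumes SYSVOL has been copied or mounted to a local path; the sample logon script, hostnames and credential values are constructed.

```python
import re
from pathlib import Path

# Each regex captures the literal password in a group named "secret" so the
# report can redact it instead of copying the credential into another file.
PATTERNS = {
    "net use (password before /user:)": re.compile(
        r"\bnet\s+use\b.*\s(?P<secret>[^\s\\/*]\S*)\s+/user:", re.I),
    "net use (password after /user:)": re.compile(
        r"/user:\S+\s+(?P<secret>[^\s*/]\S*)", re.I),
    "ConvertTo-SecureString literal": re.compile(
        r"ConvertTo-SecureString\s+[\"'](?P<secret>[^\"']+)[\"']", re.I),
    "password key/value": re.compile(
        r"\b(?:password|passwd|pwd)\s*[=:]\s*[\"']?(?P<secret>[^\"'\s;]+)", re.I),
}

def redact(secret: str) -> str:
    """Keep only the first character: proves the hit without reproducing the value."""
    return secret[0] + "*" * (len(secret) - 1)

def scan_text(text: str, source: str = "<inline>") -> list:
    """One finding per line that embeds a literal credential. Comment lines (rem, ::,
    ', #) are deliberately not skipped: a commented-out password is still readable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m or m.group("secret").startswith(("$", "%")):
                continue  # no hit, or a variable reference rather than a literal
            findings.append({"source": source, "line": lineno, "kind": kind,
                             "secret": redact(m.group("secret"))})
            break  # one report per line is enough
    return findings

def scan_sysvol(root: Path, suffixes=(".bat", ".cmd", ".vbs", ".ps1", ".ini", ".txt")) -> list:
    """Walk a local copy or mount of SYSVOL and scan every script-like file in it."""
    findings = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings

# Constructed sample logon script: lines 2, 5 and 6 embed literals; 3 and 4 do not.
SAMPLE_LOGON_SCRIPT = r"""@echo off
net use H: \\fileserver\home /user:CORP\svc_backup Winter2019!
net use S: \\fileserver\share %SHAREPW% /user:CORP\%USERNAME%
net use T: \\fileserver\tools /user:CORP\jdoe *
rem old line: password=Summer2018
powershell -Command "$p = ConvertTo-SecureString 'Sup3rS3cret' -AsPlainText -Force"
"""
```

Run scan_sysvol(Path(r"C:\audit\sysvol_copy")) against a mirrored copy of the share; the pattern list is a starting point and should be extended with whatever tooling the domain's scripts actually use.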