Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1075: Analytic 1075

Correlates file enumeration of XML files in the SYSVOL share with suspicious process execution that decodes or reads encrypted credentials embedded in Group Policy Preference files (e.g., Get-GPPPassword.ps1, gpprefdecrypt.py, Metasploit). Detects abnormal access to \DOMAIN\SYSVOL combined with XML file parsing or decryption logic.

EnterpriseAN1075AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it focuses on a classic Active Directory exposure path: access to XML files in the Windows SYSVOL share combined with tools or scripts that read or decrypt credentials stored in Group Policy Preference files. For leaders, the value is not just detecting a script name; it is validating whether the organization can spot credential-harvesting behavior against domain policy data before it enables broader identity compromise.

Executive priority

Prioritize this as an identity and Active Directory resilience control. Executives and security leaders should ask whether legacy Group Policy Preference credential exposure has been remediated, whether SYSVOL access is monitored, and whether the SOC can correlate file enumeration with suspicious execution. This supports incident readiness, audit evidence around credential protection, and prioritization of Active Directory hardening work.

Technical view

For Windows environments, validate whether telemetry can correlate abnormal access to \\DOMAIN\\SYSVOL, enumeration or parsing of XML files, and execution of suspicious tooling or code associated with reading or decoding encrypted credentials in Group Policy Preference files. Because the official object provides no separate detection logic, teams should treat AN1075 as a correlation concept and test it against local process, file, script, and network-share access telemetry.

Likely telemetry

  • Windows process creation events, including command-line arguments where available
  • PowerShell or script execution logs where enabled
  • File access or file enumeration telemetry for SYSVOL paths
  • Network share access telemetry involving \\DOMAIN\\SYSVOL
  • Evidence of XML file parsing or access to Group Policy Preference XML content

Detection direction

  • Correlate SYSVOL XML enumeration with suspicious process or script execution rather than alerting on SYSVOL access alone, which may be common for legitimate domain activity.
  • Tune for administrative baselines, software deployment systems, domain controllers, and management hosts that may legitimately read Group Policy content.
  • Validate visibility into command lines, script block or equivalent script telemetry, and file/share access; missing any of these can make the correlation weak.
  • Look for tool-name and behavior-based indicators, but avoid relying only on filenames such as Get-GPPPassword.ps1, gpprefdecrypt.py, or Metasploit because names can change.
  • Use this analytic to drive retrospective review when suspicious SYSVOL access and credential-related scripting appear close together in time.

Mitigation priorities

  • Inventory and remove legacy Group Policy Preference credentials where present.
  • Review permissions and exposure of SYSVOL content consistent with domain operational requirements.
  • Harden credential storage and administrative practices so reusable credentials are not embedded in policy artifacts.
  • Enable and retain the Windows, process, script, and file/share telemetry required to support the correlation.
  • Prepare incident response procedures for suspected Active Directory credential exposure, including credential rotation and scope review.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows and describes a correlation between SYSVOL XML enumeration and suspicious credential-decryption or parsing behavior. No tactics, related techniques, relationships, or formal detection pseudocode were supplied, so this take frames practical validation rather than a guaranteed detection rule.

This assessment is limited to the supplied official STIX fields, the MITRE external reference, and the object description. It does not establish active exploitation, attribution, prevalence, impact, or complete detection coverage. Local environment baselines and telemetry quality are required to determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 1075

Correlates file enumeration of XML files in the SYSVOL share with suspicious process execution that decodes or reads encrypted credentials embedded in Group Policy Preference files (e.g., Get-GPPPassword.ps1, gpprefdecrypt.py, Metasploit). Detects abnormal access to \DOMAIN\SYSVOL combined with XML file parsing or decryption logic.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
f14ff8c4db21d41d...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f14ff8c4db21…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1075
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use