Unsecured Credentials: Group Policy Preferences

Other sub-techniques of Unsecured Credentials (8)

ID	Name
ATAGS-T1126.001	Chat Messages
ATAGS-T1126.002	Cloud Instance Metadata API
ATAGS-T1126.003	Container API
ATAGS-T1126.004	Credentials In Files
ATAGS-T1126.005	Credentials in Registry
ATAGS-T1126.006	Group Policy Preferences
ATAGS-T1126.007	Private Keys
ATAGS-T1126.008	Shell History

Threat Actors may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.

ID: ATAGS-T1126.006

Sub-technique of: ATAGS-T1126

ⓘ

Tactic: Credential Access

ⓘ

Targeted Components: Mission, Personnel & Identity

ⓘ

Responsibility: Shared

Created: 18 April 2026

Last Modified: 18 April 2026

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.