The correct answer is D. Find the SYSVOL share for hashes with findstr /i and decrypt using the published key.
Group Policy Preferences previously allowed administrators to store local user passwords in Group Policy XML files inside the domain’s SYSVOL share. These passwords were stored as cpassword values. Although encrypted, Microsoft published the AES key used to decrypt them, which means anyone with domain access could potentially retrieve and decrypt those credentials.
Because SYSVOL is commonly readable by authenticated domain users, a compromised domain-joined endpoint can be used to search SYSVOL for Group Policy Preference XML files containing cpassword values. Once decrypted, these credentials may provide local administrator access across multiple domain-joined systems, making this a fast method for pivoting to production servers.
A is incorrect because scanning the domain controller for remote code execution is noisy, risky, and not the fastest or best approach when Group Policy Preferences already expose a known credential-recovery path.
B is incorrect because password spraying with Hydra is slower, noisier, and may trigger account lockouts or detection. The scenario points specifically to Group Policy Preferences, which suggests credential recovery from SYSVOL.
C is incorrect because BloodHound is useful for identifying Active Directory attack paths, but it is not the fastest option when exploitable Group Policy Preference credentials are already known to be present.
In PenTest+ terms, this falls under Attacks and Exploits, specifically Active Directory post-exploitation, credential discovery, Group Policy Preferences abuse, and lateral movement.
