GitHub - jeremiahn/GPOHound: Offensive GPO dumping and analysis tool that leverages and enriches BloodHound data

GPOHound

GPOHound is a tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share.

It provides a structured, formalized format to help uncover misconfigurations, insecure settings, and privilege escalation paths in Active Directory environments.

The tool integrates with BloodHound's Neo4j database, using it as an LDAP-like source for Active Directory information while also enriching it by adding new relationships (edges) and node properties based on the analysis.

Features

Dump

  • Dumps GPOs in a structured JSON or tree format

  • Handles multiple domains

  • Resolves GPO names with GPO GUIDs

  • Filters output by GPO files, GPO GUIDs, and domains

  • Searches in key/value pairs using regex

Analysis

  • Groups settings by impacted object (e.g., Local Groups, Registry)

  • Detects members added to local privileged groups

  • Detects insecure registry settings, stored credentials, and privilege rights

  • Supports decrypting VNC credentials and GPP passwords

  • Finds domains, containers, and OUs affected by GPOs

  • Gets GPOs applied to a specific user, computer, OU, container, or domain

  • Enriches BloodHound data with relationships and properties

Installation

Install with pip

git clone "https://github.com/cogiceo/GPOHound"
cd GPOHound
pip install .

Install with pipx

pipx install "git+https://github.com/cogiceo/GPOHound"

Setup APOC for Neo4j

You need to set up Neo4j APOC for BloodHound data enrichment. If you're using the standard Neo4j installation, you can enable APOC by copying the APOC jar file to the plugins folder and then restarting Neo4j:

cp /var/lib/neo4j/labs/apoc-* /var/lib/neo4j/plugins/
neo4j restart

For more details or alternate installation methods, refer to the official APOC Documentation.

Add BloodHound Queries

To visualize the relationships and properties added by GPOHound, you can import the custom queries from the customqueries.json file into BloodHound. By default, this file is located at ~/.config/bloodhound/customqueries.json.

Prerequisites

Dumping SYSVOL

Start by downloading the SYSVOL contents from the domain controller. You can do this using smbclient or other tools:

smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; mget *;"

For a faster download, target only the GPOs:

mkdir -p "$DOMAIN"/Policies && cd "$DOMAIN"/Policies
smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; cd $DOMAIN/Policies/; mget {*};" && cd -

BloodHound

To enable name resolution and data enrichment, you must collect BloodHound data using a collector such as bloodhound.py or SharpHound.exe and import the gathered data into the BloodHound interface.

Usage

See CONFIG.md for instructions on customizing default values and configurations.

gpohound --neo4j-user $USER --neo4j-pass $PASS -S ./example dump
gpohound --neo4j-user $USER --neo4j-pass $PASS -S ./example analysis

Dump

gpohound dump -h
gpohound dump --json
gpohound dump --list --gpo-name
gpohound dump --guid 21246D99-1426-495B-9E8E-556ABDD81F94
gpohound dump --file scripts psscripts
gpohound dump --search 'VNC.*Server' --show

Analysis

gpohound analysis -h
gpohound analysis --json
gpohound analysis --processed --object group registry
gpohound analysis --guid CCF6CAE3-E280-4109-8F9D-25461DBB5D67 --affected
gpohound analysis --computer 'SRV-PA-03.NORTH.SEVENKINGDOMS.LOCAL' --order
gpohound analysis --enrich

Current analysis and enrichment

Important

  • Conditions like security filters, WMI filters, and item-level targeting are not interpreted.
  • GPO conflicts are not simulated, to avoid missing valid settings.

Local Groups

  • Detection of users assigned to privileged local groups during logon.

  • Detection of renamed built-in privileged local groups.

  • Detection of trustees added to privileged local groups using system-defined variables (e.g., %ComputerName%, %DomainName%) for possible sAMAccountName spoofing.

  • Detection of any trustees added to privileged local groups:

    | Group | Edge |
    | --- | --- |
    | Administrators | AdminTo |
    | Remote Desktop Users | CanRDP |
    | Distributed COM Users | ExecuteDCOM |
    | Remote Management Users | CanPSRemote |
    | Backup Operators | CanPrivEsc |
    | Print Operators | CanPrivEsc |
    | Network Configuration Operators | CanPrivEsc |

Registry

| Analysis | Property |
| --- | --- |
| "Everyone" group includes "Anonymous Logon" | |
| SMB server session signing is not enabled | smbSigningEnabled: false |
| SMB server session signing is not required | smbSigningRequired: false |
| NTLMv1 authentication is supported | NTLMv1Support: true |
| Windows automatic logon default password | |
| VNC credentials (Generic: RealVNC, TightVNC, TigerVNC, etc.) | `*VNC*PASS*` (various) |
| FileZilla stored passwords | |
| PuTTY proxy password | |
| TeamViewer stored credentials | |
| WinSCP saved sessions | |
| Picasa stored password | |
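The table above lists what the registry analysis looks for but not how those settings reach a GPO. Machine registry policy lives in a `Registry.pol` file under the GPO's `Machine` folder, so the added example below (illustrative code, not GPOHound's implementation) encodes a constructed `Registry.pol`, parses it back, and applies the SMB signing, `LmCompatibilityLevel`, `EveryoneIncludesAnonymous` and `DefaultPassword` checks. The key paths are the standard Windows locations for these settings, the property names come from the table, and the sample values are constructed; the `PReg` record layout is the documented Registry.pol format.

```python
"""Added example: decode a Registry.pol blob and flag the insecure settings named
in the README's registry table. Illustrative code, not GPOHound's own."""
import struct

REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
U16 = "utf-16-le"


def encode_pol(entries):
    """Build a Registry.pol: 'PReg' magic, version 1, then records laid out as
    [key;value;type;size;data] with brackets, semicolons and strings in UTF-16LE."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, rtype, data in entries:
        payload = struct.pack("<I", data) if rtype == REG_DWORD else (data + "\x00").encode(U16)
        out += "[".encode(U16)
        out += (key + "\x00").encode(U16) + ";".encode(U16)
        out += (value + "\x00").encode(U16) + ";".encode(U16)
        out += struct.pack("<I", rtype) + ";".encode(U16)
        out += struct.pack("<I", len(payload)) + ";".encode(U16)
        out += payload + "]".encode(U16)
    return bytes(out)


def parse_pol(blob):
    """Inverse of encode_pol: returns (key, value, type, data) tuples with DWORDs and
    strings decoded. Raises ValueError on a malformed record instead of guessing."""
    if blob[:4] != b"PReg":
        raise ValueError("not a Registry.pol file (missing PReg magic)")
    pos, entries = 8, []  # skip magic + version

    def read_wstr(p):
        # Walk 2-byte code units so a 00 byte inside a character is not taken as the terminator.
        chars = bytearray()
        while blob[p:p + 2] != b"\x00\x00":
            if p + 2 > len(blob):
                raise ValueError("unterminated string")
            chars += blob[p:p + 2]
            p += 2
        return chars.decode(U16), p + 2

    def expect(p, ch):
        if blob[p:p + 2] != ch.encode(U16):
            raise ValueError(f"expected {ch!r} at offset {p}")
        return p + 2

    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_wstr(pos)
        pos = expect(pos, ";")
        value, pos = read_wstr(pos)
        pos = expect(pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        pos = expect(pos + size, "]")
        if rtype == REG_DWORD and size == 4:
            data = struct.unpack("<I", data)[0]
        elif rtype in (REG_SZ, REG_EXPAND_SZ):
            data = data.decode(U16).rstrip("\x00")
        entries.append((key, value, rtype, data))
    return entries


# Registry.pol keys omit the HKLM hive, so match on the tail of the key path, case-insensitively.
CHECKS = [
    (r"services\lanmanserver\parameters", "enablesecuritysignature", lambda v: v == 0,
     "SMB server session signing is not enabled", ("smbSigningEnabled", False)),
    (r"services\lanmanserver\parameters", "requiresecuritysignature", lambda v: v == 0,
     "SMB server session signing is not required", ("smbSigningRequired", False)),
    # LmCompatibilityLevel 5 is the first level at which the server refuses NTLMv1 responses.
    (r"control\lsa", "lmcompatibilitylevel", lambda v: isinstance(v, int) and v < 5,
     "NTLMv1 authentication is supported", ("NTLMv1Support", True)),
    (r"control\lsa", "everyoneincludesanonymous", lambda v: v == 1,
     '"Everyone" group includes "Anonymous Logon"', None),
    # Report only that a DefaultPassword is set; the secret itself never enters the findings.
    (r"windows nt\currentversion\winlogon", "defaultpassword", lambda v: bool(v),
     "Windows automatic logon default password", None),
]


def analyse_registry(entries):
    findings = []
    for key, value, _rtype, data in entries:
        for key_tail, value_name, insecure, description, prop in CHECKS:
            if key.lower().endswith(key_tail) and value.lower() == value_name and insecure(data):
                findings.append({"key": key, "value": value, "finding": description, "property": prop})
    return findings


# Constructed sample policy; values chosen to exercise the checks, not taken from any real domain.
SAMPLE_ENTRIES = [
    (r"System\CurrentControlSet\Services\LanManServer\Parameters", "EnableSecuritySignature", REG_DWORD, 0),
    (r"System\CurrentControlSet\Services\LanManServer\Parameters", "RequireSecuritySignature", REG_DWORD, 0),
    (r"System\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", REG_DWORD, 2),
    (r"System\CurrentControlSet\Control\Lsa", "EveryoneIncludesAnonymous", REG_DWORD, 0),
    (r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "DefaultPassword", REG_SZ, "constructed-sample"),
    (r"Software\Policies\Microsoft\Windows\System", "EnableSmartScreen", REG_DWORD, 1),
]


def demo():
    return analyse_registry(parse_pol(encode_pol(SAMPLE_ENTRIES)))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['finding']:<50} {finding['key']}\\{finding['value']}  {finding['property']}")
```

The parser deliberately refuses malformed records rather than resynchronising, since a `Registry.pol` that does not round-trip through `parse_pol(encode_pol(...))` is itself worth a closer look during a review.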

Privileged Rights

Default privileged trustees, as well as service accounts with SIDs starting with S-1-5-8, are excluded from analysis.

| Privilege | Description | Edge |
| --- | --- | --- |
| SeDebugPrivilege | Allows user to debug and interact with any process | CanPrivEsc |
| SeBackupPrivilege | Grants access to sensitive files | CanPrivEsc |
| SeRestorePrivilege | Bypasses object permissions during restore | CanPrivEsc |
| SeAssignPrimaryTokenPrivilege | Enables token impersonation for SYSTEM escalation | CanPrivEsc |
| SeImpersonatePrivilege | Allows creation of process under another user's context | CanPrivEsc |
| SeTakeOwnershipPrivilege | Lets users take ownership of system objects | CanPrivEsc |
| SeTcbPrivilege | Grants the ability to act as part of the OS | CanPrivEsc |
| SeCreateTokenPrivilege | Permits creation of authentication tokens | CanPrivEsc |
| SeLoadDriverPrivilege | Authorizes driver loading/unloading | CanPrivEsc |
| SeManageVolumePrivilege | Grants volume or disk management privileges | CanPrivEsc |
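Both the Local Groups table and the Privileged Rights table above are fed by the same GPO artifact: the `GptTmpl.inf` security template under `Machine\Microsoft\Windows NT\SecEdit`, whose `[Group Membership]` (Restricted Groups) and `[Privilege Rights]` sections list trustees per group and per privilege. The added example below (illustrative code, not GPOHound's implementation) parses a constructed template and emits the edges from both tables, skipping excluded trustees and flagging a system variable in a trustee name as the README describes. The well-known BUILTIN SIDs are standard Windows values; the exclusion set is an assumption (BUILTIN groups, the LocalSystem/LocalService/NetworkService SIDs, and NT SERVICE SIDs under `S-1-5-80-`, which is how this example reads the README's `S-1-5-8` prefix); the domain SIDs and names in the sample are constructed.

```python
"""Added example: turn the Restricted Groups and Privilege Rights sections of a
GptTmpl.inf into the BloodHound-style edges listed in the README tables.
Illustrative code, not GPOHound's own implementation."""
import configparser
import re
import textwrap

# Privileged built-in local groups and the edge the README assigns to each,
# keyed by well-known SID (BUILTIN is S-1-5-32).
PRIVILEGED_LOCAL_GROUPS = {
    "S-1-5-32-544": ("Administrators", "AdminTo"),
    "S-1-5-32-555": ("Remote Desktop Users", "CanRDP"),
    "S-1-5-32-562": ("Distributed COM Users", "ExecuteDCOM"),
    "S-1-5-32-580": ("Remote Management Users", "CanPSRemote"),
    "S-1-5-32-551": ("Backup Operators", "CanPrivEsc"),
    "S-1-5-32-550": ("Print Operators", "CanPrivEsc"),
    "S-1-5-32-556": ("Network Configuration Operators", "CanPrivEsc"),
}
# GptTmpl.inf may name a group literally instead of by SID.
GROUP_NAME_TO_SID = {name.lower(): sid for sid, (name, _) in PRIVILEGED_LOCAL_GROUPS.items()}

# Privilege rights the README maps to CanPrivEsc.
PRIVESC_RIGHTS = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeManageVolumePrivilege",
}

SYSTEM_VARIABLE = re.compile(r"%[A-Za-z]+%")  # e.g. %ComputerName%, %DomainName%


def is_default_trustee(trustee):
    """Principals excluded from analysis. Assumption: BUILTIN groups, the LocalSystem /
    LocalService / NetworkService SIDs, and NT SERVICE SIDs (S-1-5-80-...)."""
    return (trustee.startswith("S-1-5-32-")
            or trustee in {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
            or trustee.startswith("S-1-5-80-"))


def parse_trustees(value):
    """Trustee lists are comma separated; SIDs carry a leading '*', names do not."""
    return [t.strip().lstrip("*") for t in value.split(",") if t.strip()]


def analyse_gpttmpl(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case (SeDebugPrivilege, __Members)
    cp.read_string(text)
    findings = []

    # Restricted Groups: '<group>__Members = <trustees>' sets the group's full member list.
    for key, value in (cp.items("Group Membership") if cp.has_section("Group Membership") else []):
        group, _, relation = key.rpartition("__")
        if relation.lower() != "members":
            continue  # '__Memberof' nests the group inside another group; no trustees here
        group = group.lstrip("*")
        sid = group if group.startswith("S-1-") else GROUP_NAME_TO_SID.get(group.lower())
        if sid not in PRIVILEGED_LOCAL_GROUPS:
            continue
        target, edge = PRIVILEGED_LOCAL_GROUPS[sid]
        for trustee in parse_trustees(value):
            if is_default_trustee(trustee):
                continue
            finding = {"trustee": trustee, "target": target, "edge": edge, "source": "Group Membership"}
            if SYSTEM_VARIABLE.search(trustee):
                finding["note"] = "system variable in trustee name: possible sAMAccountName spoofing"
            findings.append(finding)

    # Privilege Rights: '<privilege> = <trustees>' assigns the right on every machine in scope.
    for privilege, value in (cp.items("Privilege Rights") if cp.has_section("Privilege Rights") else []):
        if privilege not in PRIVESC_RIGHTS:
            continue
        for trustee in parse_trustees(value):
            if not is_default_trustee(trustee):
                findings.append({"trustee": trustee, "target": privilege, "edge": "CanPrivEsc",
                                 "source": "Privilege Rights"})
    return findings


# Constructed sample (real files are UTF-16LE on disk; decode them before parsing). SIDs are made up.
SAMPLE_GPTTMPL = textwrap.dedent(r"""
    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Group Membership]
    *S-1-5-32-544__Memberof =
    *S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,NORTH\Helpdesk
    *S-1-5-32-555__Memberof =
    *S-1-5-32-555__Members = %ComputerName%_rdp
    Backup Operators__Memberof =
    Backup Operators__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106,*S-1-5-32-544
    [Privilege Rights]
    SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1107
    SeBackupPrivilege = *S-1-5-32-551,*S-1-5-32-544
    SeServiceLogonRight = *S-1-5-80-0
""")


def demo():
    return analyse_gpttmpl(SAMPLE_GPTTMPL)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['trustee']:<48} -{f['edge']}-> {f['target']}  {f.get('note', '')}")
```

Run against real templates after decoding them from UTF-16LE; the `interpolation=None` setting matters because `%ComputerName%`-style trustees would otherwise be treated as `configparser` interpolation and raise.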

Improvement

  • Improve logging
  • HTML output
  • Integrate LDAP
  • Integrate SMB
  • Highlight potential conflicts between GPOs
  • Parse remaining extensions

GPO Documentation

SYSVOL and LDAP

LDAP Only

  • [MS-GPDPC] Deployed Printer Connections Extension
  • [MS-GPFR] Folder Redirection Protocol Extension
  • [MS-GPWL] Wireless/Wired Protocol Extension
