GPOHound: Offensive GPO dumping and analysis tool
GPOHound is a tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share.
It provides a structured, formalized format to help uncover misconfigurations, insecure settings, and privilege escalation paths in Active Directory environments.
The tool integrates with BloodHound’s Neo4j database, using it as an LDAP-like source for Active Directory information while also enriching it by adding new relationships (edges) and node properties based on the analysis.
Features
Dump
- Dumps GPOs in a structured JSON or tree format
- Handles multiple domains
- Resolves GPO GUIDs to GPO names
- Filters output by GPO files, GPO GUIDs, and domains
- Searches key/value pairs using regex
Analysis
- Groups settings by impacted object (e.g., Local Groups, Registry)
- Detects members added to local privileged groups
- Detects insecure registry settings, stored credentials, and privilege rights
- Supports decrypting VNC credentials and GPP passwords
- Finds domains, containers, and OUs affected by GPOs
- Gets GPOs applied to a specific user, computer, OU, container, or domain
- Enriches BloodHound data with relationships and properties
Current analysis and enrichment
Local Groups
- Detection of users assigned to privileged local groups during logon
- Detection of renamed built-in privileged local groups
- Detection of trustees added to privileged local groups using "Preference Process Variables" (e.g., %ComputerName%, %DomainName%)
- Detection of abusable trustees using `sAMAccountName` hijacking
- Detection of any trustees added to privileged local groups:

| Group | Edge |
|---|---|
| Administrators | AdminTo |
| Remote Desktop Users | CanRDP |
| Distributed COM Users | ExecuteDCOM |
| Remote Management Users | CanPSRemote |
| Backup Operators | CanPrivEsc |
| Print Operators | CanPrivEsc |
| Network Configuration Operators | CanPrivEsc |
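The Local Groups checks above operate on the Group Policy Preferences `Groups.xml` file stored in a GPO's SYSVOL folder. The script below is an added example, not GPOHound's own code: it parses a constructed `Groups.xml` sample (all SIDs, account names and the `cpassword` value are made up) and reports renamed built-in groups, members added to privileged local groups with the edge from the table above, trustees referenced through preference process variables, trustees referenced by name only (the assumed heuristic for the `sAMAccountName` check), and the presence of a `cpassword` attribute as a stored credential. The group-to-SID mapping uses the well-known local group SIDs; the finding names are this example's own.

```python
"""Flag risky entries in a Group Policy Preferences Groups.xml (Local Groups analysis).

Added example, not GPOHound's own code. It reads the GPP Groups.xml format found at
Machine/Preferences/Groups/Groups.xml inside a GPO's SYSVOL folder.
"""
import re
import xml.etree.ElementTree as ET

# Well-known local group SIDs and the BloodHound edge the table above assigns to each.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": ("Administrators", "AdminTo"),
    "S-1-5-32-555": ("Remote Desktop Users", "CanRDP"),
    "S-1-5-32-562": ("Distributed COM Users", "ExecuteDCOM"),
    "S-1-5-32-580": ("Remote Management Users", "CanPSRemote"),
    "S-1-5-32-551": ("Backup Operators", "CanPrivEsc"),
    "S-1-5-32-550": ("Print Operators", "CanPrivEsc"),
    "S-1-5-32-556": ("Network Configuration Operators", "CanPrivEsc"),
}
# Preference process variables look like %ComputerName% or %DomainName%.
PROCESS_VARIABLE = re.compile(r"%[A-Za-z]+%")

# Constructed sample: SIDs, names, uids and the cpassword value are made up.
SAMPLE_GROUPS_XML = r"""<Groups>
  <Group name="Administrators (built-in)" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="LocalAdmins" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\helpdesk" action="ADD" sid="S-1-5-21-1111-2222-3333-1105"/>
        <Member name="CORP\%ComputerName%-admin" action="ADD" sid=""/>
        <Member name="CORP\olduser" action="REMOVE" sid="S-1-5-21-1111-2222-3333-1106"/>
      </Members>
    </Properties>
  </Group>
  <Group name="Remote Desktop Users (built-in)" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
      <Members>
        <Member name="CORP\ghostuser" action="ADD"/>
      </Members>
    </Properties>
  </Group>
  <Group name="Users (built-in)" uid="{00000000-0000-0000-0000-000000000003}">
    <Properties action="U" newName="" groupSid="S-1-5-32-545" groupName="Users (built-in)">
      <Members>
        <Member name="CORP\intern" action="ADD" sid="S-1-5-21-1111-2222-3333-1200"/>
      </Members>
    </Properties>
  </Group>
  <User name="localsvc" uid="{00000000-0000-0000-0000-000000000004}">
    <Properties action="U" newName="" userName="localsvc" cpassword="CONSTRUCTED-NOT-A-REAL-CPASSWORD"/>
  </User>
</Groups>
"""


def analyse_groups_xml(xml_text):
    """Return a list of finding dicts in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for group in root.iter("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        sid = props.get("groupSid", "")
        if sid not in PRIVILEGED_GROUPS:
            continue  # only privileged local groups matter for these checks
        canonical, edge = PRIVILEGED_GROUPS[sid]
        if props.get("newName"):
            # A built-in privileged group renamed through GPP.
            findings.append({"type": "renamed_builtin_group", "group": canonical,
                             "new_name": props.get("newName")})
        for member in props.iter("Member"):
            if member.get("action", "").upper() != "ADD":
                continue  # REMOVE entries do not grant anything
            name = member.get("name", "")
            member_sid = member.get("sid", "")
            kind = "member_added"
            if PROCESS_VARIABLE.search(name):
                kind = "member_added_via_process_variable"
            elif not member_sid:
                # Assumption: a trustee given by name only is resolved by sAMAccountName
                # when the preference applies, which is what the hijacking check targets.
                kind = "member_added_by_name_only"
            findings.append({"type": kind, "group": canonical, "edge": edge,
                             "trustee": name, "trustee_sid": member_sid})
    for user in root.iter("User"):
        props = user.find("Properties")
        if props is not None and props.get("cpassword"):
            # Presence alone is the finding; the value is not echoed or decrypted here.
            findings.append({"type": "stored_credential", "user": props.get("userName", ""),
                             "detail": "cpassword attribute present"})
    return findings


if __name__ == "__main__":
    for finding in analyse_groups_xml(SAMPLE_GROUPS_XML):
        print(finding)
```

Run it as-is to see the five findings from the sample; point `analyse_groups_xml` at the contents of a real `Groups.xml` to check one GPO. The `Users (built-in)` entry is deliberately ignored because its SID is not in the privileged set, and the `REMOVE` entry is skipped because it grants nothing.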
Registry
| Analysis | Property |
|---|---|
| "Everyone" group includes "Anonymous Logon" | — |
| SMB server session signing is not enabled | `smbSigningEnabled: false` |
| SMB server session signing is not required | `smbSigningRequired: false` |
| NTLMv1 authentication is supported | `NTLMv1Support: true` |
| Windows automatic logon default password | — |
| VNC credentials (Generic: RealVNC, TightVNC, TigerVNC, etc.) | `*VNC*PASS*` (various) |
| FileZilla stored passwords | — |
| PuTTY proxy password | — |
| TeamViewer stored credentials | — |
| WinSCP saved sessions | — |
| Picasa stored password | — |
Privileged Rights
Default privileged trustees, as well as service accounts with SIDs starting with `S-1-5-8`, are excluded from analysis.
| Privilege | Description | Edge |
|---|---|---|
| SeDebugPrivilege | Allows a user to debug and interact with any process | CanPrivEsc |
| SeBackupPrivilege | Grants read access to sensitive files regardless of their ACLs | CanPrivEsc |
| SeRestorePrivilege | Bypasses object permissions during restore | CanPrivEsc |
| SeAssignPrimaryTokenPrivilege | Enables token impersonation for SYSTEM escalation | CanPrivEsc |
| SeImpersonatePrivilege | Allows creation of a process under another user's context | CanPrivEsc |
| SeTakeOwnershipPrivilege | Lets a user take ownership of system objects | CanPrivEsc |
| SeTcbPrivilege | Grants the ability to act as part of the OS | CanPrivEsc |
| SeCreateTokenPrivilege | Permits creation of authentication tokens | CanPrivEsc |
| SeLoadDriverPrivilege | Authorizes driver loading/unloading | CanPrivEsc |
| SeManageVolumePrivilege | Grants volume or disk management privileges | CanPrivEsc |
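Both the Registry table and the Privileged Rights table above are derived from the security template `GptTmpl.inf` (under `Machine/Microsoft/Windows NT/SecEdit/` in a GPO's SYSVOL folder): registry settings live in its `[Registry Values]` section as `path=type,data` lines, and user rights in `[Privilege Rights]` as comma-separated trustees, where SIDs carry a leading `*`. The script below is an added example serving both sections, not GPOHound's own code. It parses a constructed sample template, emits the `smbSigningEnabled`, `smbSigningRequired` and `NTLMv1Support` properties from the Registry table, flags the "Everyone includes Anonymous" and autologon default password conditions, and produces a `CanPrivEsc` edge for every non-default trustee of a privilege from the Privileged Rights table. Assumptions are labelled in the code: the `DEFAULT_TRUSTEES` set is an illustrative subset rather than the per-OS default list, and the `LmCompatibilityLevel < 5` threshold for "NTLMv1 supported" is this example's choice.

```python
"""Derive node properties and CanPrivEsc edges from a GptTmpl.inf security template.

Added example, not GPOHound's own code: parses the [Registry Values] and
[Privilege Rights] sections and maps them to the tables above.
"""

# Registry paths as written in GptTmpl.inf ("MACHINE\" stands in for HKLM).
LANMAN = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Privileges from the table above; every one of them maps to CanPrivEsc.
PRIVESC_PRIVILEGES = {
    "SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeImpersonatePrivilege", "SeTakeOwnershipPrivilege",
    "SeTcbPrivilege", "SeCreateTokenPrivilege", "SeLoadDriverPrivilege", "SeManageVolumePrivilege",
}
ALWAYS_DEFAULT = {"S-1-5-32-544"}  # Administrators hold all of the above by default
# Assumption: illustrative subset of per-privilege default trustees, not the full per-OS list.
DEFAULT_TRUSTEES = {
    "SeBackupPrivilege": {"S-1-5-32-551"},   # Backup Operators
    "SeRestorePrivilege": {"S-1-5-32-551"},
}
SERVICE_SID_PREFIX = "S-1-5-8"  # service account SIDs (S-1-5-80-...) are excluded

# Constructed sample template; the SIDs, account name and password string are made up.
SAMPLE_GPTTMPL = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword=1,"CONSTRUCTED-SAMPLE"
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1107
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-80-1234567890-1,CORP\backupsvc
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""


def parse_inf(text):
    """Minimal INI parser: {section: [(key, value), ...]}, preserving order and key case."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def registry_value(sections, path):
    """Return the data part of a 'path=type,data' entry (unquoted), or None if absent."""
    for key, value in sections.get("Registry Values", []):
        if key.lower() == path.lower():
            _type, _, data = value.partition(",")
            return data.strip().strip('"')
    return None


def analyse_gpttmpl(text):
    """Return {'properties': {...}, 'findings': [...], 'edges': [...]} for one template."""
    sections = parse_inf(text)
    properties, findings, edges = {}, [], []

    def dword(path):
        data = registry_value(sections, path)
        return int(data) if data is not None and data.isdigit() else None

    enable = dword(LANMAN + r"\EnableSecuritySignature")
    if enable is not None:
        properties["smbSigningEnabled"] = enable == 1
    require = dword(LANMAN + r"\RequireSecuritySignature")
    if require is not None:
        properties["smbSigningRequired"] = require == 1
    lm_level = dword(LSA + r"\LmCompatibilityLevel")
    if lm_level is not None:
        # Assumption: below level 5 the server still accepts NTLMv1 responses.
        properties["NTLMv1Support"] = lm_level < 5
    if dword(LSA + r"\EveryoneIncludesAnonymous") == 1:
        findings.append("Everyone group includes Anonymous Logon")
    if registry_value(sections, WINLOGON + r"\DefaultPassword") is not None:
        findings.append("Windows automatic logon default password set")  # value not echoed

    for privilege, value in sections.get("Privilege Rights", []):
        if privilege not in PRIVESC_PRIVILEGES:
            continue
        for trustee in (t.strip() for t in value.split(",") if t.strip()):
            sid = trustee[1:] if trustee.startswith("*") else None  # "*SID" vs. account name
            if sid and (sid in ALWAYS_DEFAULT or sid in DEFAULT_TRUSTEES.get(privilege, set())
                        or sid.startswith(SERVICE_SID_PREFIX)):
                continue  # default or service trustee: excluded from analysis
            edges.append({"trustee": sid or trustee, "privilege": privilege, "edge": "CanPrivEsc"})
    return {"properties": properties, "findings": findings, "edges": edges}


if __name__ == "__main__":
    print(analyse_gpttmpl(SAMPLE_GPTTMPL))
```

Real `GptTmpl.inf` files are UTF-16 with a BOM, so read them with `open(path, encoding="utf-16")` before passing the text in. In the sample, `SeShutdownPrivilege` produces no edge because it is not in the table, and the `S-1-5-80-...` trustee on `SeBackupPrivilege` is dropped by the service-SID prefix rule while the name-only `CORP\backupsvc` entry becomes an edge.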