GPOHound: Offensive GPO dumping and analysis tool
GPOHound is a tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share.
It provides a structured, formalized format to help uncover misconfigurations, insecure settings, and privilege escalation paths in Active Directory environments.
The tool integrates with BloodHound’s Neo4j database, using it as an LDAP-like source for Active Directory information while also enriching it by adding new relationships (edges) and node properties based on the analysis.
Features
Dump
-
Dumps GPOs in a structured JSON or tree format
-
Handles multiple domains
-
Resolves GPO names with GPO GUIDs
-
Filters output by GPO files, GPO GUIDs, and domains
-
Searches in key/value pairs using regex
Analysis
-
Groups settings by impacted object (e.g., Local Groups, Registry)
-
Detects members added to local privileged groups
-
Detects insecure registry settings, stored credentials, and privilege rights
-
Supports decrypting VNC credentials and GPP passwords
-
Finds domains, containers, and OUs affected by GPOs
-
Gets GPOs applied to a specific user, computer, OU, container, or domain
-
Enriches BloodHound data with relationships and properties
Current analysis and enrichment
Local Groups
-
Detection of users assigned to privileged local groups during logon
-
Detection of renamed built-in privileged local groups.
-
Detection of trustees added to privileged local groups using “Preference Process Variables” (e.g., %ComputerName%, %DomainName%)
-
Detection of abusable trustees using
sAMAccountNamehijacking -
Detection of any trustees added to privileged local groups:
Group Edge Administrators AdminToRemote Desktop Users CanRDPDistributed COM Users ExecuteDCOMRemote Management Users CanPSRemoteBackup Operators CanPrivEscPrint Operators CanPrivEscNetwork Configuration Operators CanPrivEsc
Registry
| Analysis | Property |
|---|---|
| “Everyone” group includes “Anonymous Logon” | — |
| SMB server session signing is not enabled | smbSigningEnabled: false |
| SMB server session signing is not required | smbSigningRequired: false |
| NTLMv1 authentication is supported | NTLMv1Support: true |
| Windows automatic logon default password | — |
| VNC credentials (Generic: RealVNC, TightVNC, TigerVNC, etc.) | *VNC*PASS* (various) |
| FileZilla stored passwords | — |
| PuTTY proxy password | — |
| TeamViewer stored credentials | — |
| WinSCP saved sessions | — |
| Picasa stored password | — |
Privileged Rights
Default privileged trustees, as well as service accounts with SIDs starting with S-1-5-8, are excluded from analysis.
| Privilege | Description | Edge |
|---|---|---|
| SeDebugPrivilege | Allows user to debug and interact with any process | CanPrivEsc |
| SeBackupPrivilege | Grants access to sensitive files | CanPrivEsc |
| SeRestorePrivilege | Bypasses object permissions during restore | CanPrivEsc |
| SeAssignPrimaryTokenPrivilege | Enables token impersonation for SYSTEM escalation | CanPrivEsc |
| SeImpersonatePrivilege | Allows creation of process under another user’s context | CanPrivEsc |
| SeTakeOwnershipPrivilege | Lets users take ownership of system objects | CanPrivEsc |
| SeTcbPrivilege | Grants the ability to act as part of the OS | CanPrivEsc |
| SeCreateTokenPrivilege | Permits creation of authentication tokens | CanPrivEsc |
| SeLoadDriverPrivilege | Authorizes driver loading/unloading | CanPrivEsc |
| SeManageVolumePrivilege | Grants volume or disk management privileges | CanPrivEsc |
