GPOHound: Offensive GPO dumping and analysis tool

GPOHound is a tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share.

It provides a structured, formalized format to help uncover misconfigurations, insecure settings, and privilege escalation paths in Active Directory environments.

The tool integrates with BloodHound’s Neo4j database, using it as an LDAP-like source for Active Directory information while also enriching it by adding new relationships (edges) and node properties based on the analysis.

GPOHound, Active Directory

Features

Dump

  •  Dumps GPOs in a structured JSON or tree format

  •  Handles multiple domains

  •  Resolves GPO names with GPO GUIDs

  •  Filters output by GPO files, GPO GUIDs, and domains

  •  Searches in key/value pairs using regex

Analysis

  •  Groups settings by impacted object (e.g., Local Groups, Registry)

  •  Detects members added to local privileged groups

  •  Detects insecure registry settings, stored credentials, and privilege rights

  •  Supports decrypting VNC credentials and GPP passwords

  •  Finds domains, containers, and OUs affected by GPOs

  •  Gets GPOs applied to a specific user, computer, OU, container, or domain

  •  Enriches BloodHound data with relationships and properties

Current analysis and enrichment

Local Groups

  • Detection of users assigned to privileged local groups during logon

  • Detection of renamed built-in privileged local groups.

  • Detection of trustees added to privileged local groups using “Preference Process Variables” (e.g., %ComputerName%, %DomainName%)

  • Detection of abusable trustees using sAMAccountName hijacking

  • Detection of any trustees added to privileged local groups:

    Group Edge
    Administrators AdminTo
    Remote Desktop Users CanRDP
    Distributed COM Users ExecuteDCOM
    Remote Management Users CanPSRemote
    Backup Operators CanPrivEsc
    Print Operators CanPrivEsc
    Network Configuration Operators CanPrivEsc

Registry

Analysis Property
“Everyone” group includes “Anonymous Logon”
SMB server session signing is not enabled smbSigningEnabled: false
SMB server session signing is not required smbSigningRequired: false
NTLMv1 authentication is supported NTLMv1Support: true
Windows automatic logon default password
VNC credentials (Generic: RealVNC, TightVNC, TigerVNC, etc.) *VNC*PASS* (various)
FileZilla stored passwords
PuTTY proxy password
TeamViewer stored credentials
WinSCP saved sessions
Picasa stored password

Privileged Rights

Default privileged trustees, as well as service accounts with SIDs starting with S-1-5-8, are excluded from analysis.

Privilege Description Edge
SeDebugPrivilege Allows user to debug and interact with any process CanPrivEsc
SeBackupPrivilege Grants access to sensitive files CanPrivEsc
SeRestorePrivilege Bypasses object permissions during restore CanPrivEsc
SeAssignPrimaryTokenPrivilege Enables token impersonation for SYSTEM escalation CanPrivEsc
SeImpersonatePrivilege Allows creation of process under another user’s context CanPrivEsc
SeTakeOwnershipPrivilege Lets users take ownership of system objects CanPrivEsc
SeTcbPrivilege Grants the ability to act as part of the OS CanPrivEsc
SeCreateTokenPrivilege Permits creation of authentication tokens CanPrivEsc
SeLoadDriverPrivilege Authorizes driver loading/unloading CanPrivEsc
SeManageVolumePrivilege Grants volume or disk management privileges CanPrivEsc

Install & Use

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce