### Install GPOHound with pip Source: https://github.com/cogiceo/gpohound/blob/main/README.md Clone the repository and install GPOHound using pip. Ensure you are in the cloned directory. ```bash git clone "https://github.com/cogiceo/GPOHound" cd GPOHound pip install . ``` -------------------------------- ### Install GPOHound with pipx Source: https://github.com/cogiceo/gpohound/blob/main/README.md Install GPOHound globally using pipx for convenient command-line access. ```bash pipx install "git+https://github.com/cogiceo/GPOHound" ``` -------------------------------- ### Install GPOHound with Pip or Pipx Source: https://context7.com/cogiceo/gpohound/llms.txt Install GPOHound from source using pip or pipx. Ensure you are in the cloned repository directory when using pip. ```bash git clone "https://github.com/cogiceo/GPOHound" cd GPOHound pip install . ``` ```bash pipx install "git+https://github.com/cogiceo/GPOHound" ``` -------------------------------- ### GPOHound Dump Command Examples Source: https://context7.com/cogiceo/gpohound/llms.txt Parse GPO files and display them in a structured tree or JSON format. Options include filtering by domain, GUID, file type, and searching for patterns. ```bash # Basic dump with Neo4j connection for GPO name resolution gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example dump ``` ```bash # List all GPOs with resolved names gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example dump --list --gpo-name ``` ```bash # Output: GPOs └── north.sevenkingdoms.local ├── {21246D99-1426-495B-9E8E-556ABDD81F94}: AddLocalAdmin ├── {276AA65B-86AE-4557-8858-3BC1B2C0B384}: Cert DC └── ... ``` ```bash # Dump specific GPO by GUID in JSON format gpohound -S ./example dump --guid 21246D99-1426-495B-9E8E-556ABDD81F94 --json ``` ```bash # Filter by specific GPO file types gpohound -S ./example dump --file groups registry.pol scripts ``` ```bash # Search for patterns in GPO settings using regex gpohound -S ./example dump --search 'VNC.*Server' --show ``` ```bash # Filter by domain gpohound -S ./example dump --domain north.sevenkingdoms.local ``` -------------------------------- ### List GPOs with names Source: https://github.com/cogiceo/gpohound/blob/main/README.md Dump GPO information and display GPO names along with their GUIDs. Useful for identifying specific GPOs. ```bash gpohound dump --list --gpo-name ``` -------------------------------- ### Dump GPO by GUID Source: https://github.com/cogiceo/gpohound/blob/main/README.md Retrieve and display information for a specific GPO using its GUID. Replace the example GUID with the target GPO's GUID. ```bash gpohound dump --guid 21246D99-1426-495B-9E8E-556ABDD81F94 ``` -------------------------------- ### Get GPOHound analysis help Source: https://github.com/cogiceo/gpohound/blob/main/README.md Display the help message for the GPOHound analysis command, detailing its options and usage. ```bash gpohound analysis -h ``` -------------------------------- ### Get GPOHound dump help Source: https://github.com/cogiceo/gpohound/blob/main/README.md Display the help message for the GPOHound dump command, showing available options and usage. ```bash gpohound dump -h ``` -------------------------------- ### Analyze GPO for a specific computer Source: https://github.com/cogiceo/gpohound/blob/main/README.md Analyze GPOs applied to a particular computer, ordered by their application sequence. Replace the example FQDN with the target computer's name. ```bash gpohound analysis --computer 'SRV-PA-03.NORTH.SEVENKINGDOMS.LOCAL' --order ``` -------------------------------- ### GPOHound Analysis Command Examples Source: https://context7.com/cogiceo/gpohound/llms.txt Process GPOs to identify security misconfigurations, privilege escalation paths, and sensitive information. Options include filtering by object type and outputting as JSON. ```bash # Basic security analysis gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis ``` ```bash # Output example: # Analysis Results # └── north.sevenkingdoms.local # └── {21246D99-1426-495B-9E8E-556ABDD81F94} # └── Memberships # └── Machine # └── Administrators # ├── analysis: The following trustees are added to the "Administrators" local group. # ├── Members # │ └── arya.stark@NORTH.SEVENKINGDOMS.LOCAL # └── edge: AdminTo ``` ```bash # Analyze specific GPO with affected containers gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis \ --guid CCF6CAE3-E280-4109-8F9D-25461DBB5D67 --affected ``` ```bash # View processed settings (intermediate analysis step) gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis \ --processed --object group registry ``` ```bash # Filter analysis by specific object types gpohound -S ./example analysis --object group registry privilege gpppassword ``` ```bash # Output as JSON gpohound -S ./example analysis --json ``` -------------------------------- ### Analyze GPO by GUID and show affected objects Source: https://github.com/cogiceo/gpohound/blob/main/README.md Analyze a specific GPO using its GUID and display all affected objects. This helps in understanding the scope of a GPO's impact. ```bash gpohound analysis --guid CCF6CAE3-E280-4109-8F9D-25461DBB5D67 --affected ``` -------------------------------- ### Import Custom BloodHound Queries Source: https://context7.com/cogiceo/gpohound/llms.txt Copy custom GPOHound queries to the BloodHound configuration directory to visualize discovered relationships. Example queries include finding computers with NTLMv1 support or SMB signing disabled. ```bash cp customqueries.json ~/.config/bloodhound/customqueries.json ``` -------------------------------- ### Run GPOHound dump command Source: https://github.com/cogiceo/gpohound/blob/main/README.md Execute the GPOHound dump command to extract GPO information. Requires Neo4j credentials and a path to example data. ```bash gpohound --neo4j-user $USER --neo4j-pass $PASS -S ./example dump ``` -------------------------------- ### Run GPOHound analysis command Source: https://github.com/cogiceo/gpohound/blob/main/README.md Execute the GPOHound analysis command to process extracted GPO data. Requires Neo4j credentials and a path to example data. ```bash gpohound --neo4j-user $USER --neo4j-pass $PASS -S ./example analysis ``` -------------------------------- ### Setup APOC for Neo4j Source: https://github.com/cogiceo/gpohound/blob/main/README.md Configure Neo4j to use the APOC plugin for enhanced data enrichment. This involves copying the APOC jar file to the plugins directory and restarting Neo4j. ```bash cp /var/lib/neo4j/labs/apoc-* /var/lib/neo4j/plugins/ neo4j restart ``` -------------------------------- ### Setup APOC Plugin for Neo4j Source: https://context7.com/cogiceo/gpohound/llms.txt Enable the APOC plugin for Neo4j to support BloodHound data enrichment. This involves copying the plugin to the Neo4j plugins directory and restarting the service, or configuring it in Docker Compose. ```bash # Standard Neo4j installation cp /var/lib/neo4j/labs/apoc-* /var/lib/neo4j/plugins/ neo4j restart ``` ```yaml # Docker Compose configuration # Add to your docker-compose.yml: # neo4j: # image: neo4j:latest # environment: # - NEO4J_PLUGINS=["apoc"] ``` -------------------------------- ### Analyze GPO Settings for a Computer Source: https://context7.com/cogiceo/gpohound/llms.txt Show full GPO settings in application order for a specific computer. Requires Neo4j connection details. ```bash gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis \ --computer 'SRV-PA-03.NORTH.SEVENKINGDOMS.LOCAL' --show ``` -------------------------------- ### Configure Neo4j Connection via Command Line Source: https://context7.com/cogiceo/gpohound/llms.txt Configure Neo4j connection settings using command-line parameters for BloodHound integration. These can be overridden by configuration files. ```bash gpohound --neo4j-host 127.0.0.1 --neo4j-port 7687 --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./sysvol analysis ``` -------------------------------- ### Download full SYSVOL using smbclient Source: https://github.com/cogiceo/gpohound/blob/main/README.md Download the entire SYSVOL directory using smbclient. The 'recurse' option ensures subdirectories are included. ```bash smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; mget *;" ``` -------------------------------- ### Programmatic Usage with GPOHoundCore Source: https://context7.com/cogiceo/gpohound/llms.txt Demonstrates how to use GPOHoundCore in Python scripts for custom analysis workflows, including loading configurations, initializing the core, dumping GPOs, and running analysis. ```APIDOC ## Programmatic Usage with GPOHoundCore Use GPOHound programmatically in Python scripts for custom analysis workflows. ```python from gpohound.core import GPOHoundCore from gpohound.utils.utils import load_yaml_config # Load configuration file_map = load_yaml_config("config", "gpo_files.yaml") policy_files = list(file_map.values()) # Initialize GPOHound with Neo4j connection gpohound_core = GPOHoundCore( policy_files, neo4j_host="127.0.0.1", neo4j_user="neo4j", neo4j_password="bloodhoundcommunityedition", neo4j_port=7687, ) # Dump GPOs gpohound_core.dump( sysvol_path="./example", domains=None, # Filter by domain names guids=None, # Filter by GPO GUIDs gpo_name=True, # Resolve GPO names print_json=False, # Output as JSON list_gpos=False, # List mode search=None, # Regex search pattern show=False, # Show search values ) # Run analysis gpohound_core.analyser( sysvol_path="./example", domains=None, guids=None, processed=False, # Show processed settings affected=True, # Include affected containers ingestor="bh-legacy", # Enrich BloodHound ("bh-legacy" or "bh-ce") gpo_name=True, order=False, # Show GPO order show=False, # Show GPO settings objects=["group", "registry", "privilege", "gpppassword"], container=None, # Target container DN/ID computer=None, # Target computer user=None, # Target user print_json=True, ) # Close connection when done gpohound_core.bloodhound_connector.close() ``` ``` -------------------------------- ### Analyze GPOs Programmatically with GPOHoundCore Source: https://context7.com/cogiceo/gpohound/llms.txt Use GPOHoundCore to load configurations, dump GPO data from SYSVOL, and run analysis against a Neo4j database. ```python from gpohound.core import GPOHoundCore from gpohound.utils.utils import load_yaml_config # Load configuration file_map = load_yaml_config("config", "gpo_files.yaml") policy_files = list(file_map.values()) # Initialize GPOHound with Neo4j connection gpohound_core = GPOHoundCore( policy_files, neo4j_host="127.0.0.1", neo4j_user="neo4j", neo4j_password="bloodhoundcommunityedition", neo4j_port=7687, ) # Dump GPOs gpohound_core.dump( sysvol_path="./example", domains=None, # Filter by domain names guids=None, # Filter by GPO GUIDs gpo_name=True, # Resolve GPO names print_json=False, # Output as JSON list_gpos=False, # List mode search=None, # Regex search pattern show=False, # Show search values ) # Run analysis gpohound_core.analyser( sysvol_path="./example", domains=None, guids=None, processed=False, # Show processed settings affected=True, # Include affected containers ingestor="bh-legacy", # Enrich BloodHound ("bh-legacy" or "bh-ce") gpo_name=True, order=False, # Show GPO order show=False, # Show GPO settings objects=["group", "registry", "privilege", "gpppassword"], container=None, # Target container DN/ID computer=None, # Target computer user=None, # Target user print_json=True, ) # Close connection when done gpohound_core.bloodhound_connector.close() ``` -------------------------------- ### Mount and Dump SYSVOL Share Source: https://context7.com/cogiceo/gpohound/llms.txt Mount the SYSVOL share locally using CIFS and then use rsync or smbclient to download GPO files. Remember to unmount the share when finished. ```bash # Mount the SYSVOL share locally sudo mkdir -p /mnt/$DOMAIN/SYSVOL/ sudo mount -t cifs -o username=$USER,password=$PASS,domain=$DOMAIN,ro "//$DC_IP/SYSVOL" "/mnt/$DOMAIN/SYSVOL/" # Download only the GPOs using rsync mkdir "$DOMAIN" rsync -a -v --exclude="PolicyDefinitions" --update /mnt/$DOMAIN/SYSVOL/*/Policies "$DOMAIN" # Unmount when finished sudo umount /mnt/$DOMAIN/SYSVOL/ ``` ```bash # Alternative: Download using smbclient mkdir -p "$DOMAIN"/Policies && cd "$DOMAIN"/Policies smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; cd $DOMAIN/Policies/; mget {*};" && cd - ``` -------------------------------- ### Mount SYSVOL share locally Source: https://github.com/cogiceo/gpohound/blob/main/README.md Mount the SYSVOL share from a domain controller to a local directory. Replace placeholders with your domain and credentials. ```bash sudo mkdir -p /mnt/$DOMAIN/SYSVOL/ sudo mount -t cifs -o username=$USER,password=$PASS,domain=$DOMAIN,ro "//$DC_IP/SYSVOL" "/mnt/$DOMAIN/SYSVOL/" ``` -------------------------------- ### Download only GPOs using smbclient Source: https://github.com/cogiceo/gpohound/blob/main/README.md Download only the GPO files from the SYSVOL share using smbclient. This command navigates to the Policies directory and downloads its contents. ```bash mkdir -p "$DOMAIN"/Policies && cd "$DOMAIN"/Policies smbclient -U "$USER"%"$PASS" //"$DC_IP"/SYSVOL -c "recurse; prompt; cd $DOMAIN/Policies/; mget {*};" && cd - ``` -------------------------------- ### Analyze GPO Application Order Source: https://context7.com/cogiceo/gpohound/llms.txt Analyze GPO application order for specific computers, users, or containers to understand policy inheritance. This command helps in determining which policies are applied and in what sequence. ```bash # Get GPO application order for a specific computer gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis \ --computer 'SRV-PA-03.NORTH.SEVENKINGDOMS.LOCAL' --order ``` ```bash # Output: GPO Order ``` -------------------------------- ### Analyze GPOs in JSON format Source: https://github.com/cogiceo/gpohound/blob/main/README.md Run the GPOHound analysis command and output the results in JSON format. This is useful for further processing or integration with other tools. ```bash gpohound analysis --json ``` -------------------------------- ### Download full SYSVOL using rsync Source: https://github.com/cogiceo/gpohound/blob/main/README.md Use rsync to download the entire SYSVOL contents, excluding the PolicyDefinitions directory. The --update flag ensures only changed files are transferred. ```bash rsync -a -v --exclude="PolicyDefinitions" --update /mnt/$DOMAIN/SYSVOL . ``` -------------------------------- ### Download only GPOs using rsync Source: https://github.com/cogiceo/gpohound/blob/main/README.md Download only the GPO-related files from SYSVOL, specifically the Policies directory, using rsync. This is useful for reducing the amount of data transferred. ```bash mkdir "$DOMAIN" rsync -a -v --exclude="PolicyDefinitions" --update /mnt/$DOMAIN/SYSVOL/*/Policies "$DOMAIN" ``` -------------------------------- ### Custom Configuration Directory Source: https://context7.com/cogiceo/gpohound/llms.txt Override default GPOHound configurations by placing YAML files in the user's config directory. The location varies by operating system. ```bash ~/.config/gpohound/ ``` -------------------------------- ### Configure Neo4j with Docker Compose for APOC Source: https://github.com/cogiceo/gpohound/blob/main/README.md Enable the APOC plugin for Neo4j when using Docker Compose by setting the NEO4J_PLUGINS environment variable. ```yaml neo4j: image: neo4j:latest environment: - NEO4J_PLUGINS=["apoc"] ``` -------------------------------- ### Dump GPOs in JSON format Source: https://github.com/cogiceo/gpohound/blob/main/README.md Run the GPOHound dump command to output GPO information in JSON format. This is useful for programmatic processing. ```bash gpohound dump --json ``` -------------------------------- ### Analyze GPOs for a Container Source: https://context7.com/cogiceo/gpohound/llms.txt Analyze Group Policy Objects for a specified container (OU or Domain) in application order. Requires Neo4j connection details. ```bash gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis \ --container 'OU=Servers,DC=north,DC=sevenkingdoms,DC=local' --order ``` -------------------------------- ### Search GPO values Source: https://github.com/cogiceo/gpohound/blob/main/README.md Search within GPO key/value pairs for a specific pattern using regex. The --show option displays the matching entries. ```bash gpohound dump --search 'VNC.*Server' --show ``` -------------------------------- ### Default GPOHound Configuration Source: https://github.com/cogiceo/gpohound/blob/main/CONFIG.md This is the default configuration for GPOHound, specifying general settings and attributes to include. ```yaml General: include: attributes: - Version - displayName ``` -------------------------------- ### Enrich BloodHound with GPO Findings Source: https://context7.com/cogiceo/gpohound/llms.txt Enrich BloodHound's Neo4j database with new relationships and properties discovered from GPO analysis. Use --enrich for legacy or --enrich-ce for Community Edition. ```bash gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis --enrich ``` ```bash gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis --enrich-ce ``` -------------------------------- ### Enrich BloodHound data with GPO analysis Source: https://github.com/cogiceo/gpohound/blob/main/README.md Run the GPOHound analysis command with the --enrich flag to add GPO-related relationships and properties to the BloodHound database. ```bash gpohound analysis --enrich ``` -------------------------------- ### Analyze GPOs for a Specific User Source: https://context7.com/cogiceo/gpohound/llms.txt Analyze Group Policy Objects for a specific user, showing them in application order. Requires Neo4j connection details. ```bash gpohound --neo4j-user neo4j --neo4j-pass bloodhoundcommunityedition -S ./example analysis \ --user 'arya.stark@north.sevenkingdoms.local' --order ``` -------------------------------- ### Security Analysis Detection Capabilities Configuration Source: https://context7.com/cogiceo/gpohound/llms.txt Reference for the types of security issues GPOHound can detect, including local group memberships, registry settings, and privilege rights. ```yaml # Local Group Membership Analysis # Detects trustees added to privileged local groups: # - Administrators (S-1-5-32-544) -> AdminTo edge # - Remote Desktop Users (S-1-5-32-555) -> CanRDP edge # - Distributed COM Users (S-1-5-32-562) -> ExecuteDCOM edge # - Remote Management Users (S-1-5-32-580) -> CanPSRemote edge # - Backup Operators (S-1-5-32-551) -> CanPrivEsc edge # - Print Operators (S-1-5-32-550) -> CanPrivEsc edge # - Network Configuration Operators (S-1-5-32-556) -> CanPrivEsc edge # Registry Settings Analysis # - SMB signing disabled/not required # - NTLMv1 authentication enabled # - Windows automatic logon credentials # - VNC stored passwords (RealVNC, TightVNC, TigerVNC, etc.) # - FileZilla stored passwords # - PuTTY proxy passwords # - TeamViewer credentials # - WinSCP saved sessions # - Picasa stored password # Privilege Rights Analysis (dangerous privileges) # - SeDebugPrivilege -> CanPrivEsc # - SeBackupPrivilege -> CanPrivEsc # - SeRestorePrivilege -> CanPrivEsc # - SeAssignPrimaryTokenPrivilege -> CanPrivEsc # - SeImpersonatePrivilege -> CanPrivEsc # - SeTakeOwnershipPrivilege -> CanPrivEsc # - SeTcbPrivilege -> CanPrivEsc # - SeCreateTokenPrivilege -> CanPrivEsc # - SeLoadDriverPrivilege -> CanPrivEsc # - SeManageVolumePrivilege -> CanPrivEsc ``` -------------------------------- ### Dump GPO files by name Source: https://github.com/cogiceo/gpohound/blob/main/README.md Filter GPO dump output to include only specific file types, such as scripts. This helps in focusing on relevant GPO components. ```bash gpohound dump --file scripts psscripts ``` -------------------------------- ### Decrypt GPP Passwords from GPO Analysis Source: https://context7.com/cogiceo/gpohound/llms.txt Run analysis to automatically detect and decrypt Group Policy Preferences (GPP) passwords stored in GPO XML files. Uses Microsoft's public AES key for decryption. ```bash gpohound -S ./example analysis --object gpppassword ``` -------------------------------- ### Decrypt VNC Passwords from Registry Analysis Source: https://context7.com/cogiceo/gpohound/llms.txt Perform registry analysis to detect and decrypt VNC passwords stored in registry settings. Uses the known VNC DES key for decryption. ```bash gpohound -S ./example analysis --object registry ``` -------------------------------- ### Unmount SYSVOL share Source: https://github.com/cogiceo/gpohound/blob/main/README.md Unmount the SYSVOL share after you have finished accessing it to free up resources. ```bash sudo umount /mnt/$DOMAIN/SYSVOL/ ``` -------------------------------- ### Exclude Section in GPOHound Configuration Source: https://github.com/cogiceo/gpohound/blob/main/CONFIG.md To exclude a section from parsing, comment out the 'include' line in the YAML configuration. ```yaml General: #include: attributes: - Version - displayName ``` -------------------------------- ### Security Analysis Detection Capabilities Source: https://context7.com/cogiceo/gpohound/llms.txt Lists the types of security issues GPOHound can detect in Group Policy Object (GPO) configurations. ```APIDOC ## Security Analysis Detection Capabilities GPOHound detects the following security issues in GPO configurations. ```yaml # Local Group Membership Analysis # Detects trustees added to privileged local groups: # - Administrators (S-1-5-32-544) -> AdminTo edge # - Remote Desktop Users (S-1-5-32-555) -> CanRDP edge # - Distributed COM Users (S-1-5-32-562) -> ExecuteDCOM edge # - Remote Management Users (S-1-5-32-580) -> CanPSRemote edge # - Backup Operators (S-1-5-32-551) -> CanPrivEsc edge # - Print Operators (S-1-5-32-550) -> CanPrivEsc edge # - Network Configuration Operators (S-1-5-32-556) -> CanPrivEsc edge # Registry Settings Analysis # - SMB signing disabled/not required # - NTLMv1 authentication enabled # - Windows automatic logon credentials # - VNC stored passwords (RealVNC, TightVNC, TigerVNC, etc.) # - FileZilla stored passwords # - PuTTY proxy passwords # - TeamViewer credentials # - WinSCP saved sessions # - Picasa stored password # Privilege Rights Analysis (dangerous privileges) # - SeDebugPrivilege -> CanPrivEsc # - SeBackupPrivilege -> CanPrivEsc # - SeRestorePrivilege -> CanPrivEsc # - SeAssignPrimaryTokenPrivilege -> CanPrivEsc # - SeImpersonatePrivilege -> CanPrivEsc # - SeTakeOwnershipPrivilege -> CanPrivEsc # - SeTcbPrivilege -> CanPrivEsc # - SeCreateTokenPrivilege -> CanPrivEsc # - SeLoadDriverPrivilege -> CanPrivEsc # - SeManageVolumePrivilege -> CanPrivEsc ``` ``` -------------------------------- ### Interact with BloodHound Database via BloodHoundConnector Source: https://context7.com/cogiceo/gpohound/llms.txt Perform direct queries and modifications on the BloodHound Neo4j database, including adding custom edges and properties. ```python from gpohound.utils.bloodhound import BloodHoundConnector # Initialize connector bh = BloodHoundConnector( host="127.0.0.1", user="neo4j", password="bloodhoundcommunityedition", port=7687 ) # Check connection and APOC availability print(f"Connected: {bh.connection}") print(f"APOC Available: {bh.apoc}") # Find domains domains = bh.find_domains() # Find GPO by GUID gpo = bh.find_by_gpo_guid("{21246D99-1426-495B-9E8E-556ABDD81F94}", "S-1-5-21-...") # Get containers affected by a GPO containers = bh.containers_affected_by_gpo("{21246D99-1426-495B-9E8E-556ABDD81F94}", "S-1-5-21-...") # Get GPO inheritance order for a container gpo_order = bh.get_gpo_inheritance("S-1-5-21-...-1234") # Add custom edge (requires APOC) bh.add_edges( domain_sid="S-1-5-21-...", container_ids=["S-1-5-21-...-1001", "S-1-5-21-...-1002"], trustee_sids=["S-1-5-21-...-1104"], edge="AdminTo" ) # Add computer property bh.add_extra_property( container_ids=["S-1-5-21-...-1001"], property_key="smbSigningEnabled", property_value=False ) # Execute custom Cypher query result = bh.query(""" MATCH (n:Computer) WHERE n.NTLMv1Support = True RETURN n.name """) bh.close() ``` -------------------------------- ### BloodHound Connector API Source: https://context7.com/cogiceo/gpohound/llms.txt Provides direct interaction with BloodHound's Neo4j database for custom queries and data manipulation. ```APIDOC ## BloodHound Connector API Direct interaction with BloodHound's Neo4j database for custom queries. ```python from gpohound.utils.bloodhound import BloodHoundConnector # Initialize connector bh = BloodHoundConnector( host="127.0.0.1", user="neo4j", password="bloodhoundcommunityedition", port=7687 ) # Check connection and APOC availability print(f"Connected: {bh.connection}") print(f"APOC Available: {bh.apoc}") # Find domains domains = bh.find_domains() # Find GPO by GUID gpo = bh.find_by_gpo_guid("{21246D99-1426-495B-9E8E-556ABDD81F94}", "S-1-5-21-...") # Get containers affected by a GPO containers = bh.containers_affected_by_gpo("{21246D99-1426-495B-9E8E-556ABDD81F94}", "S-1-5-21-...") # Get GPO inheritance order for a container gpo_order = bh.get_gpo_inheritance("S-1-5-21-...-1234") # Add custom edge (requires APOC) bh.add_edges( domain_sid="S-1-5-21-.", container_ids=["S-1-5-21-...-1001", "S-1-5-21-...-1002"], trustee_sids=["S-1-5-21-...-1104"], edge="AdminTo" ) # Add computer property bh.add_extra_property( container_ids=["S-1-5-21-...-1001"], property_key="smbSigningEnabled", property_value=False ) # Execute custom Cypher query result = bh.query(""" MATCH (n:Computer) WHERE n.NTLMv1Support = True RETURN n.name """) bh.close() ``` ``` -------------------------------- ### Analyze processed GPO objects Source: https://github.com/cogiceo/gpohound/blob/main/README.md Analyze specific GPO objects like 'group' or 'registry' after they have been processed. The --processed flag indicates that the analysis should be performed on processed data. ```bash gpohound analysis --processed --object group registry ``` -------------------------------- ### Exclude Attribute in GPOHound Configuration Source: https://github.com/cogiceo/gpohound/blob/main/CONFIG.md To exclude a specific attribute from being parsed, comment out the attribute line in the YAML configuration. ```yaml General: include: attributes: #- Version - displayName ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.