### Install gpoParser via pipx Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Installs the gpoParser tool using pipx. Note that the gssapi dependency requires system-level libraries like libkrb5-dev. ```bash sudo apt install libkrb5-dev pipx install git+https://github.com/synacktiv/gpoParser ``` -------------------------------- ### LDAP Connection and Querying Source: https://context7.com/synacktiv/gpoparser/llms.txt Provides examples of establishing LDAP connections to Active Directory using various authentication methods including password, NTLM hash, and LDAPS with channel binding. It shows how to perform LDAP queries, resolve SIDs to names, and access connection properties. ```python from gpoParser.core.ldap import LDAP # Password authentication ldap = LDAP( server="ldap://192.168.57.5", domain="corp", username="bob", password="password" ) # NTLM hash authentication ldap = LDAP( server="ldap://192.168.57.5", domain="corp", username="bob", password=None, lm_hash="aad3b435b51404eeaad3b435b51404ee", nt_hash="e19ccf75ee54e06b06a5907af13cef42" ) # LDAPS with channel binding ldap = LDAP( server="ldaps://dc.corp.local", domain="corp", username="admin", password="SecurePass" ) # Query for GPO containers search_filter = "(objectCategory=groupPolicyContainer)" attributes = ["cn", "displayName", "flags"] results = ldap.query(search_filter, attributes) for entry in results: print(f"GPO: {entry['displayName']} - GUID: {entry['cn']}") # Resolve SID to name name = ldap.resolve_sid("S-1-5-21-123456789-123456789-123456789-1001") print(f"Resolved: {name}") # Access connection properties print(f"Base DN: {ldap.base_dn}") print(f"Domain FQDN: {ldap.domain_fqdn}") ``` -------------------------------- ### BloodHound Neo4j Integration for GPO Analysis Source: https://context7.com/synacktiv/gpoparser/llms.txt Demonstrates how to connect to a BloodHound Neo4j database and create relationship edges based on GPO analysis. It includes examples of running custom Cypher queries and creating specific edges like 'AdminTo' and others based on group memberships. ```python from gpoParser.core.enrich import BloodHoundConnector, create_edges, create_admin_edges # Connect to Neo4j bh = BloodHoundConnector( uri="bolt://localhost:7687", user="neo4j", password="bloodhoundcommunityedition" ) # Run custom Cypher query results = bh.run_query( "MATCH (n:User) WHERE n.name CONTAINS 'ADMIN' RETURN n.name LIMIT 10" ) for record in results: print(record["n.name"]) # Create AdminTo edge between principal and computer create_admin_edges( bh, source_principal=("S-1-5-21-xxx-1001", "sid"), target_principal="CN=SRV01,OU=Servers,DC=CORP,DC=LOCAL" ) # The create_edges function processes all GPOs and creates: # - AdminTo edges for Administrators group membership # - CanRDP edges for Remote Desktop Users group membership # - CanPSRemote edges for Remote Management Users group membership create_edges(args, ou_objects, gpo_objects, sid_cache, dn_cache) ``` -------------------------------- ### Display GPO Configurations with gpoParser Source: https://github.com/synacktiv/gpoparser/blob/main/README.md This command displays configuration changes applied by GPOs. It supports filtering by GPO name or GUID and uses a cache file for storing parsed data. The output shows modifications to computer configurations, including group memberships and administrative privileges. ```bash $ gpoParser display -h usage: gpoParser display [-h] [-g GPO] [-c CACHE] options: -h, --help show this help message and exit -g GPO, --gpo GPO Filter by GPO name or GUID -c CACHE, --cache CACHE Cache file location (default: ./cache_gpoParser_.json) $ gpoParser display Cache file found, using it {6F3821B3-89B2-496D-82A5-58092D3EA588}: AddAdmin Computer configuration Groups The following principals are added to BUILTIN\Administrators CORP\admin {ADC96BD4-86D3-4516-BCF2-F7BDD5A76366}: AddRDP Computer configuration Groups The following principals are added to BUILTIN\Remote Desktop Users CORP\bob [...] $ gpoParser display -g work Cache file found, using it {474D47E2-2B77-4E37-9744-A3CF6AB04449}: Workstation admins Computer configuration Groups The following principals are added to BUILTIN\Administrators CORP\Admin - All Workstations ``` -------------------------------- ### Display GPO Configuration Changes Source: https://context7.com/synacktiv/gpoparser/llms.txt Lists configuration changes applied by GPOs, such as group memberships and registry modifications. Supports filtering by GPO name or GUID. ```bash gpoParser display gpoParser display -g work gpoParser display -g 6F3821B3-89B2-496D-82A5-58092D3EA588 gpoParser display -c ./cache_gpoParser_1234567890.json -g admin ``` -------------------------------- ### GPO Class Structure and Content Source: https://context7.com/synacktiv/gpoparser/llms.txt Demonstrates the structure of the GPO class, which holds parsed policy information including group memberships, registry settings, and user configurations for both computer and user policies. Shows how to create a GPO object and restore it from a dictionary. ```python from gpoParser.core.gpo import GPO, load_gpos # GPO object structure gpo = GPO("{6F3821B3-89B2-496D-82A5-58092D3EA588}") gpo.name = "AddAdmin" gpo.flags = 0 # GPO status flags # Content structure contains parsed configurations gpo.content = { "computer": { "groups": [ { "group_name": "Administrators (built-in)", "group_sid": "S-1-5-32-544", "action": "ADD", "members_added": [ {"name": "CORP\admin", "sid": "S-1-5-21-xxx-1001"} ], "members_removed": [], "delete_all_users": False, "delete_all_groups": False } ], "users": [ { "action": "U", # U=Update, C=Create, D=Delete, R=Replace "username": "Administrator", "cpassword": "", # GPP password if present "account_disable": False } ], "registry": [ { "action": "C", # Create "hive": "HKEY_LOCAL_MACHINE", "path": "SYSTEM\CurrentControlSet\Control\Lsa", "name": "NoLMHash", "value": "1" } ], "privileges": [ { "privilege_name": "SeDebugPrivilege", "members": ["S-1-5-32-544", "CORP\DebugUsers"] } ] }, "user": { "groups": [], "users": [], "registry": [], "privileges": [] } } # Restore GPO from cache dict gpo_restored = GPO.from_dict({ "guid": "{6F3821B3-89B2-496D-82A5-58092D3EA588}", "name": "AddAdmin", "flags": 0, "content": gpo.content }) ``` -------------------------------- ### OU Class and GPO Inheritance Processing Source: https://context7.com/synacktiv/gpoparser/llms.txt Illustrates the OU class for managing organizational units and their GPO linkages, including inheritance blocking and enforcement. Shows how to process GPO inheritance across the OU hierarchy to determine effective GPOs. ```python from gpoParser.core.ou import OU, load_ous from gpoParser.core.processor import process_gpos # OU object structure ou = OU("OU=Servers,DC=CORP,DC=LOCAL") ou.gplink = "[LDAP://CN={6F3821B3-89B2-496D-82A5-58092D3EA588},CN=Policies,CN=System,DC=CORP,DC=LOCAL;0]" ou.block_inheritance = False # After processing, these lists are populated: # ou.gpos_guids - GPOs directly linked (non-enforced) # ou.enforced_gpos_guids - GPOs linked with enforcement # ou.effective_gpos_guids - All GPOs that apply (including inherited) # Process GPO inheritance across OU hierarchy # This resolves inheritance, enforcement, and blocking process_gpos(ou_objects, gpo_objects) # Example effective GPOs after processing for ou in ou_objects: print(f"OU: {ou.dn}") print(f" Direct GPOs: {ou.gpos_guids}") print(f" Enforced GPOs: {ou.enforced_gpos_guids}") print(f" Effective GPOs (including inherited): {ou.effective_gpos_guids}") ``` -------------------------------- ### gpoParser - Local Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Parses GPOs from local files, requiring a dump of the LDAP directory and SYSVOL share. ```APIDOC ## gpoParser local ### Description Parses GPOs from local files. Requires a dump of the LDAP directory (using tools like ldeep or ADExplorerSnapshot) and the content of the SYSVOL share. ### Method `gpoParser local` ### Endpoint `gpoParser local [-f {ldeep,adexplorer}] [-o OUTPUT] sysvol_folder ldap_folder` ### Parameters #### Path Parameters - **sysvol_folder** (string) - Required - Path to the SYSVOL folder containing the policies. - **ldap_folder** (string) - Required - Path to the folder containing the LDAP dump. #### Query Parameters - **-f, --format** (string) - Optional - JSON files input format (default: ldeep). Options: `ldeep`, `adexplorer`. - **-o, --output** (string) - Optional - Output filename and location (default: ./cache_gpoParser_.json). ### Request Example ```bash mkdir sysvol && cd sysvol && echo -e 'prompt\nrecurse\nmget *' | smbclient -W CORP -U bob%password //192.168.57.5/SYSVOL mkdir ldap && ldeep ldap -u bob -p password -d corp.local -s 192.168.57.5 all ldap/corp gpoParser local sysvol/ ldap/ ``` ### Response #### Success Response (200) Information saved to cache, now use display / query features. #### Response Example ``` Information saved to cache, now use display / query features ``` ``` -------------------------------- ### SID Resolution with Cache Source: https://context7.com/synacktiv/gpoparser/llms.txt Illustrates how to resolve Windows Security Identifiers (SIDs) to human-readable names. It covers the use of built-in well-known SIDs and how to build and utilize a SID cache derived from LDAP data for efficient resolution. ```python from gpoParser.core.resolver import resolv_sid, build_sid_cache, WELL_KNOWN_SIDS # Well-known SIDs are automatically resolved print(WELL_KNOWN_SIDS["S-1-5-32-544"]) print(WELL_KNOWN_SIDS["S-1-5-32-555"]) print(WELL_KNOWN_SIDS["S-1-5-32-580"]) print(WELL_KNOWN_SIDS["S-1-1-0"]) # Build SID cache from LDAP data sid_cache = build_sid_cache(args) # Resolve SID using cache resolved = resolv_sid(args, "S-1-5-21-123456789-123456789-123456789-1001", sid_cache) print(resolved) # Built-in SIDs resolve without cache resolved = resolv_sid(args, "S-1-5-32-544", sid_cache) print(resolved) ``` -------------------------------- ### Retrieve GPOs in Online Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Connects to the LDAP directory and SYSVOL share to gather GPO attributes and configuration files. Requires domain credentials or hashes for authentication. ```bash gpoParser remote -u bob -p password -d corp -s 192.168.57.5 ``` -------------------------------- ### Query GPO Relationships with gpoParser Source: https://github.com/synacktiv/gpoparser/blob/main/README.md This command queries the relationships between GPOs and computers. It allows filtering by GPO name/GUID or computer name/distinguishedName. The output lists which computers a specific GPO affects or details the changes applied to a given computer, including registry modifications. ```bash $ gpoParser query -h usage: gpoParser query [-h] [-g GPO] [-C COMPUTER] [-c CACHE] options: -h, --help show this help message and exit -g GPO, --gpo GPO Filter by GPO name or GUID -C COMPUTER, --computer COMPUTER Computer name or distinguishedName to filter on -c CACHE, --cache CACHE Cache file location (default: ./cache_gpoParser_.json) $ gpoParser query Cache file found, using it {6F3821B3-89B2-496D-82A5-58092D3EA588}: AddAdmin This GPO affects the following computers: CN=SRV55,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL CN=SRV54,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL CN=SRV53,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL CN=SRV52,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL {6AC1786C-016F-11D2-945F-00C04FB984F9}: Default Domain Controllers Policy This GPO affects the following computers: CN=DC01,OU=Domain Controllers,DC=CORP,DC=LOCAL {31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy This GPO affects the following computers: CN=SRV51,OU=SUBSUB,OU=SUB,DC=CORP,DC=LOCAL CN=SRV49,OU=SUB,DC=CORP,DC=LOCAL CN=SRV50,OU=SUB,DC=CORP,DC=LOCAL CN=SRV55,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL [...] $ gpoParser query -C wks Cache file found, using it CN=WKS01,OU=ADMIN,OU=WORKSTATIONS,DC=CORP,DC=LOCAL {31B2F340-016D-11D2-945F-00C04FB984F9}: Default Domain Policy Computer configuration Registry The following registry key changes have been made Action: Create Path: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash Value: 4,1 The following registry key changes have been made Action: Update Hive: HKEY_LOCAL_MACHINE Path: SYSTEM\CurrentControlSet\Services\Dnscache\Parameters Name: EnableMDNS Value: 00000000 ``` -------------------------------- ### gpoParser - Display Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Displays the parsed GPO contents from a cache file. ```APIDOC ## gpoParser display ### Description Displays the parsed GPO contents from a previously generated cache file. ### Method `gpoParser display` ### Endpoint `gpoParser display [-h] [-i INPUT]` ### Parameters #### Query Parameters - **-i, --input** (string) - Optional - Input cache file (default: ./cache_gpoParser_*.json) ### Request Example ```bash gpoParser display -i ./cache_gpoParser_1678886400.json ``` ### Response #### Success Response (200) Displays the GPO contents in a human-readable format. #### Response Example ``` [Parsed GPO content displayed here] ``` ``` -------------------------------- ### gpoParser - Query Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Queries the parsed GPO results to display affected computers. ```APIDOC ## gpoParser query ### Description Queries the parsed GPO results to identify and display computers affected by specific policies. ### Method `gpoParser query` ### Endpoint `gpoParser query [-h] [-i INPUT] [-q QUERY]` ### Parameters #### Query Parameters - **-i, --input** (string) - Optional - Input cache file (default: ./cache_gpoParser_*.json) - **-q, --query** (string) - Required - Query to filter GPO results (e.g., "users.username = 'admin'") ### Request Example ```bash gpoParser query -i ./cache_gpoParser_1678886400.json -q "computers.name = 'DC01'" ``` ### Response #### Success Response (200) Lists the computers that match the query criteria. #### Response Example ``` [List of affected computers] ``` ``` -------------------------------- ### gpoParser - Remote Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Parses GPOs by connecting to the Active Directory LDAP and SYSVOL share remotely. ```APIDOC ## gpoParser remote ### Description Parses GPOs by connecting to the Active Directory LDAP and SYSVOL share remotely to gather GPO-related information and configuration files. ### Method `gpoParser remote` ### Endpoint `gpoParser remote [-s SERVER] [-d DOMAIN] [-u USER] [-p PASSWORD] [-H HASH] [-k] [-o OUTPUT]` ### Parameters #### Query Parameters - **-s, --server** (string) - Required - LDAP server IP or FQDN (ex: ldap://192.168.57.5 or ldaps://dc.corp.local) - **-d, --domain** (string) - Required - Domain name tied to the user - **-u, --user** (string) - Required - Username - **-p, --password** (string) - Optional - Password - **-H, --hash** (string) - Optional - NTLM authentication, format is [LM:]NT - **-k, --kerberos** (boolean) - Optional - Use Kerberos authentication - **-o, --output** (string) - Optional - Output filename and location (default ./cache_gpoParser_.json) ### Request Example ```bash gpoParser remote -u bob -p password -d corp -s 192.168.57.5 ``` ### Response #### Success Response (200) Information saved to cache, now use display / query features. #### Response Example ``` Retrieving \CORP.LOCAL\Policies\{008B0634-C0B9-443A-A06A-E2BAD875E27F}\Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf Retrieving \CORP.LOCAL\Policies\{008B0634-C0B9-443A-A06A-E2BAD875E27F}\Machine/Preferences/Groups/Groups.xml Retrieving \CORP.LOCAL\Policies\{008B0634-C0B9-443A-A06A-E2BAD875E27F}\Machine/Preferences/Registry/Registry.xml ... Information saved to cache, now use display / query features ``` ``` -------------------------------- ### Enrich BloodHound with GPO Data using gpoParser Source: https://github.com/synacktiv/gpoparser/blob/main/README.md This command enriches BloodHound data by parsing GPO information and creating additional edges like AdminTo, CanRDP, and CanPSRemote. It connects directly to the Neo4j database to identify lateral movement opportunities not natively detected by BloodHound. Authentication and server details for Neo4j can be provided. ```bash $ gpoParser enrich -h usage: gpoParser enrich [-h] [-u USER] [-p PASSWORD] [-s SERVER] [-c CACHE] options: -h, --help show this help message and exit -u USER, --user USER Username for neo4j authentication (default: neo4j) -p PASSWORD, --password PASSWORD Password for neo4j authentication (default: bloodhoundcommunityedition) -s SERVER, --server SERVER Neo4j server URI (default: bolt://localhost:7687) -c CACHE, --cache CACHE Cache file location (default: ./cache_gpoParser_.json) ``` -------------------------------- ### Cache Operations for GPO Parsing Source: https://context7.com/synacktiv/gpoparser/llms.txt Demonstrates how to load and save cached GPO and OU objects. The cache is used to store parsing results to avoid redundant computations. It supports loading from a specified file pattern and saving the processed objects. ```python import argparse args = argparse.Namespace( cache="./cache_gpoParser_*.json", output="./cache_gpoParser_1234567890.json" ) is_cached, ou_objects, gpo_objects, sid_cache, dn_cache = load_cache(args) if is_cached: print(f"Loaded {len(gpo_objects)} GPOs and {len(ou_objects)} OUs") print(f"SID cache entries: {len(sid_cache)}") print(f"DN cache entries: {len(dn_cache)}") else: print("No cache found, run local or remote parsing first") save_cache(args, ou_objects, gpo_objects) ``` -------------------------------- ### Query GPO-to-Computer Relationships Source: https://context7.com/synacktiv/gpoparser/llms.txt Identifies which computers are affected by specific GPOs, helping to determine the scope of security policies within the directory. ```bash gpoParser query gpoParser query -g AddAdmin ``` -------------------------------- ### Parse Local GPO Data Source: https://context7.com/synacktiv/gpoparser/llms.txt Parses GPO configurations from offline data collected via tools like ldeep or ADExplorerSnapshot. Requires access to SYSVOL and LDAP dump files. ```bash mkdir sysvol && cd sysvol echo -e 'prompt\nrecurse\nmget *' | smbclient -W CORP -U bob%password //192.168.57.5/SYSVOL mkdir ldap ldeep ldap -u bob -p password -d corp.local -s 192.168.57.5 all ldap/corp gpoParser local sysvol/ ldap/ gpoParser local -f adexplorer sysvol/ adexplorer_dump/ gpoParser local sysvol/ ldap/ -o analysis_results.json ``` -------------------------------- ### Analyze GPOs in Offline Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Parses local copies of the LDAP directory and SYSVOL Policies folder. This mode is useful when direct connectivity to the domain controller is restricted or when working with exported snapshots. ```bash mkdir sysvol && cd sysvol && echo -e 'prompt\nrecurse\nmget *' | smbclient -W CORP -U bob%password //192.168.57.5/SYSVOL mkdir ldap && ldeep ldap -u bob -p password -d corp.local -s 192.168.57.5 all ldap/corp gpoParser local sysvol/ ldap/ ``` -------------------------------- ### Cache Management for GPO Data Source: https://context7.com/synacktiv/gpoparser/llms.txt Provides functions for saving and loading parsed GPO data to a cache file. This avoids redundant domain queries and stores GPOs, OUs, SID mappings, and computer-to-OU relationships. ```python from gpoParser.core.exporter import save_cache, load_cache import argparse ``` -------------------------------- ### Query GPOs Affecting a Computer Source: https://context7.com/synacktiv/gpoparser/llms.txt Query GPOs that affect a specific computer using partial or full distinguished names. Supports using a specific cache file for faster lookups. ```bash gpoParser query -C wks gpoParser query -C "CN=SRV55,OU=PROD,OU=Servers,DC=CORP,DC=LOCAL" gpoParser query -c /path/to/cache.json -C srv ``` -------------------------------- ### LDAP Connection Class Source: https://context7.com/synacktiv/gpoparser/llms.txt Establishes direct LDAP operations for querying Active Directory using various authentication methods like NTLM, password, and Kerberos. ```APIDOC ## LDAP Connection Class Direct LDAP operations for querying Active Directory. Supports NTLM, password, and Kerberos authentication with automatic encryption. ### Method Instantiate the `LDAP` class with connection and authentication details. ### Parameters - **server** (string) - Required - The LDAP server URI (e.g., "ldap://192.168.57.5"). - **domain** (string) - Required - The domain name (e.g., "corp"). - **username** (string) - Required - The username for authentication. - **password** (string) - Optional - The user's password. Required if not using hash authentication. - **lm_hash** (string) - Optional - The LM hash for NTLM authentication. - **nt_hash** (string) - Optional - The NT hash for NTLM authentication. ### Request Example (Password Authentication) ```python from gpoParser.core.ldap import LDAP ldap = LDAP( server="ldap://192.168.57.5", domain="corp", username="bob", password="password" ) ``` ### Request Example (NTLM Hash Authentication) ```python ldap = LDAP( server="ldap://192.168.57.5", domain="corp", username="bob", password=None, lm_hash="aad3b435b51404eeaad3b435b51404ee", nt_hash="e19ccf75ee54e06b06a5907af13cef42" ) ``` ### Request Example (LDAPS with Channel Binding) ```python ldap = LDAP( server="ldaps://dc.corp.local", domain="corp", username="admin", password="SecurePass" ) ``` ### Querying Data #### Method `ldap.query(search_filter, attributes)` #### Parameters - **search_filter** (string) - Required - The LDAP filter to apply (e.g., "(objectCategory=groupPolicyContainer)"). - **attributes** (list of strings) - Required - A list of attributes to retrieve (e.g., ["cn", "displayName", "flags"]). #### Response Example ```python search_filter = "(objectCategory=groupPolicyContainer)" attributes = ["cn", "displayName", "flags"] results = ldap.query(search_filter, attributes) for entry in results: print(f"GPO: {entry['displayName']} - GUID: {entry['cn']}") ``` ### SID Resolution #### Method `ldap.resolve_sid(sid)` #### Parameters - **sid** (string) - Required - The Security Identifier to resolve. #### Response Example ```python name = ldap.resolve_sid("S-1-5-21-123456789-123456789-123456789-1001") print(f"Resolved: {name}") # Output: bob ``` ### Connection Properties #### Response Example ```python print(f"Base DN: {ldap.base_dn}") # DC=CORP,DC=LOCAL print(f"Domain FQDN: {ldap.domain_fqdn}") # corp.local ``` ``` -------------------------------- ### Perform Remote GPO Collection Source: https://context7.com/synacktiv/gpoparser/llms.txt Connects to a domain controller via LDAP/SYSVOL to retrieve GPO information. Supports various authentication methods including password, NTLM hash, and Kerberos. ```bash gpoParser remote -u bob -p password -d corp -s 192.168.57.5 gpoParser remote -u admin -p 'SecurePass123!' -d corp.local -s ldaps://dc.corp.local gpoParser remote -u bob -H aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 -d corp -s 192.168.57.5 export KRB5CCNAME=/tmp/bob.ccache gpoParser remote -u bob -k -d corp -s dc.corp.local gpoParser remote -u bob -p password -d corp -s 192.168.57.5 -o /tmp/corp_gpos.json ``` -------------------------------- ### BloodHound Neo4j Integration Source: https://context7.com/synacktiv/gpoparser/llms.txt Connects to BloodHound's Neo4j database to create relationship edges based on GPO analysis. ```APIDOC ## BloodHound Neo4j Integration Connect to BloodHound's Neo4j database and create relationship edges based on GPO analysis. ### Connecting to Neo4j #### Method Instantiate the `BloodHoundConnector` class. #### Parameters - **uri** (string) - Required - The Neo4j connection URI (e.g., "bolt://localhost:7687"). - **user** (string) - Required - The Neo4j username. - **password** (string) - Required - The Neo4j password. #### Request Example ```python from gpoParser.core.enrich import BloodHoundConnector bh = BloodHoundConnector( uri="bolt://localhost:7687", user="neo4j", password="bloodhoundcommunityedition" ) ``` ### Running Custom Cypher Queries #### Method `bh.run_query(cypher_query)` #### Parameters - **cypher_query** (string) - Required - The Cypher query to execute. #### Response Example ```python results = bh.run_query( "MATCH (n:User) WHERE n.name CONTAINS 'ADMIN' RETURN n.name LIMIT 10" ) for record in results: print(record["n.name"]) ``` ### Creating AdminTo Edges #### Method `create_admin_edges(bh, source_principal, target_principal)` #### Parameters - **bh** (BloodHoundConnector) - Required - An instance of the BloodHoundConnector. - **source_principal** (tuple) - Required - A tuple `(identifier, type)` where `identifier` is the SID or name, and `type` is either "sid" or "name". - **target_principal** (string) - Required - The distinguished name (DN) of the target computer. #### Request Example ```python create_admin_edges( bh, source_principal=("S-1-5-21-xxx-1001", "sid"), target_principal="CN=SRV01,OU=Servers,DC=CORP,DC=LOCAL" ) ``` ### Creating Various Relationship Edges #### Method `create_edges(args, ou_objects, gpo_objects, sid_cache, dn_cache)` #### Description This function processes all GPOs and creates the following edges in BloodHound: - `AdminTo` edges for Administrators group membership. - `CanRDP` edges for Remote Desktop Users group membership. - `CanPSRemote` edges for Remote Management Users group membership. #### Parameters - **args** (object) - Required - An object containing necessary arguments. - **ou_objects** (list) - Required - A list of Organizational Unit objects. - **gpo_objects** (list) - Required - A list of GPO objects. - **sid_cache** (dict) - Required - The SID to name cache. - **dn_cache** (dict) - Required - The DN to computer DN cache. #### Request Example ```python # Assuming all required objects and caches are populated create_edges(args, ou_objects, gpo_objects, sid_cache, dn_cache) ``` ``` -------------------------------- ### gpoParser - Enrich Mode Source: https://github.com/synacktiv/gpoparser/blob/main/README.md Enriches BloodHound with new edges derived from parsed GPO data. ```APIDOC ## gpoParser enrich ### Description Enriches BloodHound with new edges generated from the parsed GPO data, providing additional insights into the Active Directory environment. ### Method `gpoParser enrich` ### Endpoint `gpoParser enrich [-h] [-i INPUT] [-o OUTPUT]` ### Parameters #### Query Parameters - **-i, --input** (string) - Optional - Input cache file (default: ./cache_gpoParser_*.json) - **-o, --output** (string) - Optional - Output file for BloodHound compatible data (default: bloodhound_edges.json) ### Request Example ```bash gpoParser enrich -i ./cache_gpoParser_1678886400.json -o bloodhound_custom_edges.json ``` ### Response #### Success Response (200) Generates a JSON file containing new edges for BloodHound. #### Response Example ``` [BloodHound compatible JSON edges output] ``` ``` -------------------------------- ### Enrich BloodHound with GPO Data Source: https://context7.com/synacktiv/gpoparser/llms.txt Enrich BloodHound's Neo4j database with additional relationships like AdminTo, CanRDP, and CanPSRemote derived from GPO analysis. Supports custom Neo4j connection details and cache files. ```bash gpoParser enrich gpoParser enrich -u neo4j -p MyPassword123 gpoParser enrich -s bolt://bloodhound.internal:7687 -u neo4j -p password gpoParser enrich -s bolt://192.168.1.100:7687 -u neo4j -p secret -c ./corp_cache.json ``` -------------------------------- ### Close GPOParser Connection Source: https://context7.com/synacktiv/gpoparser/llms.txt Closes the active connection to the GPOParser instance. This should be called after completing analysis tasks to ensure resources are properly released. ```python bh.close() ``` -------------------------------- ### SID Resolution Source: https://context7.com/synacktiv/gpoparser/llms.txt Resolves Windows Security Identifiers (SIDs) to human-readable names using cached mappings and built-in lookups. ```APIDOC ## SID Resolution Resolve Windows Security Identifiers (SIDs) to human-readable names using cached mappings and well-known SID lookups. ### Well-Known SIDs Well-known SIDs are automatically resolved without needing a cache. #### Response Example ```python from gpoParser.core.resolver import WELL_KNOWN_SIDS print(WELL_KNOWN_SIDS["S-1-5-32-544"]) # BUILTIN\Administrators print(WELL_KNOWN_SIDS["S-1-5-32-555"]) # BUILTIN\Remote Desktop Users print(WELL_KNOWN_SIDS["S-1-5-32-580"]) # BUILTIN\Remote Management Users print(WELL_KNOWN_SIDS["S-1-1-0"]) # Everyone ``` ### Building SID Cache #### Method `build_sid_cache(args)` #### Parameters - **args** (object) - Required - An object containing necessary arguments, typically from `argparse`. #### Response Example ```python # Assuming 'args' is an argparse.Namespace object sid_cache = build_sid_cache(args) # Returns: {"S-1-5-21-xxx-1001": "bob", "S-1-5-21-xxx-512": "Domain Admins", ...} ``` ### Resolving SIDs with Cache #### Method `resolv_sid(args, sid, sid_cache)` #### Parameters - **args** (object) - Required - An object containing necessary arguments. - **sid** (string) - Required - The Security Identifier to resolve. - **sid_cache** (dict) - Required - The pre-built SID cache. #### Response Example ```python # Assuming 'args' and 'sid_cache' are already defined resolved = resolv_sid(args, "S-1-5-21-123456789-123456789-123456789-1001", sid_cache) print(resolved) # "bob" if in cache, otherwise returns original SID # Built-in SIDs resolve without cache resolved = resolv_sid(args, "S-1-5-32-544", sid_cache) print(resolved) # "BUILTIN\Administrators" ``` ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.