Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ingest GPOLocalGroup data #1147

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Ingest GPOLocalGroup data #1147

wants to merge 2 commits into from
+103 −0

Conversation

martanne
Copy link

Description

This pull requests ingests the GPOChanges JSON object as collected by SharpHound's GPOLocalGroup collector and adds the required nodes for the local groups and corresponding edges for the membership relation.

This in turn enables the existing analysis algorithm to create the previously missing AdminTo, CanRDP, CanPSRemote and ExecuteDCOM edges for principals assigned to local groups by means of GPOs.

Motivation and Context

This PR addresses GitHub issues #280 (and #240).

How Has This Been Tested?

Tested in a local Ludus lab instance.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist:

  • I have met the contributing prerequisites
  • I have ensured that related documentation is up-to-date
  • I have followed proper test practices

@martanne
feat: parse GPO changes for local group membership
7e9edc2 
While collected by SharpHound, the GPOChanges node of OUs was not taken
into account to generate local group membership relations.

For every affected computer, new ADLocalGroup nodes with corresponding
LocalToComputer and MemberOfLocalGroup edges are generated.

This should fix issue SpecterOps#280.
@martanne
test: add tests for AdminTo relationship based on GPOs
350ad50
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 12, 2025
edited
Loading

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@martanne
Copy link
Author

I have read the CLA Document and I hereby sign the CLA

@martanne martanne mentioned this pull request Feb 13, 2025
Open
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@martanne