Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
Examples of the kinds of stuff it finds in GPOs:
+ GPOs which grant modify permissions on the GPO itself to non-default users.
+ Startup and shutdown scripts
+-+ arguments and the scripts themselves often include creds.
+-+ scripts are often stored with permissions that allow you to modify them.
+ MSI installers being automatically deployed
+-+ again, often stored somewhere that will grant you modify permissions.
+ Good old fashioned Group Policy Preferences passwords.
+ Autologon registry entries containing credentials.
+ Other creds being stored in the registry for fun stuff like VNC.
+ Scheduled tasks with stored credentials.
+-+ These also often run stuff from poorly secured file shares.
+ User Rights
+-+ Handy to spot where admins accidentally granted ‘Domain Users’ RDP access or those fun rights that let you run mimikatz even without full admin privs.
+ Tweaks to local file permissions
+-+ Good for finding those machines where the admins just stamped “Full Control” for “Everyone” on “C:\Program Files”.
+ File Shares
+ INI Files
+ Environment Variables
+ … and much more! (well, not very much, but some)
Yes it’s pretty rough, but it saves me an enormous amount of time reading through those awful 150MB HTML GPO reports, and if it works for me it might work for you.
Note: While some function names might include the word audit, Grouper is explicitly NOT meant to be an exhaustive audit for best practice configurations etc. If you want that, you should be using Microsoft SCT and LGPO.exe or something.
– Add explanations to each check function to provide guidance on what to look for to see if a thing is vulnerable, how to exploit vulnerable configs, etc.
– Remove reliance on RSAT/Group Policy cmdlets to generate the initial report or fold the required code into this script so it can be run on any machine with PS installed.
– Implement more checks to separate ‘could be bad’ configurations from ‘almost certainly bad’.
– Implement checks for some of the more common non-default Group Policy templates, e.g. MS Office, Citrix, etc.
Use and download:
git clone https://github.com/l0ss/Grouper && cd Grouper
Invoke-AuditGPReport test_report.xml -showDisabled
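As an added example (not Grouper's own code) of the kind of sifting described above, this PowerShell walks a Get-GPOReport XML export and flags the Autologon registry entries and Group Policy Preferences passwords from the list. The embedded report is a constructed sample, and the element layout assumed here follows the Preferences/Registry section of a real report.

```powershell
# Added example (not Grouper's code): flag registry settings in a Get-GPOReport XML export
# that embed credentials. The report below is a constructed sample, not a real export.
$sampleReport = @'
<GPOS xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <GPO>
    <Name>Workstation Baseline</Name>
    <Computer><ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q1:RegistrySettings>
          <q1:Registry name="DefaultPassword" status="DefaultPassword">
            <q1:Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
              name="DefaultPassword" type="REG_SZ" value="Summer2017!" />
          </q1:Registry>
          <q1:Registry name="VerboseStatus" status="VerboseStatus">
            <q1:Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
              name="VerboseStatus" type="REG_DWORD" value="00000001" />
          </q1:Registry>
        </q1:RegistrySettings>
      </Extension>
    </ExtensionData></Computer>
  </GPO>
</GPOS>
'@

function Find-GpoRegistryCredentials {
    param([Parameter(Mandatory)][xml]$Report)
    # local-name() sidesteps the per-extension namespaces (q1, q2, ...) used in the report
    foreach ($gpo in $Report.SelectNodes("//*[local-name()='GPO']")) {
        $gpoName = $gpo.SelectSingleNode("*[local-name()='Name']").InnerText
        foreach ($p in $gpo.SelectNodes(".//*[local-name()='Properties']")) {
            $reason = $null
            if ($p.HasAttribute('cpassword')) {
                $reason = 'Group Policy Preferences cpassword attribute'
            } elseif ($p.GetAttribute('key') -like '*\Winlogon' -and
                      $p.GetAttribute('name') -in @('DefaultPassword', 'DefaultUserName', 'AutoAdminLogon')) {
                $reason = 'Winlogon autologon entry'
            }
            if ($reason) {
                [pscustomobject]@{
                    GPO = $gpoName; Key = $p.GetAttribute('key'); Name = $p.GetAttribute('name')
                    Value = $p.GetAttribute('value'); Reason = $reason
                }
            }
        }
    }
}

# Runs against the sample; for a live domain pass [xml](Get-Content .\gporeport.xml -Raw)
# from Get-GPOReport -All -ReportType Xml -Path .\gporeport.xml instead.
Find-GpoRegistryCredentials -Report ([xml]$sampleReport) | Format-Table -AutoSize
```

Only the Winlogon DefaultPassword entry is reported for the sample; the VerboseStatus setting passes through untouched, which is the noise-filtering the report sifting is about.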