GPOAnalyzer

GPOAnalyzer is a tool designed for penetration testers and red teamers to assist in analyzing domain Group Policy Object (GPO) files located in the SYSVOL directory.

GPOAnalyzer is valuable for quickly identifying critical information such as domain configuration, registry keys, policies, web targets, network shares, and more. Additionally, it provides easily interpretable outputs and supports data export in JSON format for seamless integration with complementary tools like jq.

Installation

Executable

Download the executable from the release page.

Python Module

Alternatively, you can install GPOAnalyzer using Python 3.6 or higher. Clone the repository and install the required dependencies:

git clone https://github.com/safedv/GPOAnalyzer.git
cd GPOAnalyzer
pip install .

Usage

Run the tool from the command line using the following syntax:

Python Module

python -m gpoanalyzer --help

Executable

gpoanalyzer.exe --help

Output

usage: python -m gpoanalyzer [-h] [--json | --find FIND] [--output OUTPUT] [--shortcuts] [--scheduledtasks] [--drives] [--groups] [--printers] [--registryxml] [--envvars] [--files] [--services]
                             [--folders] [--internetsettings] [--registrypol] [--gpttmpl]
                             gpopath

GPO Analyzer parses and enumerates Domain Group Policy Object (GPO) files.

options:
  -h, --help            show this help message and exit

General Options:
  gpopath               Path to the GPO data directory
  --json, -jq           Output data in JSON format
  --find FIND, -f FIND  Search for a specific string or pattern
  --output OUTPUT, -o OUTPUT
                        Output results to a specified file path

Supported Files:
  --shortcuts           Extract shortcut configurations from Shortcuts XML files
  --scheduledtasks      Extract scheduled tasks from ScheduledTasks XML files
  --drives              Extract network drive mappings from Drives XML files
  --groups              Extract group membership settings from Groups XML files
  --printers            Extract printer configurations from Printers.xml
  --registryxml         Extract settings from Registry.xml
  --envvars             Extract env variable settings from EnvironmentVariables.xml
  --files               Extract file policies from Files.xml
  --services            Extract service configurations from Services.xml
  --folders             Extract folder settings from Folders.xml
  --internetsettings    Extract internet settings from InternetSettings XML files
  --registrypol         Extract registry settings from Registry.pol
  --gpttmpl             Extract group policy template data from GptTmpl.inf files

Examples

Find Module

Search for a string in all parsed data

python -m gpoanalyzer "<GPO_FILES_PATH>" --find "AdmPwd"

Search for a pattern in all parsed data

python -m gpoanalyzer "<GPO_FILES_PATH>" --find "^(\\)(\\[\w\.-_]+){2,}(\\?)$"

Report Module

Output all data to a file

python -m gpoanalyzer "<GPO_FILES_PATH>" --shortcuts --drives --folders --scheduledtasks -o output.txt

Output registry data to a file in json format:

python -m gpoanalyzer "<GPO_FILES_PATH>" --registrypol --json -o registry.pol.json

JSON Module

Export targetPath value from shortcuts XML files configuration with jq

python -m gpoanalyzer "<GPO_FILES_PATH>" --shortcuts --json | jq '[.. | objects | select(has("targetPath")) | .targetPath]' | sort -u

Output

"http://example1.com"
"https://example2.com"
"http://example3.com"
"10.10.12.120"
"\\SHARE\\LOL"

Contributing

Contributions are welcome! Please fork the repository and submit a pull request with your improvements.

License

GPOAnalyzer is released under the MIT License. See LICENSE file for details.