Grouper2 – Find Vulnerabilities in AD Group Policy

Grouper2 is a tool for pentesters to help find security-related misconfigurations in Active Directory Group Policy. It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an audit tool. If you want to check your policy configs against some particular standard, you probably want Microsoft’s Security and Compliance Toolkit, not Grouper or Grouper2.

Grouper2 - Find vulnerabilities in AD Group Policy
Grouper2 – Find vulnerabilities in AD Group Policy

Literally just run the EXE on a domain joined machine in the context of a domain user, and JSON will fall out. some of the features:

  • Have GPMC/RSAT/whatever installed on a domain-joined computer
  • Generate an xml report with the Get-GPOReport PowerShell cmdlet
  • Feed the report to Grouper
  • a bunch of gibberish falls out and hopefully there’s some good stuff in there.
  • better file permission checks that don’t involve writing to disk.
    doesn’t miss those GPP passwords that Grouper 1 did.
  • HTML output option so you can preserve console colours.
  • It’s multithreaded!

In the screenshot above we can see an “Assigned Application” policy that is still being pushed to computers, but the MSI file to install is missing, and the directory it’s being installed from is writable by the current user.

If you created a hacked up MSI (e.g. with msfvenom) and then modified it to match the UIDs at the bottom of the picture, it would get executed on machines targeted by the GPO. Sweet!

You can read more and download this tool over here: https://github.com/l0ss/Grouper2

Share
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments