Merge pull request #5 from coffeegist/fix/gpo-json-domainsid-prop

Fix/gpo json domainsid prop

CHANGELOG.md

@@ -1,4 +1,9 @@
 # Changelog
+## [0.3.1] - 1/25/2024
+### Fixed
+- GPO JSON file not matching JSON definition for BHCE
+    - `domainsid` property gets set on all GPO objects now (requires domain objects to be queried)
+
 ## [0.3.0] - 12/27/2023
 ### Added
 - ADDS model for AD crossRef objects (referrals)

README.md

@@ -1,21 +1,25 @@
 ```
- _____________________________ __    __    ______    __    __   __   __   _______
-|   _   /  /  __   / |   ____/|  |  |  |  /  __  \  |  |  |  | |  \ |  | |       \
-|  |_)  | |  |  |  | |  |__   |  |__|  | |  |  |  | |  |  |  | |   \|  | |  .--.  |
-|   _  <  |  |  |  | |   __|  |   __   | |  |  |  | |  |  |  | |  . `  | |  |  |  |
-|  |_)  | |  `--'  | |  |     |  |  |  | |  `--'  | |  `--'  | |  |\   | |  '--'  |
-|______/   \______/  |__|     |__|  |___\_\________\_\________\|__| \___\|_________\
-
-                            << @coffeegist | @Tw1sm >>
+                         _____________________________ __    __    ______    __    __   __   __   _______
+                        |   _   /  /  __   / |   ____/|  |  |  |  /  __  \  |  |  |  | |  \ |  | |       \
+                        |  |_)  | |  |  |  | |  |__   |  |__|  | |  |  |  | |  |  |  | |   \|  | |  .--.  |
+                        |   _  <  |  |  |  | |   __|  |   __   | |  |  |  | |  |  |  | |  . `  | |  |  |  |
+                        |  |_)  | |  `--'  | |  |     |  |  |  | |  `--'  | |  `--'  | |  |\   | |  '--'  |
+                        |______/   \______/  |__|     |__|  |___\_\________\_\________\|__| \___\|_________\
+           
+                                                    << @coffeegist | @Tw1sm >>
 ```
 
-# BOFHound
+<h1 align="center">
+
+![Python](https://img.shields.io/badge/python-3670A0?style=for-the-badge&logo=python&logoColor=ffdd54)
+![PyPi](https://img.shields.io/pypi/v/bofhound?style=for-the-badge)
+</h1>
 
 BOFHound is an offline BloodHound ingestor and LDAP result parser compatible with TrustedSec's [ldapsearch BOF](https://github.com/trustedsec/CS-Situational-Awareness-BOF), the Python adaptation, [pyldapsearch](https://github.com/fortalice/pyldapsearch) and Brute Ratel's [LDAP Sentinel](https://bruteratel.com/tabs/commander/badgers/#ldapsentinel).
 
 By parsing log files generated by the aforementioned tools, BOFHound allows operators to utilize BloodHound's beloved interface while maintaining full control over the LDAP queries being run and the spped at which they are executed. This leaves room for operator discretion to account for potential honeypot accounts, expensive LDAP query thresholds and other detection mechanisms designed with the traditional, automated BloodHound collectors in mind.
 
-Check out the [dedicated BOF repository](https://github.com/Tw1sm/bofhound-bof-kit) for BOFs that gather local group and session data for BOFHound parsing
+Check this [PR](https://github.com/trustedsec/CS-Situational-Awareness-BOF/pull/114) to the SA BOF repo for BOFs that collect session and local group membership data and can be parsed by BOFHound.
 
 ### Related Blogs
 
@@ -57,6 +61,12 @@ dn
 objectsid
 ```
 
+Some object classes rely on domain objects being populated within BOFHound. Domains can be queried with either of the following commands
+```
+ldapsearch (objectclass=domain) *,ntsecuritydescriptor
+ldapsearch (distinguishedname=DC=windomain,DC=local) *,ntsecuritydescriptor
+``` 
+
 ## Example ldapsearch Queries
 Get All the Data (Maybe Run BloodHound Instead?)
 ```
@@ -73,7 +83,7 @@ Retrieve Only the ms-Mcs-AdmPwd schemaIDGUID
 ldapsearch (name=ms-mcs-admpwd) name,schemaidguid 1 "" CN=Schema,CN=Configuration,DC=windomain,DC=local
 ```
 
-Retrieve Domain NetBIOS Names (useful if collecting data via `bofhound-netloggedon/netsession` BOFs)
+Retrieve Domain NetBIOS Names (useful if collecting data via `netsession2/netloggedon2` BOFs)
 ```
 ldapsearch (netbiosname=*) * 0 "" "CN=Partitions,CN=Configuration,DC=windomain,DC=local"
 ```

bofhound/ad/adds.py

@@ -432,6 +432,10 @@ def resolve_ou_members(self):
 
 
     def link_gpos(self):
+        # BHCE appears to now require domainsid prop on GPOs
+        for gpo in self.gpos:
+            self.add_domainsid_prop(gpo)
+
         for object in self.ous + self.domains:
             if object._entry_type == 'OU':
                 self.add_domainsid_prop(object) # since OUs don't have a SID to get a domainsid from

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "bofhound"
-version = "0.3.0"
+version = "0.3.1"
 description = "Parse output from common sources and transform it into BloodHound-ingestible data"
 authors = [
 	"Adam Brown",