SpecterOps · ncha-syn · Oct 24, 2025 · Oct 24, 2025 · coderabbitai · Oct 24, 2025
diff --git a/src/CommonLib/Enums/CollectionMethod.cs b/src/CommonLib/Enums/CollectionMethod.cs
@@ -27,16 +27,17 @@ public enum CollectionMethod {
         WebClientService = 1 << 21,
         SmbInfo = 1 << 22,
         NTLMRegistry = 1 << 23,
+        GPOUserRights = 1 << 24,
         //TODO: Re-introduce this when we're ready for Event Log collection
         //EventLogs = 1 << 23,
         LocalGroups = DCOM | RDP | LocalAdmin | PSRemote,
         ComputerOnly = LocalGroups | Session | UserRights | CARegistry | DCRegistry | WebClientService | SmbInfo | NTLMRegistry,
-        DCOnly = ACL | Container | Group | ObjectProps | Trusts | GPOLocalGroup | CertServices,
+        DCOnly = ACL | Container | Group | ObjectProps | Trusts | GPOLocalGroup | GPOUserRights | CertServices,
 
         Default = Group | Session | Trusts | ACL | ObjectProps | LocalGroups | SPNTargets | Container | CertServices |
                   LdapServices | SmbInfo | WebClientService,
 
-        All = Default | LoggedOn | GPOLocalGroup | UserRights | CARegistry | DCRegistry | WebClientService |
+        All = Default | LoggedOn | GPOLocalGroup | GPOUserRights | UserRights | CARegistry | DCRegistry | WebClientService |
               LdapServices | NTLMRegistry
     }
 }
diff --git a/src/CommonLib/Enums/LSAPrivileges.cs b/src/CommonLib/Enums/LSAPrivileges.cs
@@ -47,6 +47,6 @@ public class LSAPrivileges
         public const string TrustedCredManAccess = "SeTrustedCredManAccessPrivilege";
         public const string Undock = "SeUndockPrivilege";
 
-        public static readonly string[] DesiredPrivileges = {RemoteInteractiveLogon};
+        public static readonly string[] DesiredPrivileges = {InteractiveLogon, RemoteInteractiveLogon, AssignPrimaryToken, Backup, CreateToken, Debug, Impersonate, LoadDriver, ManageVolume, Restore, TakeOwnership, Tcb};
     }
 }
diff --git a/src/CommonLib/LdapProducerQueryGenerator.cs b/src/CommonLib/LdapProducerQueryGenerator.cs
@@ -44,6 +44,9 @@ public static GeneratedLdapParameters GenerateDefaultPartitionParameters(Collect
             if (methods.HasFlag(CollectionMethod.GPOLocalGroup))
                 properties.AddRange(CommonProperties.GPOLocalGroupProps);
 
+            if (methods.HasFlag(CollectionMethod.GPOUserRights))
+                properties.AddRange(CommonProperties.GPOUserRights);
+
             if (methods.HasFlag(CollectionMethod.SPNTargets))
                 properties.AddRange(CommonProperties.SPNTargetProps);
 
@@ -80,6 +83,11 @@ public static GeneratedLdapParameters GenerateDefaultPartitionParameters(Collect
             properties.AddRange(CommonProperties.GPOLocalGroupProps);
         }
 
+        if (methods.HasFlag(CollectionMethod.GPOUserRights)) {
+            filter = filter.AddOUs();
+            properties.AddRange(CommonProperties.GPOUserRights);
+        }
+
         if (methods.HasFlag(CollectionMethod.DCRegistry) || methods.HasFlag(CollectionMethod.LdapServices)) {
             filter = filter.AddComputers(CommonFilters.DomainControllers);
             properties.AddRange(CommonProperties.ComputerMethodProps);

diff --git a/src/CommonLib/LdapQueries/CommonProperties.cs b/src/CommonLib/LdapQueries/CommonProperties.cs
@@ -86,6 +86,10 @@ public static class CommonProperties
             LDAPProperties.GPLink, LDAPProperties.Name
         };
 
+        public static readonly string[] GPOUserRights = {
+            LDAPProperties.GPLink, LDAPProperties.Name
+        };
+
         public static readonly string[] CertAbuseProps =
         {
             LDAPProperties.CertificateTemplates, LDAPProperties.Flags, LDAPProperties.DNSHostName, LDAPProperties.CACertificate, LDAPProperties.PKINameFlag,

diff --git a/src/CommonLib/OutputTypes/OU.cs b/src/CommonLib/OutputTypes/OU.cs
@@ -1,10 +1,12 @@
-using System;
+using SharpHoundCommonLib.Processors;
+using System;
 
 namespace SharpHoundCommonLib.OutputTypes
 {
     public class OU : OutputBase
     {
         public ResultingGPOChanges GPOChanges = new();
+        public ResultingGPOUserRights GPOUserRights = new();
         public GPLink[] Links { get; set; } = Array.Empty<GPLink>();
         public TypedPrincipal[] ChildObjects { get; set; } = Array.Empty<TypedPrincipal>();
         public string[] InheritanceHashes { get; set; } = Array.Empty<string>();

diff --git a/src/CommonLib/OutputTypes/ResultingGPOUserRights.cs b/src/CommonLib/OutputTypes/ResultingGPOUserRights.cs
@@ -0,0 +1,14 @@
+using System;
+using System.Collections.Generic;
+
+namespace SharpHoundCommonLib.OutputTypes
+{
+    public class ResultingGPOUserRights
+    {
+        public TypedPrincipal[] AffectedComputers { get; set; } = Array.Empty<TypedPrincipal>();
+
+        // Dictionary mapping privilege name to array of principals that have that privilege
+        public Dictionary<string, TypedPrincipal[]> UserRightAssignments { get; set; } =
+            new Dictionary<string, TypedPrincipal[]>();
+    }
+}
diff --git a/src/CommonLib/Processors/GPOLocalGroupProcessor.cs b/src/CommonLib/Processors/GPOLocalGroupProcessor.cs
@@ -57,7 +57,7 @@ public Task<ResultingGPOChanges> ReadGPOLocalGroups(IDirectoryObject entry) {
             return Task.FromResult(new ResultingGPOChanges());
         }
 
-        public async Task<ResultingGPOChanges> ReadGPOLocalGroups(string gpLink, string distinguishedName) {
+        public async Task<ResultingGPOChanges> ReadGPOLocalGroups(string gpLink, string distinguishedName) {    
             var ret = new ResultingGPOChanges();
             //If the gplink property is null, we don't need to process anything
             if (gpLink == null)