SpecterOps · ncha-syn · Oct 24, 2025 · Oct 24, 2025
diff --git a/README.md b/README.md
@@ -35,7 +35,7 @@ dotnet build
 # CLI Arguments
 The listing below details the CLI arguments SharpHound supports. Additional details about these options can be found in the [BloodHound CE Collection documentation](https://bloodhound.specterops.io/collect-data/ce-collection/sharphound-flags).
 ```
-  -c, --collectionmethods    (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup,
+  -c, --collectionmethods    (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, GPOUserRights
                              Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly, UserRights, 
                              CARegistry, DCRegistry, CertServices, WebClientService, NTLMRegistry,SMBInfo,LdapServices
 

diff --git a/src/Client/Enums.cs b/src/Client/Enums.cs
@@ -19,6 +19,7 @@ public enum CollectionMethodOptions
         SPNTargets,
         Container,
         GPOLocalGroup,
+        GPOUserRights,
         LocalGroup,
         UserRights,
         Default,

diff --git a/src/Options.cs b/src/Options.cs
@@ -14,7 +14,7 @@ public class Options
         // Options that affect what is collected
         [Option('c', "collectionmethods", Default = new[] { "Default" },
             HelpText =
-                "Collection Methods: Group, LocalGroup, LocalAdmin, RDP, DCOM, PSRemote, Session, Trusts, ACL, Container, ComputerOnly, GPOLocalGroup, LoggedOn, ObjectProps, SPNTargets, UserRights, Default, DCOnly, CARegistry, DCRegistry, CertServices, WebClientService, LdapServices, SmbInfo, NTLMRegistry, All")]
+                "Collection Methods: Group, LocalGroup, LocalAdmin, RDP, DCOM, PSRemote, Session, Trusts, ACL, Container, ComputerOnly, GPOLocalGroup, GPOUserRights, LoggedOn, ObjectProps, SPNTargets, UserRights, Default, DCOnly, CARegistry, DCRegistry, CertServices, WebClientService, LdapServices, SmbInfo, NTLMRegistry, All")]
         public IEnumerable<string> CollectionMethods { get; set; }
 
         [Option('d', "domain", Default = null, HelpText = "Specify domain to enumerate")]
@@ -196,6 +196,7 @@ internal bool ResolveCollectionMethods(ILogger logger, out CollectionMethod reso
                     CollectionMethodOptions.SPNTargets => CollectionMethod.SPNTargets,
                     CollectionMethodOptions.Container => CollectionMethod.Container,
                     CollectionMethodOptions.GPOLocalGroup => CollectionMethod.GPOLocalGroup,
+                    CollectionMethodOptions.GPOUserRights => CollectionMethod.GPOUserRights,
                     CollectionMethodOptions.LocalGroup => CollectionMethod.LocalGroups,
                     CollectionMethodOptions.UserRights => CollectionMethod.UserRights,
                     CollectionMethodOptions.Default => CollectionMethod.Default,

diff --git a/src/PowerShell/Template.ps1 b/src/PowerShell/Template.ps1
@@ -27,6 +27,7 @@
             Container - Collect GPO/OU Data
             ComputerOnly - Collect Local Group, Session data, User Rights, CA Registry, and DC Registry
             GPOLocalGroup - Collect Local Group information using GPO (Group Policy Objects)
+            GPOUserRights - Collect Local User Rights information using GPO (Group Policy Objects)
             LoggedOn - Collect session information using privileged methods (needs admin!)
             ObjectProps - Collect node property information for users and computers
             SPNTargets - Collect SPN targets (currently only MSSQL)

diff --git a/src/Runtime/ObjectProcessors.cs b/src/Runtime/ObjectProcessors.cs
@@ -32,6 +32,7 @@ public class ObjectProcessors {
         private readonly GroupProcessor _groupProcessor;
         private readonly LdapPropertyProcessor _ldapPropertyProcessor;
         private readonly GPOLocalGroupProcessor _gpoLocalGroupProcessor;
+        private readonly GPOUserRightsAssignmentProcessor _gpoUserRightsAssignmentProcessor;
         private readonly UserRightsAssignmentProcessor _userRightsAssignmentProcessor;
         private readonly LocalGroupProcessor _localGroupProcessor;
         private readonly ILogger _log;
@@ -56,6 +57,7 @@ public ObjectProcessors(IContext context, ILogger log) {
             _groupProcessor = new GroupProcessor(context.LDAPUtils);
             _containerProcessor = new ContainerProcessor(context.LDAPUtils);
             _gpoLocalGroupProcessor = new GPOLocalGroupProcessor(context.LDAPUtils);
+            _gpoUserRightsAssignmentProcessor = new GPOUserRightsAssignmentProcessor(context.LDAPUtils);
             _userRightsAssignmentProcessor = new UserRightsAssignmentProcessor(context.LDAPUtils);
             _localGroupProcessor = new LocalGroupProcessor(context.LDAPUtils);
             _webClientProcessor = new WebClientServiceProcessor(log);
@@ -360,6 +362,7 @@ await compStatusChannel.Writer.WriteAsync(new CSVComputerStatus {
 
             if (_methods.HasFlag(CollectionMethod.SmbInfo)) {
                 ret.SmbInfo = await _smbProcessor.Scan(apiName, resolvedSearchResult.DomainSid);
+                //ret.SmbInfo = await _smbProcessor.Scan(apiName);
             }
 
             // Re-introduce this when we're ready for Event Log collection
@@ -425,6 +428,16 @@ private async void ProcessDomainController(ResolvedSearchResult resolvedSearchRe
                 if (ldapServices.IsSigningRequired.Collected) {
                     ret.Properties.Add("ldapsigning", ldapServices.IsSigningRequired.Result);
                 }
+                //var ldapServices = await dcLdapProcessor.Scan(resolvedSearchResult.DisplayName);
+                //ret.Properties.Add("ldapavailable", ldapServices.HasLdap);
+                //ret.Properties.Add("ldapsavailable", ldapServices.HasLdaps);
+                //if (ldapServices.IsChannelBindingDisabled.Collected) {
+                //    ret.Properties.Add("ldapsepa", !ldapServices.IsChannelBindingDisabled.Result);    
+                //}
+
+                //if (ldapServices.IsSigningRequired.Collected) {
+                //    ret.Properties.Add("ldapsigning", ldapServices.IsSigningRequired.Result);    
+                //}
             }
         }
 
@@ -599,6 +612,9 @@ private async Task<OU> ProcessOUObject(IDirectoryObject entry,
                 ret.GPOChanges = await _gpoLocalGroupProcessor.ReadGPOLocalGroups(entry);
             }
 
+            if (_methods.HasFlag(CollectionMethod.GPOUserRights)) {
+                ret.GPOUserRights = await _gpoUserRightsAssignmentProcessor.ReadGPOUserRights(entry);
+            }
 
             return ret;
         }
@@ -927,4 +943,4 @@ private async Task<IssuancePolicy> ProcessIssuancePolicy(IDirectoryObject entry,
             return ret;
         }
     }
-}
+}