{"id":30356592,"url":"https://github.com/specterops/1passhound","last_synced_at":"2025-08-19T06:13:10.834Z","repository":{"id":307147957,"uuid":"1025197001","full_name":"SpecterOps/1PassHound","owner":"SpecterOps","description":null,"archived":false,"fork":false,"pushed_at":"2025-07-29T16:42:38.000Z","size":974,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-29T19:29:00.567Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SpecterOps.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-23T22:13:08.000Z","updated_at":"2025-07-29T16:42:42.000Z","dependencies_parsed_at":"2025-07-29T19:43:42.804Z","dependency_job_id":null,"html_url":"https://github.com/SpecterOps/1PassHound","commit_stats":null,"previous_names":["specterops/1passhound"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/SpecterOps/1PassHound","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2F1PassHound","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2F1PassHound/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2F1PassHound/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2F1PassHound/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SpecterOps","download_url"
:"https://codeload.github.com/SpecterOps/1PassHound/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SpecterOps%2F1PassHound/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271108837,"owners_count":24700584,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-19T02:00:09.176Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-08-19T06:13:06.920Z","updated_at":"2025-08-19T06:13:10.823Z","avatar_url":"https://github.com/SpecterOps.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 1PassHound\n\n![Vault Access](./images/vaultaccess.png)\n\n## Overview\n\nThe **1Password for Business OpenGraph** extension lets you bring your 1Password ACL data into BloodHound’s graph‑analysis framework. 
With this extension, you can:\n\n- **Model Your 1Password Estate**  \n  Represent your business account as a graph of nodes—accounts, users, groups, vaults and every kind of item (logins, secure notes, cards, etc.)—each decorated with its own Font Awesome icon and color.\n\n- **Map Every Permission \u0026 Membership**  \n  Capture all relationships with edges like `OPContains`, `OPMemberOf`, `OPViewItems`, `OPManageVault`, `OPHasItem`, `OPManageGroups` and `OPRecoverAccounts`.\n\n- **Collect via the 1Password CLI**  \n  Use the PowerShell script (`Invoke-1PassHound`) to wrap the `op` CLI, fetch Users, Groups, Vaults and Items from your local 1Password session, and emit a BloodHound‑compatible JSON file (`1pass_\u003caccountid\u003e.json`).\n\n- **Visualize \u0026 Analyze in BloodHound**  \n  Once imported, you’ll be able to:\n  - **Audit \u0026 Compliance**: Verify who really has access to which vaults or items.  \n  - **Incident Response**: Trace potential exposure paths and remediate unintended permissions.  \n  - **Security Reviews**: Explore group memberships, vault structures and item distribution at a glance.\n\nWhether you’re auditing permissions, responding to incidents, or simply exploring your 1Password configuration, this extension brings clarity, control and rich visualization to your vaults and items.  \n\n## Collector Setup \u0026 Usage\n\n1. **PowerShell Prerequisite**  \n   - Requires **PowerShell 3.0+** on any platform where both PowerShell and the `op` CLI run.\n\n2. **Install the 1Password CLI**  \n   - Follow the official guide to install `op` and ensure it’s in your `PATH`:  \n     https://developer.1password.com/docs/cli/get-started/#step-1-install-1password-cli\n\n3. 
**Enable Desktop‑App Integration**  \n   - Turn on the 1Password desktop‑app integration so the CLI can authenticate via your signed‑in app:  \n     https://developer.1password.com/docs/cli/get-started/#step-2-turn-on-the-1password-desktop-app-integration\n\n     NOTE: You will only be able to collect information about Groups and Vaults that you have access to. There may be ways to reduce the necessary permissions, but for now we've only verified full visibility via an account in the Administrators group.\n\n4. **Authenticate**  \n   - From your macOS or Windows PowerShell session, run:  \n     ```powershell\n     op signin \u003cyour-subdomain\u003e\n     ```  \n   - This exports an `OP_SESSION_\u003caccount\u003e` environment variable that the collector uses.\n\n5. **Load \u0026 Run the Collector**  \n   - In the repo root (where `1passhound.ps1` lives), dot‑source the script so its functions become available:  \n     ```powershell\n     . .\\1passhound.ps1\n     ```  \n   - Then execute the main function:  \n     ```powershell\n     Invoke-1PassHound\n     ```  \n   - By default, this will emit a BloodHound‑compatible JSON graph named:  \n     ```\n     1pass_\u003caccountid\u003e.json\n     ```\n\n6. **Dependencies**  \n   - No extra PowerShell modules are required—just built‑in cmdlets plus the `op` CLI.\n\n7. 
**Platform Support**  \n   - Verified on **macOS** (PowerShell Core) and expected to work on **Windows PowerShell 3.0+** (and PowerShell Core on Linux).\n\n#### Required Permissions\n\n## Schema\n\n![1Password OpenGraph Schema](./images/schema.png)\n\nBelow is the complete set of nodes and edges as defined in the [model](./model.json).\n\n### Nodes\n\nNodes correspond to each object type (accounts, vaults, users, groups, and all item sub‑types).\n\n| Node                                                                           | Description                                                                                  | Icon        | Color   |\n|--------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|-------------|---------|\n| \u003cimg src=\"./images/black_OPAccount.png\" width=\"30\"/\u003e OPAccount                 | Top‑level account resource                                                                   | building    | #5A8FDC |\n| \u003cimg src=\"./images/black_OPUser.png\" width=\"30\"/\u003e OPUser                       | A user belonging to an account                                                               | user        | #F4CA70 |\n| \u003cimg src=\"./images/black_OPGroup.png\" width=\"30\"/\u003e OPGroup                     | A group of users within an account                                                           | user-group  | #FF8369 |\n| \u003cimg src=\"./images/black_OPVault.png\" width=\"30\"/\u003e OPVault                     | A vault/container that holds items                                                           | vault       | #6AE4A9 |\n| \u003cimg src=\"./images/black_OPItem.png\" width=\"30\"/\u003e OPItem                       | Abstract item resource (parent of specific item types)                                       | passport    | #C04EA0 |\n| \u003cimg src=\"./images/black_OPApiCredential.png\" 
width=\"30\"/\u003e OPApiCredential     | An API key, token, or secret used by applications or services to authenticate against an API | code        | #FFF6EB |\n| \u003cimg src=\"./images/black_OPCreditCard.png\" width=\"30\"/\u003e OPCreditCard           | A stored payment card record, including card number, expiration date, and billing details    | credit-card | #FFF6EB |\n| \u003cimg src=\"./images/black_OPDocument.png\" width=\"30\"/\u003e OPDocument               | An arbitrary file or document (PDF, Word, spreadsheet, etc.) attached to a vault             | file        | #FFF6EB |\n| \u003cimg src=\"./images/black_OPLogin.png\" width=\"30\"/\u003e OPLogin                     | A website or service login record containing a username and password pair                    | user-lock   | #FFF6EB |\n| \u003cimg src=\"./images/black_OPPassport.png\" width=\"30\"/\u003e OPPassport               | A secure note formatted for passport information (number, issue/expiry dates, etc.)          | passport    | #FFF6EB |\n| \u003cimg src=\"./images/black_OPPassword.png\" width=\"30\"/\u003e OPPassword               | A standalone password entry, not tied to a specific login record.                            | key         | #FFF6EB |\n| \u003cimg src=\"./images/black_OPSecureNote.png\" width=\"30\"/\u003e OPSecureNote           | A free‑form secure note for storing text, URLs, or other free‑form data                      | note-sticky | #FFF6EB |\n| \u003cimg src=\"./images/black_OPServer.png\" width=\"30\"/\u003e OPServer                   | Credentials for server access (SSH password, IP address, etc.)                               
| server      | #FFF6EB |\n| \u003cimg src=\"./images/black_OPSoftwareLicense.png\" width=\"30\"/\u003e OPSoftwareLicense | A software license key or file, optionally with purchase/expiry metadata                     | key         | #FFF6EB |\n| \u003cimg src=\"./images/black_OPSshKey.png\" width=\"30\"/\u003e OPSshKey                   | An SSH key pair (public + private) for authenticating to servers                             | terminal    | #FFF6EB |\n| \u003cimg src=\"./images/black_OPWirelessRouter.png\" width=\"30\"/\u003e OPWirelessRouter   | Wi‑Fi network credentials (SSID, passphrase, encryption type)                                | wifi        | #FFF6EB |\n\n### Edges\n\nEdges capture every relationship: who contains what, membership, view vs. manage permissions, etc.\n\n| Edge Type          | Source           | Target            | Description                                  | Traversable |\n|--------------------|------------------|-------------------|----------------------------------------------| ---------- |\n| `OPContains`       | `OPAccount`      | `OPItem`          | Account contains items                       | n          |\n| `OPContains`       | `OPAccount`      | `OPUser`          | Account contains users                       | n          |\n| `OPContains`       | `OPAccount`      | `OPVault`         | Account contains vaults                      | n          |\n| `OPContains`       | `OPAccount`      | `OPGroup`         | Account contains groups                      | n          |\n| `OPHasItem`        | `OPVault`        | `OPItem`          | Vault holds items                            | y          |\n| `OPViewItems`      | `OPUser`         | `OPVault`         | User can view items in the vault             | y          |\n| `OPViewItems`      | `OPGroup`        | `OPVault`         | Group can view items in the vault            | y          |\n| `OPManageVault`    | `OPUser`         | `OPVault`         | User can manage the vault           
         | y          |\n| `OPManageVault`    | `OPGroup`        | `OPVault`         | Group can manage the vault                   | y          |\n| `OPMemberOf`       | `OPUser`         | `OPGroup`         | User is a member of a group                  | y          |\n| `OPManageGroups`   | `OPGroup`        | `OPAccount`       | Group can manage other groups in the account | y          |\n| `OPRecoverAccounts`| `OPGroup`        | `OPAccount`       | Group can recover accounts                   | y          |\n\n## Contributing\n\nWe welcome and appreciate your contributions! To make the process smooth and efficient, please follow these steps:\n\n1. **Discuss Your Idea**  \n   - If you’ve found a bug or want to propose a new feature, please start by opening an issue in this repo. Describe the problem or enhancement clearly so we can discuss the best approach.\n\n2. **Fork \u0026 Create a Branch**  \n   - Fork this repository to your own account.  \n   - Create a topic branch for your work:\n     ```bash\n     git checkout -b feat/my-new-feature\n     ```\n\n3. **Implement \u0026 Test**  \n   - Follow the existing style and patterns in the repo.  \n   - Add or update any tests/examples to cover your changes.  \n   - Verify your code runs as expected:\n     ```bash\n     # e.g. dot-source the collector and run it, or load the model.json in BloodHound\n     ```\n\n4. **Submit a Pull Request**  \n   - Push your branch to your fork:\n     ```bash\n     git push origin feat/my-new-feature\n     ```  \n   - Open a Pull Request against the `main` branch of this repository.  \n   - In your PR description, please include:\n     - **What** you’ve changed and **why**.  \n     - **How** to reproduce/test your changes.\n\n5. **Review \u0026 Merge**  \n   - I’ll review your PR, give feedback if needed, and merge once everything checks out.  
\n   - For larger or more complex changes, review may take a little longer—thanks in advance for your patience!\n\nThank you for helping improve this extension! 🎉  \n\n## Licensing\n\n```\nCopyright 2025 Jared Atkinson\n\nLicensed under the Apache License, Version 2.0\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n\nUnless otherwise annotated by a lower-level LICENSE file or license header, all files in this repository are released\nunder the `Apache-2.0` license. A full copy of the license may be found in the top-level [LICENSE](LICENSE) file.\n\n##### Default Group Permissions\n\n| Permission Name             | Owners | Administrators | Recovery | Provision Managers |\n| --------------------------- | ------ | -------------- | -------- | ------------------ |\n| ADD_PERSON                  | x      | x              |          |                    |\n| CHANGE_PERSON_NAME          | x      | x              |          |                    |\n| CHANGE_TEAM_ATTRIBUTES      | x      | x              |          |                    |\n| CHANGE_TEAM_DOMAIN          | x      | x              |          |                    |\n| CHANGE_TEAM_SETTINGS        | x      | x              |          |                    |\n| CREATE_VAULTS               | x      | x              |          |                    |\n| DELETE_PERSON               | x      | x              |          |                    |\n| DELETE_TEAM                 | x      |                |          |                    |\n| MANAGE_BILLING              | x      |                |          |  
                  |\n| MANAGE_GROUPS               | x      | x              |          |                    |\n| MANAGE_TEMPLATES            | x      | x              |          |                    |\n| MANAGE_VAULTS               | x      |                |          |                    |\n| PROVISION_PEOPLE            |        |                |          | x                  |\n| SUSPEND_PERSON              | x      | x              |          |                    |\n| SUSPEND_TEAM                | x      |                |          |                    |\n| RECOVER_ACCOUNTS            | x      | x              | x        |                    |\n| VIEW_ACTIVITY_LOGS          | x      | x              |          |                    |\n| VIEW_ADMINISTRATIVE_SIDEBAR | x      | x              | x        |                    |\n| VIEW_BILLING                | x      |                |          |                    |\n| VIEW_PEOPLE                 | x      | x              | x        |                    |\n| VIEW_TEAM_SETTINGS          | x      | x              |          |                    |\n| VIEW_TEMPLATES              | x      | x              |          |                    |\n| VIEW_VAULTS                 | x      | x              |          |                    |\n\n##### Group Permission Categories\n\n| Permission Name             | View Administrative Sidebar | Manage Settings | Manage Billings | Delete Account | Suspend People | Invite \u0026 Remove People | Manage People | Create Vaults | Recover Accounts | Manage All Groups |\n| --------------------------- | --------------------------- | --------------- | --------------- | -------------- | -------------- | ---------------------- | ------------- | ------------- | ---------------- | ----------------- |\n| ADD_PERSON                  |                             |                 |                 |                |                | *6*                    |               |               |               
   |                   |\n| CHANGE_PERSON_NAME          |                             |                 |                 |                |                |                        | *7*           |               |                  |                   |\n| CHANGE_TEAM_ATTRIBUTES      |                             | *2*             |                 | 2              |                |                        |               |               |                  |                   |\n| CHANGE_TEAM_DOMAIN          |                             | *2*             |                 | 2              |                |                        |               |               |                  |                   |\n| CHANGE_TEAM_SETTINGS        |                             | *2*             |                 | 2              |                |                        |               |               |                  |                   |\n| CREATE_VAULTS               |                             |                 |                 |                |                |                        |               | *8*           |                  |                   |\n| DELETE_PERSON               |                             |                 |                 |                |                | *6*                    |               |               |                  |                   |\n| DELETE_TEAM                 |                             |                 |                 | *4*            |                |                        |               |               |                  |                   |\n| MANAGE_BILLING              |                             |                 | *3*             | 3              |                |                        |               |               |                  |                   |\n| MANAGE_GROUPS               |                             |                 |                 |                |                |           
             |               |               |                  | *10*              |\n| MANAGE_TEMPLATES            |                             | *2*             |                 | 2              |                |                        |               |               |                  |                   |\n| MANAGE_VAULTS               |                             |                 |                 |                |                |                        |               |               |                  |                   |\n| PROVISION_PEOPLE            |                             |                 |                 |                |                |                        |               |               |                  |                   |\n| SUSPEND_PERSON              |                             |                 |                 |                | *5*            | 5                      |               |               |                  |                   |\n| SUSPEND_TEAM                |                             |                 |                 | *4*            |                |                        |               |               |                  |                   |\n| RECOVER_ACCOUNTS            |                             |                 |                 |                |                |                        |               |               |                  |                   |\n| VIEW_ACTIVITY_LOGS          | *1*                         | 1               |                 |                |                |                        |               |               | *9*              |                   |\n| VIEW_ADMINISTRATIVE_SIDEBAR | *1*                         | 1               |                 | 1              | 1              | 1                      | 1             |               | 1                | 1                 |\n| VIEW_BILLING                |                             |                 | 
*3*             | 3              |                |                        |               |               |                  |                   |\n| VIEW_PEOPLE                 | *1*                         | 1               |                 | 1              | 1              | 1                      | 1             |               | 1                | 1                 |\n| VIEW_TEAM_SETTINGS          | *1*                         | 1               |                 | 1              | 1              | 1                      | 1             |               | 1                | 1                 |\n| VIEW_TEMPLATES              | *1*                         | 1               |                 | 1              | 1              | 1                      | 1             |               | 1                | 1                 |\n| VIEW_VAULTS                 | *1*                         | 1               |                 | 1              | 1              | 1                      | 1             |               | 1                | 1                 |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspecterops%2F1passhound","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspecterops%2F1passhound","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspecterops%2F1passhound/lists"}