03_Usage
The goal of this section is not to describe every available command (to this end, see 06_Commands and Cheatsheet), but to present and explain a typical exploitation scenario of a writable GPO using GroupPolicyBackdoor.
Before performing any modification on a GPO, it is recommended to use the restore > backup command in order to produce a backup of the target GPO. This command stores all the LDAP entries of the Group Policy Container (serialized in base64) to a file, and downloads all the files of the GPO's Group Policy Template to a folder.

$ python3 gpb.py restore backup -d 'corp.com' -o './my_backups' --dc ad01-dc.corp.com -u 'john' -p 'Password1!' -n 'TARGET_GPO'

The gpo > inject command allows one to inject one or several configuration(s) into the target GPO. The configurations to inject are described by INI files constituted of 3 sections (generic options, options related to the injected configuration, and target filters). Examples are provided in the modules_templates folder of the repository, and a full description of the expected format and available options is provided in 05_Modules configurations.
For instance, the following command injects two configurations into the target GPO.
$ python3 gpb.py gpo inject --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --module modules_templates/Files_create.ini --module modules_templates/ScheduledTask_create.ini --gpo-name 'TARGET_GPO'
After running the gpo > inject command, you may notice that GroupPolicyBackdoor created a state folder (in state_folders/), with a name based on the current time. A state folder contains various files with information regarding the GroupPolicyBackdoor command execution:
- gpo_guid.json: stores the target GPO GUID.
- clean.json: stores identifiers associated with injected configurations. Used by the gpo > clean command (see below).
- actions.json: lists all the actions performed by GroupPolicyBackdoor. Used by the restore > undo command (see below).
- revert/*: folder containing revert files (see below).
Note that state folders are not only created when injecting configurations, but more generally for any GroupPolicyBackdoor command that modifies something on the target environment.
After client objects have executed the injected configuration(s), you might want to remove the configuration(s) from the GPO. Note that this is not only a good idea for stealth purposes, but also to avoid generating additional network traffic by leaving unused extension names in the GPO.
To do so, simply run the gpo > clean command, and provide the state folder generated by the gpo > inject command.
$ python3 gpb.py gpo clean --domain 'corp.com' --dc 'ad01-dc.corp.com' -k --state-folder 'state_folders/2025_07_15_125059'

It is important to note that removing a configuration from a GPO prevents client objects from re-applying it. It does not, however, revert the action performed by said client objects. For instance, if you added a Scheduled Task to a computer, removing the corresponding configuration from the GPO will not delete the Scheduled Task from the computer.
If you want to properly revert the actions you performed (for stealth considerations or to clean after exploitation), you will need to apply a new configuration to the GPO that reverses said actions (in our example, a configuration that deletes the Scheduled Task).
Upon execution of the gpo > inject command, GroupPolicyBackdoor will generate when possible a module INI file that reverses the action performed by client devices. In the example above, we injected two configurations via the gpo > inject command: one that creates a file, and another one that creates a Scheduled Task. In the associated state folder (revert/ subfolder), you will find two reverse files that you can use to define configurations that will remove the file, and delete the Scheduled Task.
$ python3 gpb.py gpo inject -d 'corp.com' --dc 'ad01-dc.corp.com' -k -m 'state_folders/2025_07_15_125059/revert/reverse_Scheduled_Task_create_LNgKmt.ini' -m 'state_folders/2025_07_15_125059/revert/reverse_Files_create_mNSKvX.ini' --gpo-name 'TARGET_GPO'

Do not forget to perform a final gpo > clean command after your reverse configurations were applied by client objects!
GPO modifications often involve multiple steps through distinct protocols (SMB / LDAP). If something goes wrong during a command execution (unexpected error, network disruption etc.), the GPO could end up in an unwanted state (e.g. orphan extension names, LDAP version different from SMB version).
The state folders allow you to know precisely which actions have been performed by GroupPolicyBackdoor before the issue by reading the actions.json file. You can then fix the GPO manually, or use the restore > undo command, which undoes every action described by the actions.json file.
$ python3 gpb.py restore undo -d corp.com -k --state-folder 'state_folders/2025_07_15_125059'
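The inconsistent states mentioned above (LDAP version differing from the SYSVOL version, extension names left in LDAP without matching files) are also what a defender checks for after such a command, whether manually or after restore > undo. The following is an added example of that consistency check, not part of GroupPolicyBackdoor: it assumes the caller has already fetched the GPO's versionNumber attribute, its gPCMachineExtensionNames value and its GPT.INI, plus the set of CSE GUIDs for which files actually exist in the Group Policy Template (hypothetical input derived from a SYSVOL listing); all sample values are constructed.

```python
import configparser
import re

# One entry of gPCMachineExtensionNames looks like "[{CSE GUID}{tool GUID}...]".
_GROUP_RE = re.compile(r"\[((?:\{[0-9A-Fa-f-]{36}\})+)\]")
_GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
_CORE_ENTRY = "{00000000-0000-0000-0000-000000000000}"  # lists tool extensions, owns no files


def split_version(version_number):
    """Split the 32-bit GPO versionNumber into (user_version, computer_version)."""
    return (version_number >> 16) & 0xFFFF, version_number & 0xFFFF


def parse_gpt_ini(text):
    """Return the integer Version stored in the GPT.INI of the Group Policy Template."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def parse_extension_names(value):
    """Return [(cse_guid, [tool_guids])] from a gPC*ExtensionNames attribute value."""
    groups = []
    for grp in _GROUP_RE.findall(value or ""):
        guids = [g.upper() for g in _GUID_RE.findall(grp)]
        groups.append((guids[0], guids[1:]))
    return groups


def check_gpo_consistency(ldap_version, gpt_ini_text, ext_names, cse_with_files):
    """Compare the LDAP side of a GPO with its SYSVOL side and return a list of anomalies."""
    findings = []
    gpt_version = parse_gpt_ini(gpt_ini_text)
    if ldap_version != gpt_version:
        user_v, comp_v = split_version(ldap_version)
        findings.append("version mismatch: LDAP versionNumber=%d (user=%d, computer=%d), "
                        "GPT.INI Version=%d" % (ldap_version, user_v, comp_v, gpt_version))
    present = {g.upper() for g in cse_with_files}
    for cse, _tools in parse_extension_names(ext_names):
        if cse != _CORE_ENTRY and cse not in present:
            findings.append("orphan extension name: CSE %s has no files in the GPT" % cse)
    return findings


# Constructed sample: LDAP says user=1/computer=3 while GPT.INI still says computer=2,
# and CSE {3333...} is registered in LDAP although no policy files exist for it.
SAMPLE_LDAP_VERSION = 65539
SAMPLE_GPT_INI = "[General]\r\nVersion=65538\r\n"
SAMPLE_EXT_NAMES = ("[{00000000-0000-0000-0000-000000000000}{11111111-1111-1111-1111-111111111111}]"
                    "[{22222222-2222-2222-2222-222222222222}{11111111-1111-1111-1111-111111111111}]"
                    "[{33333333-3333-3333-3333-333333333333}{44444444-4444-4444-4444-444444444444}]")
SAMPLE_CSE_WITH_FILES = {"{22222222-2222-2222-2222-222222222222}"}

if __name__ == "__main__":
    for finding in check_gpo_consistency(SAMPLE_LDAP_VERSION, SAMPLE_GPT_INI,
                                         SAMPLE_EXT_NAMES, SAMPLE_CSE_WITH_FILES):
        print(finding)
```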