GPO Security Research

Group Policy Object Exploitation & Defense

Research on Group Policy Object attack surfaces in Active Directory environments. Focused on GPO Preference XML injection, SYSVOL delivery channel abuse, scheduled task state modification, and comprehensive defensive architectures with DSC hardening, SACL auditing, and SIEM detection.

Tags: State-Injection, SYSVOL, Scheduled Tasks, SACL Auditing, DSC Hardening

GPO Attack Surface
4 Logic Flaws
2 XML Vectors
0 Perimeter Detect
9 DSC Resources
About
QA210
10th Grade • Vietnam

High school student from Vietnam passionate about offensive security, binary exploitation, and Active Directory attacks. Member of W4LLZ CTF team.

“Nothing is secure, everything has bugs, and humans are the biggest vulnerability.”
GPO Research Tags: ScheduledTasks.xml, action="R", SYSVOL, DFS-R, Registry.xml, LOLBin, mshta.exe, SACL, Event 4702, DSC, KQL, Sigma, MITRE T1484.001, MITRE T1053.005, Credential Guard, PowerShell Logging, GPO CSE
Attack Vectors
ScheduledTasks.xml Injection (Primary)
Registry.xml Persistence (Alt)
action="R" Replace Mode (Flaw #1)
Unsigned XML Content (Flaw #2)
4702 vs 4698 Detection Gap (Flaw #3)
Microsoft Namespace Trust (Flaw #4)
LOLBin Execution Chain (Payload)
ShadowPolicy Attack Flow
Step 01 (XML Injection): Attacker modifies ScheduledTasks.xml on SYSVOL — action="U" → action="R", replaces Command.
Step 02 (DFS-R Replication): SYSVOL replicates to all DCs in 15-60 s. No content inspection — only byte sync.
Step 03 (GPO Apply): gpsvc reads the modified XML; the CSE registers the new task via ITaskFolder::RegisterTask().
Step 04 (SYSTEM RCE): Task trigger fires — mshta.exe or any executable runs under SYSTEM across the entire domain.
Tags: State-Injection, Blue Team, Critical

ShadowPolicy — GPO Preference State-Injection

Advanced detection and auditing framework for the ShadowPolicy threat model: exploiting GPO Preference Scheduled Task XML injection via SYSVOL state modification in Windows Server 2022 / Active Directory environments. Covers the complete attack chain from GPO Editor access through DFS-R replication to SYSTEM-level RCE across the entire domain — bypassing all perimeter security. Identifies four critical logic flaws in GPO Preference design and two XML attack vectors (ScheduledTasks.xml and Registry.xml), documents alternative LOLBin execution paths, and provides a full defensive architecture with PowerShell DSC hardening, SACL auditing, integrity baseline monitoring, and SIEM detection rules (KQL and Sigma).
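As an added example (not code from this page or from the ShadowPolicy project), the following Python monitor performs the two defender-side checks that the attack flow above and this description call for on SYSVOL Preferences XML: an integrity baseline (SHA-256 per file, because DFS-R replicates bytes without inspecting them, as Step 02 notes) and content inspection that flags a TaskV2 whose action has been switched to "R" (Replace) and whose Command points at a LOLBin. The sample XML, the watchlist entries other than mshta.exe, the GPO GUID placeholder and all function names are assumptions made for the example.

```python
"""Defender-side checks for GPO Preference ScheduledTasks.xml (added example).

A SYSVOL monitor would run these after each DFS-R sync:
  1. integrity drift: SHA-256 of each Preferences XML versus a stored baseline
  2. content inspection: flag TaskV2 entries whose action is "R" (Replace) and
     whose command is on a LOLBin watchlist, noting when they run as SYSTEM
"""
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed watchlist: mshta.exe is the binary named on the page; the others are
# commonly abused Windows-native executables a team would tune for its estate.
LOLBIN_WATCHLIST = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                    "powershell.exe", "wscript.exe", "cscript.exe"}
SYSTEM_PRINCIPALS = {"nt authority\\system", "system", "s-1-5-18"}

# Constructed sample approximating the GPP ScheduledTasks.xml schema: a benign
# "Update" (action="U") task that a maintenance GPO might legitimately deploy.
BASELINE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <TaskV2 name="LogCleanup" image="2" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="LogCleanup" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec>
            <Command>C:\\Windows\\System32\\forfiles.exe</Command>
            <Arguments>/p C:\\Logs /d -30 /c "cmd /c del @path"</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Constructed tampered copy: action flipped to "R" and the command swapped for
# mshta.exe with a placeholder argument (the state change Step 01 describes).
TAMPERED_XML = (BASELINE_XML
                .replace(b'action="U"', b'action="R"')
                .replace(b"C:\\Windows\\System32\\forfiles.exe", b"C:\\Windows\\System32\\mshta.exe")
                .replace(b'/p C:\\Logs /d -30 /c "cmd /c del @path"', b"PLACEHOLDER_ARGUMENT"))


@dataclass
class Finding:
    task_name: str
    action: str
    run_as: str
    command: str
    arguments: str
    reasons: tuple


def parse_tasks(xml_bytes):
    """Extract name, action, runAs, Command and Arguments from each task element."""
    root = ET.fromstring(xml_bytes)
    tasks = []
    for node in root:  # TaskV2 / ImmediateTaskV2 / Task children of <ScheduledTasks>
        props = node.find("Properties")
        if props is None:
            continue
        exec_node = props.find("./Task/Actions/Exec")
        cmd = exec_node.findtext("Command", "") if exec_node is not None else ""
        args = exec_node.findtext("Arguments", "") if exec_node is not None else ""
        tasks.append({
            "name": props.get("name", node.get("name", "")),
            "action": props.get("action", ""),
            "run_as": props.get("runAs", ""),
            "command": cmd.strip(),
            "arguments": args.strip(),
        })
    return tasks


def inspect_tasks(xml_bytes):
    """Return findings for tasks that combine Replace mode with a watchlisted binary."""
    findings = []
    for t in parse_tasks(xml_bytes):
        exe = t["command"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if t["action"] == "R":
            reasons.append("action=R re-registers the task on every Group Policy refresh")
        if exe in LOLBIN_WATCHLIST:
            reasons.append(f"command {exe} is on the LOLBin watchlist")
        if t["run_as"].lower() in SYSTEM_PRINCIPALS:
            reasons.append("runs as SYSTEM")
        # Escalate only when the Replace-mode flaw and a risky binary coincide.
        if t["action"] == "R" and exe in LOLBIN_WATCHLIST:
            findings.append(Finding(t["name"], t["action"], t["run_as"],
                                    t["command"], t["arguments"], tuple(reasons)))
    return findings


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_baseline(files):
    """files: {relative SYSVOL path: bytes} -> {path: sha256 hex}."""
    return {path: sha256(data) for path, data in files.items()}


def check_integrity(baseline, current):
    """Compare current file bytes against stored hashes; report new, changed, deleted."""
    drift = {}
    for path, data in current.items():
        if path not in baseline:
            drift[path] = "new file"
        elif baseline[path] != sha256(data):
            drift[path] = "hash mismatch"
    for path in baseline.keys() - current.keys():
        drift[path] = "deleted"
    return drift


if __name__ == "__main__":
    rel = "Policies/{GPO-GUID-PLACEHOLDER}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml"
    baseline = build_baseline({rel: BASELINE_XML})
    print("drift:", check_integrity(baseline, {rel: TAMPERED_XML}))
    for f in inspect_tasks(TAMPERED_XML):
        print(f"ALERT task={f.task_name!r} action={f.action} runAs={f.run_as!r} cmd={f.command!r}")
        for r in f.reasons:
            print("  -", r)
```

The hash check fires on any byte change and is the cheap first line; the content inspection then explains what changed, which is what an analyst needs to correlate with the 4702 (task updated) events the description calls out as the gap between Replace-mode re-registration and the 4698 (task created) events most rules watch for.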