Weaponizing Group Policy: Custom Client-Side Extensions as a Stealthy Backdoor into Active Directory

A newly published report by Antoine Cauchois, Staff Research Engineer at Tenable, reveals a stealthy persistence technique in Active Directory (AD) that has gone largely undetected: the abuse of custom client-side extensions (CSEs) in Group Policy Objects (GPOs). Unlike previously known GPO abuse techniques relying on built-in features such as Scheduled Tasks or Startup Scripts, this method uses custom-crafted CSE DLLs that run with SYSTEM-level privileges on every Group Policy refresh cycle.

Group Policy Objects define system configurations, but it’s the client-side extensions (CSEs) that actually apply those settings on the endpoint.

Each CSE is:

• A DLL file that runs code during GPO processing.
• Identified by a Globally Unique Identifier (GUID).
• Registered in the Windows registry under the HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions path.

“Each CSE is essentially a dynamic link library (DLL) file on the client Windows machine responsible for processing a particular type of Group Policy setting,” Antoine explains.

This architecture offers a dangerous opportunity: if an attacker can register their own CSE, they gain persistent SYSTEM-level code execution across all machines applying the GPO.

The report provides a full working example where an attacker:

1. Creates a custom DLL (advshcore.dll) pretending to be a legitimate CSE named “Group Policy Shell Configuration.”
2. Registers it using regsvr32.exe, adding a unique GUID to the system registry.
3. Updates a GPO’s gPCMachineExtensionNames attribute to load the custom CSE during each refresh cycle.
4. Gains stealthy and persistent access, running as SYSTEM without triggering common GPO detection mechanisms.

“This technique represents a novel persistence method, effectively creating a backdoor in the domain on targeted workstations and servers,” the report states.

The technique supports multiple deployment methods:

• High reliability: Copy the DLL locally via Group Policy Preferences (e.g., Files or Startup Scripts). Downside: more likely to be detected.
• High stealth: Host the DLL on a share (e.g., SYSVOL) and register the path in the registry directly. Downside: won’t survive registry wipe or GPO refresh loss.
• GUID hijacking: Replace the DLL path of a legitimate but unused built-in CSE, allowing attackers to use a “trusted” GUID to load malicious code.

“This obscurity is valuable to an attacker, offering inherent discretion through an unknown CSE GUID, plus the benefit of SYSTEM code execution capability.”

Antoine Cauchois highlights multiple strategies for defenders:

• Monitor Event ID 5145 (file access to SYSVOL) and 4688 (process creation).
• Watch for registry changes under GPExtensions or modifications to GPO attributes like gPCMachineExtensionNames.
• Flag unknown or unsanctioned CSE GUIDs in your AD environment.

“Traditional detections often focus on famously abused CSEs… registering and deploying a custom CSE can be achieved without these easily identifiable actions.”

This method:

• Leverages trusted Windows functionality, not malware binaries.
• Persists silently through GPO updates and machine reboots.
• Bypasses common detection tools, especially if custom GUIDs and stealthy deployment are used.

“The CSE code runs with SYSTEM privileges during each Group Policy refresh cycle, offering persistent and potentially long-term control to an attacker,” the report concludes.

Related Posts:

• ME Analyzer: Intel Engine Firmware Analysis Tool
• CSE CybSec ZLAB releases Malware Analysis Report: Dark Caracal APT
• 10,000 WordPress Websites Compromised to Deliver macOS and Windows Malware