T1484 Domain or Tenant Policy Modification Mappings

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

  • modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)
  • modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)
  • changing configuration settings within the AD environment to implement a Rogue Domain Controller.
  • adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

View in MITRE ATT&CK®

VERIS Mappings

Loading, please wait
Capability ID
Capability Description
Mapping Type
ATT&CK ID
ATT&CK Name
Notes
attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484 Domain or Tenant Policy Modification
Showing 1 to 1 of 1 rows

GCP Mappings

Loading, please wait
Capability ID
Capability Description
Mapping Type
ATT&CK ID
ATT&CK Name
Notes
google_secops Google Security Operations technique_scores T1484 Domain or Tenant Policy Modification
Comments
Google Security Ops is able to trigger an alert based off suspicious system events, such as modifications to Windows password policies (event ID 643 or 4739). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_windows_password_policy_changes.yaral
References
security_command_center Security Command Center technique_scores T1484 Domain or Tenant Policy Modification
Comments
SCC ingests admin activity from Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against adversary created accounts used to establish or maintain persistence. Because of the temporal factor to detect this attack, the control was graded as significant.
References
Showing 1 to 2 of 2 rows

ATT&CK Subtechniques

Loading, please wait
Technique ID
Technique Name
Number of Mappings
T1484.002 Trust Modification 1
T1484.001 Group Policy Modification 1
Showing 1 to 2 of 2 rows