1. Home
  2. ATT&CK Techniques
  3. T1484 Domain or Tenant Policy Modification

T1484 Domain or Tenant Policy Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

  • modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)
  • modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)
  • changing configuration settings within the AD environment to implement a Rogue Domain Controller.
  • adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1484 Domain or Tenant Policy Modification
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.AA-05.03 Service accounts Mitigates T1484 Domain or Tenant Policy Modification
    Comments
    This diagnostic statement is for the implementation of security controls for service accounts (i.e., accounts used by systems to access other systems). Restrict administrative privileges to mitigate this technique.
    References
      PR.AA-05.02 Privileged system access Mitigates T1484 Domain or Tenant Policy Modification
      Comments
      This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-06.02 Third-party access monitoring Mitigates T1484 Domain or Tenant Policy Modification
        Comments
        This diagnostic statement protects against Domain or Tenant Policy Modification through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
        References
          PR.AA-05.01 Access privilege limitation Mitigates T1484 Domain or Tenant Policy Modification
          Comments
          This diagnostic statement describes the implementation of least privilege principle, which can be applied to limiting permissions through role-based access controls, file and directory permissions, and the execution of systems and services. Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server.
          References
            PR.AA-01.01 Identity and credential management Mitigates T1484 Domain or Tenant Policy Modification
            Comments
            This diagnostic statement protects against Domain or Tenant Policy Modification through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
            References

              NIST 800-53 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              CM-06 Configuration Settings mitigates T1484 Domain or Tenant Policy Modification
              CM-05 Access Restrictions for Change mitigates T1484 Domain or Tenant Policy Modification
              RA-05 Vulnerability Monitoring and Scanning mitigates T1484 Domain or Tenant Policy Modification
              CM-02 Baseline Configuration mitigates T1484 Domain or Tenant Policy Modification
              CM-02 Baseline Configuration mitigates T1484 Domain or Tenant Policy Modification
              IA-02 Identification and Authentication (Organizational Users) mitigates T1484 Domain or Tenant Policy Modification
              CM-07 Least Functionality mitigates T1484 Domain or Tenant Policy Modification
              SI-04 System Monitoring mitigates T1484 Domain or Tenant Policy Modification
              AC-02 Account Management mitigates T1484 Domain or Tenant Policy Modification
              AC-03 Access Enforcement mitigates T1484 Domain or Tenant Policy Modification
              AC-04 Information Flow Enforcement mitigates T1484 Domain or Tenant Policy Modification
              AC-05 Separation of Duties mitigates T1484 Domain or Tenant Policy Modification
              AC-06 Least Privilege mitigates T1484 Domain or Tenant Policy Modification

              VERIS Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              attribute.integrity.variety.Modify configuration Modified configuration or services related-to T1484 Domain or Tenant Policy Modification

              Azure Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              microsoft_sentinel Microsoft Sentinel technique_scores T1484 Domain or Tenant Policy Modification
              Comments
              This control provides minimal to partial coverage of both of this technique's sub-techniques, resulting in an overall score of Partial.
              References
              1. https://learn.microsoft.com/en-us/azure/sentinel/overview
              2. https://learn.microsoft.com/en-us/azure/sentinel/hunting

              GCP Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              google_secops Google Security Operations technique_scores T1484 Domain or Tenant Policy Modification
              Comments
              Google Security Ops is able to trigger an alert based off suspicious system events, such as modifications to Windows password policies (event ID 643 or 4739). This technique was scored as minimal based on low or uncertain detection coverage factor. https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/detect_windows_password_policy_changes.yaral
              References
              1. ['https://cloud.google.com/security/products/security-operations'
              2. 'https://cloud.google.com/chronicle/docs/secops/secops-overview'
              3. 'https://github.com/chronicle/detection-rules']
              security_command_center Security Command Center technique_scores T1484 Domain or Tenant Policy Modification
              Comments
              SCC ingests admin activity from Cloud Audit logs to detect when an external member is added to a privileged group with sensitive permissions or roles. This security solution protects against adversary created accounts used to establish or maintain persistence. Because of the temporal factor to detect this attack, the control was graded as significant.
              References
              1. ['https://cloud.google.com/security-command-center/docs/concepts-security-command-center-overview'
              2. 'https://github.com/GoogleCloudPlatform/security-analytics']

              M365 Mappings

              Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
              DEF-SECA-E3 Security Alerts Technique Scores T1484 Domain or Tenant Policy Modification
              Comments
              Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
              References
              1. https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
              DEF-SECA-E3 Security Alerts Technique Scores T1484 Domain or Tenant Policy Modification
              Comments
              Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links: Reconnaissance and discovery alerts Persistence and privilege escalation alerts Credential access alerts Lateral movement alerts Other alerts License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
              References
              1. https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
              DEF-CAPP-E5 Defender for Cloud Apps Technique Scores T1484 Domain or Tenant Policy Modification
              Comments
              This control can detect admin activity from risky IP addresses.
              References
              1. https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
              2. https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
              3. https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
              EID-RBAC-E3 Role Based Access Control Technique Scores T1484 Domain or Tenant Policy Modification
              Comments
              The RBAC control can be used to implement the principle of least privilege to limit administrative accounts. This scores Partial for its ability to minimize the overall accounts that can modify domain policies. License Requirements: ME-ID Built-in Roles (Free)
              References
              1. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/concept-understand-roles
              2. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
              3. https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview

              ATT&CK Subtechniques

              Technique ID Technique Name Number of Mappings
              T1484.002 Trust Modification 10
              T1484.001 Group Policy Modification 6