1. Home
  2. ATT&CK Techniques
  3. T1484 Domain or Tenant Policy Modification

T1484 Domain or Tenant Policy Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

  • modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)
  • modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)
  • changing configuration settings within the AD environment to implement a Rogue Domain Controller.
  • adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023)

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

View in MITRE ATT&CK®

CSA CCM Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
IAM-16 Authorization Mechanisms mitigates T1484 Domain or Tenant Policy Modification
Comments
This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.
References
    IAM-11 CSCs Approval for Agreed Privileged Access Roles mitigates T1484 Domain or Tenant Policy Modification
    Comments
    This control requires both CSP and CSC to collaboratively identify high-risk data and privileged roles, enforce formal CSC approval workflows for CSP user access, use secure PAM systems, and implement comprehensive monitoring and reporting to ensure privileged access to sensitive CSC data is tightly controlled and traceable. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through account permissions and roles, PAM solutions, or just-In-Time access.
    References
      IAM-10 Management of Privileged Access Roles mitigates T1484 Domain or Tenant Policy Modification
      Comments
      This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through account permissions and roles, PAM solutions, or just-In-Time access.
      References
        IAM-09 Segregation of Privileged Access Roles mitigates T1484 Domain or Tenant Policy Modification
        Comments
        This control describes the periodic, risk-based, and reviews of privileged accounts and high-risk access configurations, ensuring these are accounts are managed and scrutinized to prevent unauthorized access or excessive privileges. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through account permissions and roles, PAM solutions, or just-In-Time access.
        References
          IAM-06 User Access Provisioning mitigates T1484 Domain or Tenant Policy Modification
          Comments
          This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.
          References

            ATT&CK Subtechniques

            Technique ID Technique Name Number of Mappings
            T1484.002 Trust Modification 6
            T1484.001 Group Policy Modification 1