Home
ATT&CK Techniques
T1484 Domain Policy Modification

T1484 Domain Policy Modification Mappings

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a Rogue Domain Controller.

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

View in MITRE ATT&CK®

Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-2	Account Management	Protects	T1484	Domain Policy Modification
AC-3	Access Enforcement	Protects	T1484	Domain Policy Modification
AC-4	Information Flow Enforcement	Protects	T1484	Domain Policy Modification
AC-5	Separation of Duties	Protects	T1484	Domain Policy Modification
AC-6	Least Privilege	Protects	T1484	Domain Policy Modification
CA-8	Penetration Testing	Protects	T1484	Domain Policy Modification
CM-2	Baseline Configuration	Protects	T1484	Domain Policy Modification
CM-5	Access Restrictions for Change	Protects	T1484	Domain Policy Modification
CM-6	Configuration Settings	Protects	T1484	Domain Policy Modification
CM-7	Least Functionality	Protects	T1484	Domain Policy Modification
IA-2	Identification and Authentication (organizational Users)	Protects	T1484	Domain Policy Modification
RA-5	Vulnerability Monitoring and Scanning	Protects	T1484	Domain Policy Modification
SI-4	System Monitoring	Protects	T1484	Domain Policy Modification
azure_sentinel	Azure Sentinel	technique_scores	T1484	Domain Policy Modification
cloud_app_security_policies	Cloud App Security Policies	technique_scores	T1484	Domain Policy Modification

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1484.001	Group Policy Modification	2
T1484.002	Domain Trust Modification	2