An adversary modifies Group Policy Objects (GPOs), domain trusts, or other directory service objects via GUI (e.g., GPMC), CLI, or programmatic APIs. Behavior includes creation or modification of GPOs, changes to delegation permissions, changes to trust objects, or registration of a rogue domain controller. Changes to the directory objects surface as Security 5136-5141 events on the domain controller; changes to the policy files themselves surface as SYSVOL file permission changes (4670).
| Data Component | Name | Channel |
|---|---|---|
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=5136,5137,5138,5139,5141 |
| File Modification (DC0061) | WinEventLog:Security | EventCode=4670 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| ObjectDN | Filter to specific AD containers (e.g., CN=Policies,CN=System,DC=domain,DC=com) for GPOs. |
| AttributeModified | Focus on high-risk attributes such as gPCFileSysPath, ntSecurityDescriptor. |
| TimeWindow | Correlate changes with suspicious process creation or privileged user logon. |
| UserContext | Alert on unexpected user or service account modifying domain policy. |
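The following is an added example, not part of the original analytic, that applies the mutable elements above (ObjectDN container filter, high-risk attribute list, expected-user allowlist, time-window correlation with process creation) to constructed Security 5136/5137 and Sysmon 1 records. The domain name `corp.example`, the account names, the GUIDs, the file paths and the ten-minute window are invented for the example; `gPLink` and the `gPC*ExtensionNames` attributes are added to the high-risk set as an assumption beyond the two attributes the analytic names.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed tuning values for a hypothetical domain "corp.example"; adjust per environment.
GPO_CONTAINER_SUFFIX = "cn=policies,cn=system,dc=corp,dc=example"
# gPCFileSysPath and nTSecurityDescriptor come from the analytic above; gPLink and the
# extension-name attributes are added here (assumption) because they also change what a
# GPO applies and where it is linked.
HIGH_RISK_ATTRIBUTES = {"gpcfilesyspath", "ntsecuritydescriptor", "gplink",
                        "gpcmachineextensionnames", "gpcuserextensionnames"}
EXPECTED_GPO_EDITORS = {r"CORP\gpo-admin"}   # principals allowed to edit policy
GUI_EDITOR_IMAGES = {"mmc.exe"}               # GPMC runs inside mmc.exe
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample records: field names mirror Security 5136/5137 and Sysmon 1, values are invented.
SECURITY_EVENTS = [
    {"EventCode": 5136, "TimeCreated": "2024-05-01T09:00:05", "SubjectUserName": r"CORP\gpo-admin",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "versionNumber", "AttributeValue": "42"},
    {"EventCode": 5136, "TimeCreated": "2024-05-01T02:13:40", "SubjectUserName": r"CORP\svc-backup",
     "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCFileSysPath",
     "AttributeValue": r"\\fileserver.corp.example\staging\gpo"},
    {"EventCode": 5136, "TimeCreated": "2024-05-01T03:00:00", "SubjectUserName": r"CORP\helpdesk1",
     "ObjectDN": "CN=Alice Doe,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": "O:DAG:DAD:AI(A;;GA;;;BA)"},
    {"EventCode": 5137, "TimeCreated": "2024-05-01T02:15:00", "SubjectUserName": r"CORP\svc-backup",
     "ObjectDN": "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example",
     "ObjectClass": "groupPolicyContainer"},
]
SYSMON_EVENTS = [
    {"EventCode": 1, "TimeCreated": "2024-05-01T08:58:30", "User": r"CORP\gpo-admin",
     "Image": r"C:\Windows\System32\mmc.exe", "CommandLine": "mmc.exe gpmc.msc"},
    {"EventCode": 1, "TimeCreated": "2024-05-01T02:11:02", "User": r"CORP\svc-backup",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -f C:\Temp\gpo.ps1"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def is_gpo_object(object_dn):
    """True for a groupPolicyContainer (CN={GUID}) under CN=Policies, or anything beneath one."""
    dn = object_dn.lower()
    return dn.endswith(GPO_CONTAINER_SUFFIX) and "cn={" in dn


def correlated_scripted_processes(change, sysmon_events, window):
    """Image names of processes the same principal started within the window, excluding the GPMC GUI."""
    when = _ts(change["TimeCreated"])
    hits = []
    for proc in sysmon_events:
        if proc["EventCode"] != 1 or proc["User"] != change["SubjectUserName"]:
            continue
        if abs(when - _ts(proc["TimeCreated"])) > window:
            continue
        image = PureWindowsPath(proc["Image"]).name.lower()
        if image not in GUI_EDITOR_IMAGES:
            hits.append(image)
    return hits


def detect_gpo_modifications(security_events, sysmon_events, window=CORRELATION_WINDOW):
    """Return one alert per GPO change that trips at least one of the mutable-element checks."""
    alerts = []
    for ev in security_events:
        # ObjectDN filter: only GPO containers under CN=Policies,CN=System are in scope.
        if ev["EventCode"] not in (5136, 5137) or not is_gpo_object(ev["ObjectDN"]):
            continue
        reasons = []
        attr = ev.get("AttributeLDAPDisplayName", "")
        if ev["EventCode"] == 5136 and attr.lower() in HIGH_RISK_ATTRIBUTES:
            reasons.append(f"high-risk attribute {attr} set to {ev['AttributeValue']}")
        if ev["SubjectUserName"] not in EXPECTED_GPO_EDITORS:
            reasons.append(f"unexpected principal {ev['SubjectUserName']}")
        scripted = correlated_scripted_processes(ev, sysmon_events, window)
        if scripted:
            reasons.append("scripted tooling in window: " + ", ".join(scripted))
        if reasons:
            alerts.append({"EventCode": ev["EventCode"], "ObjectDN": ev["ObjectDN"],
                           "SubjectUserName": ev["SubjectUserName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_gpo_modifications(SECURITY_EVENTS, SYSMON_EVENTS):
        print(alert["EventCode"], alert["SubjectUserName"], alert["ObjectDN"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run as written, the benign `versionNumber` bump by the allowed editor through mmc.exe produces nothing, the ACL change on a user object is dropped by the ObjectDN filter, and the two `svc-backup` events (a `gPCFileSysPath` redirect and a new GPO container, both within minutes of a PowerShell launch by the same account) each produce an alert. The process correlation keys on the principal name because the 5136 event is logged on the DC while the tool runs wherever the operator sits; in a real pipeline the join should also respect the clock skew between those hosts.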
An adversary modifies tenant policy through changes to federation configuration, trust settings, or identity provider additions in Microsoft 365/Azure AD (Entra ID) via the Azure Portal, PowerShell, or the Graph API. This includes switching a domain's authentication type to federated or updating the settings of an already federated domain, which lets the adversary's own identity provider issue tokens the tenant will accept.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Set federation settings on domain|Set domain authentication|Add federated identity provider |
| User Account Authentication (DC0002) | azure:signinlogs | OperationName=SetDomainAuthentication OR Set-FederatedDomain |
| Field | Description |
|---|---|
| OperationName | Identify rare modification operations that are not part of standard admin lifecycle. |
| InitiatedBy | Filter by known administrators or service principals. Flag unknown initiators. |
| UserAgent | Detect scripted modifications (e.g., PowerShell/Graph API vs Azure Portal). |
| TimeWindow | Correlate tenant policy changes with new sign-ins or token forgery attempts. |
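The following is an added example, not part of the original analytic, that applies the mutable elements above (OperationName rarity, InitiatedBy allowlist, UserAgent heuristic, sign-in correlation window) to constructed `m365:unified` and sign-in records. The tenant domain `corp.example`, the account names, the user-agent strings and the one-hour window are invented; the assumptions that `ObjectId` carries the target domain name, that the ingestion pipeline has lifted the user agent into a top-level `UserAgent` field, and that the scripted-client markers below are sufficient are all marked in the code.

```python
from datetime import datetime, timedelta

# Constructed tuning values for a hypothetical tenant; adjust per environment.
# Operation names follow the analytic above; the unified audit log writes them with a
# trailing period, which normalize_op() strips before matching.
FEDERATION_OPERATIONS = {"set federation settings on domain",
                         "set domain authentication",
                         "add federated identity provider"}
KNOWN_FEDERATION_ADMINS = {"tenantadmin@corp.example"}
# Heuristic (assumption): user agents carrying these markers indicate scripted access
# (PowerShell modules, Graph SDKs, raw HTTP clients) rather than the Azure Portal.
SCRIPTED_UA_MARKERS = ("powershell", "microsoft.graph", "python-requests", "go-http-client", "curl/")
FOLLOWUP_WINDOW = timedelta(hours=1)

# Constructed sample records. Field names mirror m365:unified (CreationTime, Operation,
# UserId, ObjectId) and Entra sign-in logs (CreatedDateTime, UserPrincipalName); UserAgent is
# assumed to have been extracted from the record's ExtendedProperties by the pipeline.
UNIFIED_AUDIT = [
    {"CreationTime": "2024-05-01T10:02:00", "Operation": "Set domain authentication.",
     "Workload": "AzureActiveDirectory", "UserId": "tenantadmin@corp.example",
     "ObjectId": "corp.example",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"CreationTime": "2024-05-01T22:40:11", "Operation": "Set federation settings on domain.",
     "Workload": "AzureActiveDirectory", "UserId": "svc-sync@corp.example",
     "ObjectId": "corp.example",
     "UserAgent": "PowerShell/7.4.1 Microsoft.Graph.Identity.DirectoryManagement"},
    {"CreationTime": "2024-05-01T22:41:00", "Operation": "Add user.",
     "Workload": "AzureActiveDirectory", "UserId": "svc-sync@corp.example",
     "ObjectId": "bob@corp.example", "UserAgent": "PowerShell/7.4.1"},
]
SIGNIN_LOGS = [
    {"CreatedDateTime": "2024-05-01T09:00:00", "UserPrincipalName": "alice@corp.example",
     "AppDisplayName": "Microsoft Teams", "IPAddress": "198.51.100.20"},
    {"CreatedDateTime": "2024-05-01T22:55:30", "UserPrincipalName": "cfo@corp.example",
     "AppDisplayName": "Office 365 Exchange Online", "IPAddress": "203.0.113.7"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def normalize_op(operation):
    """'Set domain authentication.' -> 'set domain authentication'."""
    return operation.strip().rstrip(".").lower()


def is_scripted(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in SCRIPTED_UA_MARKERS)


def followup_signins(domain, after, signins, window):
    """UPNs in the affected domain that signed in within `window` after the change."""
    hits = []
    for s in signins:
        delta = _ts(s["CreatedDateTime"]) - after
        if s["UserPrincipalName"].lower().endswith("@" + domain) and timedelta(0) <= delta <= window:
            hits.append(s["UserPrincipalName"])
    return hits


def detect_federation_changes(audit_records, signin_records, window=FOLLOWUP_WINDOW):
    """One alert per federation operation; severity rises with each mutable-element check that trips."""
    alerts = []
    for rec in audit_records:
        if normalize_op(rec["Operation"]) not in FEDERATION_OPERATIONS:
            continue
        domain = rec["ObjectId"].lower()   # assumption: ObjectId carries the domain name
        reasons = []
        if rec["UserId"].lower() not in KNOWN_FEDERATION_ADMINS:
            reasons.append(f"initiated by unknown principal {rec['UserId']}")
        if is_scripted(rec.get("UserAgent", "")):
            reasons.append(f"scripted client: {rec['UserAgent']}")
        users = followup_signins(domain, _ts(rec["CreationTime"]), signin_records, window)
        if users:
            reasons.append(f"{len(users)} sign-in(s) for @{domain} within {window}: " + ", ".join(users))
        # Federation changes are rare enough to always surface; escalate when reasons accrue.
        alerts.append({"Operation": normalize_op(rec["Operation"]), "UserId": rec["UserId"],
                       "Domain": domain, "severity": "high" if reasons else "low",
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_federation_changes(UNIFIED_AUDIT, SIGNIN_LOGS):
        print(alert["severity"].upper(), alert["Operation"], alert["UserId"], alert["Domain"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The known administrator's portal change is surfaced at low severity so it still lands in the rare-operation review queue, while the `svc-sync` change made through PowerShell and followed by a sign-in for the same domain escalates to high. The sign-in correlation is deliberately simple: any sign-in for the newly federated domain after the change. A stricter version would keep only sign-ins whose authentication details show the new federation path, which requires a field the constructed records do not model.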