1. Home
  2. Techniques
  3. Enterprise
  4. Domain or Tenant Policy Modification

Domain or Tenant Policy Modification

ID Name
T1484.001 Group Policy Modification
T1484.002 Trust Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

  • modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment[1][2][3]
  • modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources[4]
  • changing configuration settings within the AD environment to implement a Rogue Domain Controller.
  • adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant [5]

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

ID: T1484
Sub-techniques:  T1484.001, T1484.002
Platforms: Identity Provider, Windows
Permissions Required: Administrator, User
Defense Bypassed: File system access controls, System access controls
Contributors: Obsidian Security
Version: 3.1
Created: 07 March 2019
Last Modified: 15 October 2024
Version Permalink

Mitigations

ID Mitigation Description
M1047 Audit

Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later)[6].
M1026 Privileged Account Management

Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.
M1018 User Account Management

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[2][7][8]

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Creation

Monitor for newly constructed active directory objects, such as Windows EID 5137.
Active Directory Object Deletion

Monitor for unexpected deletion of an active directory object, such as Windows EID 5141.
Active Directory Object Modification

Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.).
DS0015 Application Log Application Log Content

Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event system.idp.lifecycle.create will trigger on the creation of an identity provider, while sign-ins from a third-party identity provider will create the event user.authentication.auth_via_IDP.[9]
DS0017 Command Command Execution

Monitor executed commands and arguments for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[10][11]

References

  1. Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.
  2. Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.
  3. Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.
  4. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  5. Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.
  6. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  1. Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019.
  2. Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019.
  3. Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.
  4. Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.
  5. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.