T1484: Domain or Tenant Policy Modification
Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.
Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.
With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:
- modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment
- modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources
- changing configuration settings within the AD environment to implement a Rogue Domain Controller.
- adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant
Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
Subtechniques
Detection
ID | DS0026 | Data source and component | Active Directory: Active Directory Object Creation | Description | Monitor for newly constructed active directory objects, such as Windows EID 5137. |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes |
---|
ID | DS0026 | Data source and component | Active Directory: Active Directory Object Modification | Description | Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.). |
---|
ID | DS0015 | Data source and component | Application Log: Application Log Content | Description | Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event |
---|
ID | DS0026 | Data source and component | Active Directory: Active Directory Object Deletion | Description | Monitor for unexpected deletion of an active directory object, such as Windows EID 5141. |
---|
Mitigation
ID | M1047 | Name | Audit | Description | Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later). |
---|
ID | M1026 | Name | Privileged Account Management | Description | Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges. |
---|
ID | M1018 | Name | User Account Management | Description | Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to. |
---|