T1484: Domain or Tenant Policy Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

  • modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment
  • modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources
  • changing configuration settings within the AD environment to implement a Rogue Domain Controller.
  • adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

Subtechniques

Detection

IDDS0026Data source and componentActive Directory: Active Directory Object CreationDescription

Monitor for newly constructed active directory objects, such as Windows EID 5137.

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.

IDDS0026Data source and componentActive Directory: Active Directory Object ModificationDescription

Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.).

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event system.idp.lifecycle.create will trigger on the creation of an identity provider, while sign-ins from a third-party identity provider will create the event user.authentication.auth_via_IDP.

IDDS0026Data source and componentActive Directory: Active Directory Object DeletionDescription

Monitor for unexpected deletion of an active directory object, such as Windows EID 5141.

Mitigation

IDM1047NameAuditDescription

Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later).

IDM1026NamePrivileged Account ManagementDescription

Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.

IDM1018NameUser Account ManagementDescription

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.