1. Home
  2. Techniques
  3. Enterprise
  4. Domain Policy Modification

Domain Policy Modification

ID Name
T1484.001 Group Policy Modification
T1484.002 Domain Trust Modification

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment[1][2][3] or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.[4] Adversaries can also change configuration settings within the AD environment to implement a Rogue Domain Controller.

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

ID: T1484
Sub-techniques:  T1484.001, T1484.002
Platforms: Azure AD, Windows
Permissions Required: Administrator, User
Defense Bypassed: File system access controls, System access controls
Version: 2.0
Created: 07 March 2019
Last Modified: 09 February 2021

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.[5][6]

Mitigations

ID Mitigation Description
M1047 Audit

Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later)[7].
M1026 Privileged Account Management

Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.
M1018 User Account Management

Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.[2][8][9]

Detection

ID Data Source Data Component
DS0026 Active Directory Active Directory Object Creation
Active Directory Object Deletion
Active Directory Object Modification
DS0017 Command Command Execution

It may be possible to detect domain policy modifications using Windows event logs. Group policy modifications, for example, may be logged under a variety of Windows event IDs for modifying, creating, undeleting, moving, and deleting directory service objects (Event ID 5136, 5137, 5138, 5139, 5141 respectively). Monitor for modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain or updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[10][11] This may also include monitoring for Event ID 307 which can be correlated to relevant Event ID 510 with the same Instance ID for change details.[12][13]

Consider monitoring for commands/cmdlets and command-line arguments that may be leveraged to modify domain policy settings.[14] Some domain policy modifications, such as changes to federation settings, are likely to be rare.[11]

References

  1. Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.
  2. Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.
  3. Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved March 5, 2019.
  4. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  5. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  6. Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.
  7. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  1. Microsoft. (2008, September 11). Fun with WMI Filters in Group Policy. Retrieved March 13, 2019.
  2. Microsoft. (2018, May 30). Filtering the Scope of a GPO. Retrieved March 13, 2019.
  3. Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.
  4. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  5. Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021.
  6. CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021.
  7. Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.