T1484

Domain or Tenant Policy Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. This includes altering Group Policy Objects (GPOs) in Active Directory to push malicious configurations to domain-joined endpoints, modifying domain trust relationships to allow adversary-controlled domains to forge access tokens accepted by victim resources, and adding rogue federated identity providers to cloud tenants (Azure AD, Okta) to authenticate as any managed user. Nation-state actors including those behind the SolarWinds (SUNBURST) campaign abused federation trust settings to achieve persistent, stealthy access across cloud environments. Attackers may temporarily modify policy, complete their objective, and revert changes to remove indicators.

Microsoft Sentinel / Defender

kusto

// T1484 — Domain or Tenant Policy Modification
// Covers: GPO creation/modification, domain trust changes, Azure AD federation abuse
let GPOModificationEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (5136, 5137, 5141)
| extend ObjectClass_ = tostring(EventData.ObjectClass)
| extend ObjectDN_ = tostring(EventData.ObjectDN)
| extend AttributeName_ = tostring(EventData.AttributeLDAPDisplayName)
| extend AttributeValue_ = tostring(EventData.AttributeValue)
| extend SubjectAccount = tostring(EventData.SubjectUserName)
| extend SubjectDomain = tostring(EventData.SubjectDomainName)
| where ObjectClass_ =~ "groupPolicyContainer" or ObjectDN_ has "Policies"
| extend EventType = case(
    EventID == 5137, "GPO Created",
    EventID == 5136, "GPO Modified",
    EventID == 5141, "GPO Deleted",
    "Unknown"
  )
| project TimeGenerated, EventID, EventType, SubjectAccount, SubjectDomain,
          ObjectDN_, ObjectClass_, AttributeName_, AttributeValue_, Computer;
let DomainTrustEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4706, 4707, 4716, 4865, 4866, 4867)
| extend TargetDomain_ = tostring(EventData.TargetDomainName)
| extend TrustType_ = tostring(EventData.TrustType)
| extend TrustDirection_ = tostring(EventData.TrustDirection)
| extend TrustAttributes_ = tostring(EventData.TrustAttributes)
| extend SubjectAccount = tostring(EventData.SubjectUserName)
| extend SubjectDomain = tostring(EventData.SubjectDomainName)
| extend EventType = case(
    EventID == 4706, "Trust Created",
    EventID == 4707, "Trust Removed",
    EventID == 4716, "Trust Modified",
    EventID == 4865, "Forest Trust Entry Added",
    EventID == 4866, "Forest Trust Entry Removed",
    EventID == 4867, "Forest Trust Entry Modified",
    "Unknown"
  )
| project TimeGenerated, EventID, EventType, SubjectAccount, SubjectDomain,
          TargetDomain_, TrustType_, TrustDirection_, TrustAttributes_, Computer;
let AzureADFederationEvents = AuditLogs
| where TimeGenerated > ago(24h)
| where Category in ("Policy", "Application", "DirectoryManagement")
| where OperationName in (
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain to company",
    "Add verified domain to company",
    "Remove verified domain from company",
    "Update domain",
    "Set company information",
    "Add policy to service principal",
    "Delete policy from service principal",
    "Update policy"
  )
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend EventType = strcat("Azure AD: ", OperationName)
| project TimeGenerated, OperationName, EventType, Result, ActorUPN, ActorApp,
          ActorIP, TargetResource, CorrelationId;
// GPO Modification via PowerShell (process-based detection)
let GPOPowerShellEvents = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any (
    "New-GPO", "Set-GPLink", "Set-GPPermission", "Set-GPRegistryValue",
    "Import-GPO", "Copy-GPO", "Restore-GPO", "New-GPLink",
    "Set-ADObject", "New-ADObject",
    "gpupdate", "gpscript",
    "LDAP://CN=Policies"
  )
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          EventType = "GPO PowerShell Activity";
union isfuzzy=true
    (GPOModificationEvents | extend Source = "Windows Security Log"),
    (DomainTrustEvents | extend Source = "Windows Security Log - Trust"),
    (AzureADFederationEvents | extend Source = "Azure AD Audit Log"),
    (GPOPowerShellEvents | extend Source = "MDE Process Events")
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Active Directory: Active Directory Object Modification Active Directory: Active Directory Object Creation Active Directory: Active Directory Object Deletion Cloud Service: Cloud Service Modification Process: Process Creation Command: Command Execution Windows Security Event Log Azure Active Directory Audit Logs

Required Tables

SecurityEvent AuditLogs DeviceProcessEvents

False Positives

Legitimate Group Policy administration by IT staff using GPMC or Group Policy PowerShell module during scheduled maintenance windows
Domain controllers joining or leaving forests creating legitimate trust modification events (4706/4716) during infrastructure changes
Azure AD Connect or ADFS deployment/reconfiguration generating federation settings events during sanctioned identity synchronization projects
Automated configuration management tools (Desired State Configuration, Ansible, PingCastle) that enumerate or validate GPO settings as part of compliance checking
Domain trust events generated during disaster recovery exercises, domain migrations, or AD restructuring projects authorized by IT leadership

Splunk

spl

| union
[
  search index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=5136 OR EventCode=5137 OR EventCode=5141)
  | eval ObjectClass=coalesce(ObjectClass, mvindex(split(_raw, "Object Class:"), 1))
  | where ObjectClass="groupPolicyContainer" OR searchmatch("Policies,System")
  | eval EventType=case(
      EventCode=5137, "GPO Created",
      EventCode=5136, "GPO Modified",
      EventCode=5141, "GPO Deleted",
      true(), "Unknown"
    )
  | eval Actor=coalesce(SubjectAccountName, src_user)
  | eval Source="AD Security Log - GPO"
  | table _time, host, EventCode, EventType, Actor, SubjectDomainName, ObjectDN, AttributeLDAPDisplayName, Source
]
[
  search index=wineventlog sourcetype="WinEventLog:Security"
    (EventCode=4706 OR EventCode=4707 OR EventCode=4716 OR EventCode=4865 OR EventCode=4866 OR EventCode=4867)
  | eval EventType=case(
      EventCode=4706, "Domain Trust Created",
      EventCode=4707, "Domain Trust Removed",
      EventCode=4716, "Domain Trust Modified",
      EventCode=4865, "Forest Trust Entry Added",
      EventCode=4866, "Forest Trust Entry Removed",
      EventCode=4867, "Forest Trust Entry Modified",
      true(), "Unknown"
    )
  | eval Actor=coalesce(SubjectAccountName, src_user)
  | eval Source="AD Security Log - Trust"
  | table _time, host, EventCode, EventType, Actor, SubjectDomainName, TargetDomainName, TrustType, TrustDirection, Source
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    (CommandLine="*New-GPO*" OR CommandLine="*Set-GPLink*" OR CommandLine="*Set-GPPermission*"
     OR CommandLine="*Set-GPRegistryValue*" OR CommandLine="*Import-GPO*" OR CommandLine="*Copy-GPO*"
     OR CommandLine="*Restore-GPO*" OR CommandLine="*New-GPLink*" OR CommandLine="*gpupdate*"
     OR CommandLine="*LDAP://CN=Policies*" OR CommandLine="*Set-ADObject*")
  | eval EventType="GPO PowerShell Cmdlet"
  | eval Actor=User
  | eval Source="Sysmon Process"
  | table _time, host, EventCode, EventType, Actor, Image, CommandLine, ParentImage, Source
]
| eval RiskScore=case(
    EventType="GPO Created", 70,
    EventType="GPO Modified", 60,
    EventType="GPO Deleted", 80,
    EventType="Domain Trust Created", 90,
    EventType="Domain Trust Removed", 85,
    EventType="Domain Trust Modified", 85,
    EventType="Forest Trust Entry Added", 90,
    EventType="Forest Trust Entry Removed", 80,
    EventType="Forest Trust Entry Modified", 85,
    EventType="GPO PowerShell Cmdlet", 65,
    true(), 50
  )
| where RiskScore >= 60
| sort - _time
| table _time, host, EventCode, EventType, Actor, Source, RiskScore, CommandLine, ObjectDN, TargetDomainName, AttributeLDAPDisplayName

high severity high confidence

Data Sources

Active Directory: Active Directory Object Modification Active Directory: Active Directory Object Creation Process: Process Creation Command: Command Execution Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Group Policy administration by IT staff using GPMC or PowerShell during maintenance windows
Domain infrastructure changes (new DC promotion, domain migration, forest functional level upgrades) generating expected trust events
Automated configuration management tools (DSC, Ansible) validating or applying GPO-based configurations
Disaster recovery procedures involving AD restoration from backup that replay GPO creation events
Third-party AD management tools (Quest, Netwrix) that enumerate GPO settings for reporting or auditing

Elastic Security (EQL)

eql

any where
  // GPO object creation, modification, and deletion via AD Directory Services audit
  (
    event.code in ("5136", "5137", "5141") and
    event.provider == "Microsoft-Windows-Security-Auditing" and
    (
      winlog.event_data.ObjectClass == "groupPolicyContainer" or
      winlog.event_data.ObjectDN like "*CN=Policies*"
    )
  ) or
  // Domain and forest trust configuration changes
  (
    event.code in ("4706", "4707", "4716", "4865", "4866", "4867") and
    event.provider == "Microsoft-Windows-Security-Auditing"
  ) or
  // PowerShell-based GPO and AD policy manipulation
  (
    event.category == "process" and
    event.type == "start" and
    (process.name like~ "powershell.exe" or process.name like~ "pwsh.exe") and
    (
      process.command_line like~ "*New-GPO*" or
      process.command_line like~ "*Set-GPLink*" or
      process.command_line like~ "*Set-GPPermission*" or
      process.command_line like~ "*Set-GPRegistryValue*" or
      process.command_line like~ "*Import-GPO*" or
      process.command_line like~ "*Restore-GPO*" or
      process.command_line like~ "*Copy-GPO*" or
      process.command_line like~ "*LDAP://CN=Policies*" or
      process.command_line like~ "*Set-ADObject*" or
      process.command_line like~ "*gpupdate*"
    )
  )

high severity high confidence

Data Sources

Windows Security Event Log via Winlogbeat or Elastic Agent (domain controllers) Elastic Endpoint Security agent (process telemetry) Active Directory Domain Services — DS Access audit subcategory enabled

Required Tables

winlog-* logs-endpoint.events.process-* logs-windows.security-*

False Positives

Scheduled Group Policy administrative changes performed by domain admins during approved change windows — gpupdate.exe runs periodically on all joined systems and New-GPLink is used in routine Tier 0 AD management
Active Directory migration tooling (ADMT, Quest Migration Manager, Semperis DSP) that programmatically modifies GPO structures and establishes cross-forest trusts during M&A onboarding or domain consolidation projects
Azure AD Connect writeback configuration and AD FS certificate rotation that triggers federation-related domain setting changes on a scheduled basis without adversarial intent
Privileged identity management platforms such as CyberArk Privileged Cloud or BeyondTrust that automate GPO permission delegation and may emit 5136 events during session provisioning
Automated baseline hardening scripts (CIS benchmark automation, LGPO.exe deployments) that create or modify GPOs in bulk during OS image updates or quarterly security reviews

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username AS actor,
  hostname AS device_hostname,
  "EventID" AS windows_event_id,
  CASE
    WHEN "EventID" = '5137' THEN 'GPO Created'
    WHEN "EventID" = '5136' THEN 'GPO Modified'
    WHEN "EventID" = '5141' THEN 'GPO Deleted'
    WHEN "EventID" = '4706' THEN 'Domain Trust Created'
    WHEN "EventID" = '4707' THEN 'Domain Trust Removed'
    WHEN "EventID" = '4716' THEN 'Domain Trust Modified'
    WHEN "EventID" = '4865' THEN 'Forest Trust Entry Added'
    WHEN "EventID" = '4866' THEN 'Forest Trust Entry Removed'
    WHEN "EventID" = '4867' THEN 'Forest Trust Entry Modified'
    ELSE 'Unknown Policy Event'
  END AS event_type,
  "ObjectClass" AS object_class,
  "ObjectDN" AS object_dn,
  "AttributeLDAPDisplayName" AS ldap_attribute,
  "TargetDomainName" AS target_domain,
  "TrustType" AS trust_type,
  "TrustDirection" AS trust_direction,
  CASE
    WHEN "EventID" IN ('4706', '4865') THEN 90
    WHEN "EventID" IN ('5141', '4707', '4716', '4866', '4867') THEN 80
    WHEN "EventID" = '5137' THEN 70
    WHEN "EventID" = '5136' THEN 60
    ELSE 50
  END AS risk_score
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) = 12
  AND "EventID" IN ('5136', '5137', '5141', '4706', '4707', '4716', '4865', '4866', '4867')
  AND (
    "EventID" IN ('4706', '4707', '4716', '4865', '4866', '4867')
    OR (
      "EventID" IN ('5136', '5137', '5141')
      AND (
        "ObjectClass" = 'groupPolicyContainer'
        OR LOWER("ObjectDN") LIKE '%cn=policies%'
      )
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY risk_score DESC, starttime DESC
LIMIT 500

high severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM ID 12) deployed on Active Directory domain controllers Active Directory audit policy: Audit Directory Service Changes and Audit Policy Change subcategories enabled

Required Tables

events

False Positives

Domain controller promotion and demotion procedures that automatically create and modify trust relationships as part of the AD DS installation wizard — these are expected in environments running dcpromo-equivalent operations
Routine GPO modifications by Windows administration teams using Group Policy Management Console (GPMC) for patch deployment, software distribution, or security baseline enforcement during weekly change windows
Forest trust creation during disaster recovery testing or failover exercises where secondary AD forests are connected to validate backup authentication infrastructure
Automated AD lifecycle management tools (Saviynt, SailPoint, Microsoft Identity Manager) that modify GPO permissions as part of joiner-mover-leaver workflows for privileged accounts
SCCM/MECM and Intune co-management configuration changes that modify GPO precedence and linking during hybrid management transitions

Sumo Logic CSE

sql

_sourceCategory=*windows*security* OR _sourceCategory=*wineventlog* OR _sourceCategory=*WinEventLog*
| where num(EventCode) in (5136, 5137, 5141, 4706, 4707, 4716, 4865, 4866, 4867)
| parse regex "(?:Object\s+Class|ObjectClass):\s*(?<ObjectClass>[^\r\n]+)" nodrop
| parse regex "(?:Object\s+DN|ObjectDN):\s*(?<ObjectDN>[^\r\n]+)" nodrop
| parse regex "(?:Attribute\s+LDAP\s+Display\s+Name|AttributeLDAPDisplayName):\s*(?<LDAPAttribute>[^\r\n]+)" nodrop
| parse regex "(?:Target\s+Domain\s+Name|TargetDomainName):\s*(?<TargetDomainName>[^\r\n]+)" nodrop
| parse regex "(?:Subject\s+Account\s+Name|SubjectAccountName):\s*(?<Actor>[^\r\n]+)" nodrop
| parse regex "(?:Trust\s+Type|TrustType):\s*(?<TrustType>[^\r\n]+)" nodrop
| where num(EventCode) in (4706, 4707, 4716, 4865, 4866, 4867)
    OR (num(EventCode) in (5136, 5137, 5141)
        AND (ObjectClass = "groupPolicyContainer" OR ObjectDN matches "*CN=Policies*"))
| eval EventType = if(num(EventCode) = 5137, "GPO Created",
    if(num(EventCode) = 5136, "GPO Modified",
    if(num(EventCode) = 5141, "GPO Deleted",
    if(num(EventCode) = 4706, "Domain Trust Created",
    if(num(EventCode) = 4707, "Domain Trust Removed",
    if(num(EventCode) = 4716, "Domain Trust Modified",
    if(num(EventCode) = 4865, "Forest Trust Entry Added",
    if(num(EventCode) = 4866, "Forest Trust Entry Removed",
    if(num(EventCode) = 4867, "Forest Trust Entry Modified", "Unknown")))))))))
| eval RiskScore = if(num(EventCode) in (4706, 4865), 90,
    if(num(EventCode) in (5141, 4707, 4716, 4866, 4867), 80,
    if(num(EventCode) = 5137, 70,
    if(num(EventCode) = 5136, 60, 50))))
| where RiskScore >= 60
| fields _messageTime, _sourceHost, EventCode, EventType, Actor, ObjectDN, ObjectClass, LDAPAttribute, TargetDomainName, TrustType, RiskScore
| sort by RiskScore desc, _messageTime desc

high severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector (Windows Event Log source type) on domain controllers Active Directory DS Access and Policy Change audit subcategories enabled via Default Domain Controllers Policy

Required Tables

_sourceCategory routing to Windows Security logs

False Positives

Group Policy Object creation during monthly Windows security baseline rollouts using LGPO.exe or PolicyAnalyzer — these emit 5137 events for each new GPO applied to the domain controllers OU
Domain trust establishment when onboarding acquired subsidiaries into the corporate AD forest as part of M&A integration, which produces clustered 4706 and 4865 events from domain admin accounts over a short window
Automated certificate authority renewal workflows that modify GPO-deployed certificate templates and autoenrollment settings, generating a burst of 5136 events against the Default Domain Policy
DevOps pipeline automation (Ansible, DSC, Puppet) that manages GPO state declaratively and triggers modification events on every convergence run even when no net change occurs
Active Directory health check tools (ADtidy, PingCastle, Bloodhound enterprise scanners) that enumerate and in some cases remediate GPO permission inconsistencies

Google Chronicle / SecOps

yaral

rule t1484_gpo_object_modification {
  meta:
    author = "Detection Engineering"
    description = "T1484: GPO container creation, modification, and deletion via AD Directory Services audit events 5136/5137/5141"
    mitre_attack_technique = "T1484"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1484/"
    platform = "Windows"

  events:
    $gpo.metadata.vendor_name = "Microsoft"
    $gpo.metadata.product_event_type in ("5136", "5137", "5141")
    (
      $gpo.target.resource.attribute.labels["ObjectClass"] = "groupPolicyContainer" or
      re.regex($gpo.target.resource.name, `(?i)CN=Policies`)
    )
    $actor = $gpo.principal.user.userid
    $host = $gpo.principal.hostname

  match:
    $actor, $host over 1h

  outcome:
    $event_count = count($gpo.metadata.id)
    $event_types = array_distinct($gpo.metadata.product_event_type)
    $modified_objects = array_distinct($gpo.target.resource.name)
    $risk_score = max(if($gpo.metadata.product_event_type = "5141", 80,
                      if($gpo.metadata.product_event_type = "5137", 70, 60)))

  condition:
    #gpo > 0
}

rule t1484_domain_trust_modification {
  meta:
    author = "Detection Engineering"
    description = "T1484: Domain and forest trust creation, removal, and modification via Windows Security events 4706/4707/4716/4865-4867"
    mitre_attack_technique = "T1484"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1484/"
    platform = "Windows"

  events:
    $trust.metadata.vendor_name = "Microsoft"
    $trust.metadata.product_event_type in ("4706", "4707", "4716", "4865", "4866", "4867")
    $actor = $trust.principal.user.userid
    $host = $trust.principal.hostname

  match:
    $actor over 4h

  outcome:
    $event_count = count($trust.metadata.id)
    $event_types = array_distinct($trust.metadata.product_event_type)
    $target_domains = array_distinct($trust.target.administrative_domain)
    $source_hosts = array_distinct($trust.principal.hostname)
    $risk_score = max(if($trust.metadata.product_event_type in ("4706", "4865"), 90, 80))

  condition:
    #trust > 0
}

rule t1484_azure_ad_federation_abuse {
  meta:
    author = "Detection Engineering"
    description = "T1484.002: Azure AD federation settings, domain authentication, and service principal policy changes indicating cloud tenant policy modification"
    mitre_attack_technique = "T1484.002"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1484/002/"
    platform = "Azure AD"

  events:
    $aad.metadata.vendor_name = "Microsoft"
    $aad.metadata.product_name = "Azure Active Directory"
    (
      $aad.metadata.description = "Set federation settings on domain" or
      $aad.metadata.description = "Set domain authentication" or
      $aad.metadata.description = "Add unverified domain to company" or
      $aad.metadata.description = "Add verified domain to company" or
      $aad.metadata.description = "Remove verified domain from company" or
      $aad.metadata.description = "Update domain" or
      $aad.metadata.description = "Add policy to service principal" or
      $aad.metadata.description = "Delete policy from service principal" or
      $aad.metadata.description = "Update policy"
    )
    $actor = $aad.principal.user.userid

  match:
    $actor over 4h

  outcome:
    $event_count = count($aad.metadata.id)
    $operations = array_distinct($aad.metadata.description)
    $target_resources = array_distinct($aad.target.resource.name)
    $source_ips = array_distinct($aad.principal.ip)
    $app_actors = array_distinct($aad.principal.application)

  condition:
    #aad > 0
}

critical severity high confidence

Data Sources

Microsoft Windows Event Logs ingested via Chronicle Forwarder or Google Cloud SIEM ingestion pipeline (domain controllers) Azure Active Directory audit logs via the Chronicle Azure AD ingestion feed Active Directory DS Access and Policy Change audit subcategories enabled on domain controllers

Required Tables

UDM events (Chronicle unified data model)

False Positives

Planned AD forest trust extensions when corporate IT establishes resource forest trust relationships with partner organizations or cloud service provider AD tenants during new SaaS onboarding
Azure AD Connect delta sync operations that update domain federation properties during scheduled certificate renewal for AD FS token-signing certificates — these produce 'Set federation settings on domain' audit entries on a predictable schedule
GPO policy replication and version increment events during SYSVOL replication catch-up on newly promoted domain controllers, which generates 5136 modification events for every GPO in the domain without any deliberate admin action
Tier 0 jump server hardening automation that applies CIS Level 2 GPO baselines to domain controller OUs as part of quarterly compliance remediation cycles
Microsoft Entra ID domain verification during initial M365 tenant setup or custom domain addition, which generates 'Add unverified domain' followed by 'Add verified domain' in rapid succession

CrowdStrike LogScale (CQL)

cql

// T1484 - Domain or Tenant Policy Modification
// Branch 1: PowerShell executing Group Policy management cmdlets (Falcon ProcessRollup2)
union(
  {
    #event_simpleName = "ProcessRollup2"
    | ImageFileName = /\\(powershell|pwsh)\.exe$/i
    | CommandLine = /(New-GPO|Set-GPLink|Set-GPPermission|Set-GPRegistryValue|Import-GPO|Copy-GPO|Restore-GPO|New-GPLink|LDAP:\/\/CN=Policies|Set-ADObject|gpupdate)/i
    | EventType := "GPO PowerShell Cmdlet"
    | RiskScore := 65
    | DetectionSource := "Falcon Process Telemetry"
  },
  {
    // Branch 2: GPO object DS changes via Windows Security event forwarding
    #event_simpleName = "WinEvent"
    | EventCode in [5136, 5137, 5141]
    | ObjectClass = /groupPolicyContainer/i or ObjectDN = /CN=Policies/i
    | EventType := case {
        EventCode = "5137" => "GPO Created";
        EventCode = "5136" => "GPO Modified";
        EventCode = "5141" => "GPO Deleted";
        * => "GPO DS Event"
      }
    | RiskScore := case {
        EventCode = "5141" => 80;
        EventCode = "5137" => 70;
        * => 60
      }
    | DetectionSource := "Windows Security Log - GPO"
  },
  {
    // Branch 3: Domain and forest trust changes via Windows Security event forwarding
    #event_simpleName = "WinEvent"
    | EventCode in [4706, 4707, 4716, 4865, 4866, 4867]
    | EventType := case {
        EventCode = "4706" => "Domain Trust Created";
        EventCode = "4707" => "Domain Trust Removed";
        EventCode = "4716" => "Domain Trust Modified";
        EventCode = "4865" => "Forest Trust Entry Added";
        EventCode = "4866" => "Forest Trust Entry Removed";
        EventCode = "4867" => "Forest Trust Entry Modified";
        * => "Trust Event"
      }
    | RiskScore := case {
        EventCode in ["4706", "4865"] => 90;
        * => 80
      }
    | DetectionSource := "Windows Security Log - Trust"
  }
)
| RiskScore >= 60
| groupBy(
    [ComputerName, UserName, EventType, DetectionSource],
    function=[
      count(EventType, as=EventCount),
      collect(CommandLine, limit=5),
      collect(ObjectDN, limit=5),
      collect(TargetDomainName, limit=5),
      max(RiskScore, as=MaxRiskScore)
    ]
  )
| sort(MaxRiskScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor endpoint telemetry (ProcessRollup2 events from all domain-joined hosts) Windows Security Event Log via WEF or CrowdStrike LogScale connector deployed to Active Directory domain controllers (required for Branches 2 and 3) Active Directory DS Access audit subcategory enabled via Default Domain Controllers Policy

Required Tables

#event_simpleName = ProcessRollup2 (Falcon sensor) #event_simpleName = WinEvent (requires WEF or LogScale agent on DCs)

False Positives

Automated patch deployment orchestration using MECM/SCCM or PDQ Deploy that invokes gpupdate.exe across the domain on a regular cadence as part of post-patch refresh cycles — triggers ProcessRollup2 events on thousands of endpoints simultaneously
Active Directory forest trust establishment during cloud lift-and-shift migrations where on-premises AD is federated with Azure AD DS or an AWS Managed AD instance, generating a cluster of 4706/4865 events over a short period from known admin accounts
Quarterly GPO audit and remediation scripts run by compliance teams using GroupPolicy PowerShell module cmdlets (Get-GPOReport, Set-GPPermission) to validate and correct broken ACLs on existing GPOs — these are scripted and run from jump servers but match GPO PowerShell cmdlet patterns
Red team or penetration test engagements with pre-approved scope that explicitly include AD policy modification as a test objective — coordinate with blue team to suppress alerts during authorized testing windows
Microsoft Defender for Identity or Sentinel automatic remediation playbooks that query and in some cases reset suspicious GPO permissions as part of automated incident response actions

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1484 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Domain or Tenant Policy Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections