T1484 Google Chronicle · YARA-L

Detect Domain or Tenant Policy Modification in Google Chronicle

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. This includes altering Group Policy Objects (GPOs) in Active Directory to push malicious configurations to domain-joined endpoints, modifying domain trust relationships to allow adversary-controlled domains to forge access tokens accepted by victim resources, and adding rogue federated identity providers to cloud tenants (Azure AD, Okta) to authenticate as any managed user. Nation-state actors including those behind the SolarWinds (SUNBURST) campaign abused federation trust settings to achieve persistent, stealthy access across cloud environments. Attackers may temporarily modify policy, complete their objective, and revert changes to remove indicators.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1484 Domain or Tenant Policy Modification
Canonical reference
https://attack.mitre.org/techniques/T1484/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1484_gpo_object_modification {
  meta:
    author = "Detection Engineering"
    description = "T1484: GPO container creation, modification, and deletion via AD Directory Services audit events 5136/5137/5141"
    mitre_attack_technique = "T1484"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1484/"
    platform = "Windows"

  events:
    $gpo.metadata.vendor_name = "Microsoft"
    $gpo.metadata.product_event_type in ("5136", "5137", "5141")
    (
      $gpo.target.resource.attribute.labels["ObjectClass"] = "groupPolicyContainer" or
      re.regex($gpo.target.resource.name, `(?i)CN=Policies`)
    )
    $actor = $gpo.principal.user.userid
    $host = $gpo.principal.hostname

  match:
    $actor, $host over 1h

  outcome:
    $event_count = count($gpo.metadata.id)
    $event_types = array_distinct($gpo.metadata.product_event_type)
    $modified_objects = array_distinct($gpo.target.resource.name)
    $risk_score = max(if($gpo.metadata.product_event_type = "5141", 80,
                      if($gpo.metadata.product_event_type = "5137", 70, 60)))

  condition:
    #gpo > 0
}

rule t1484_domain_trust_modification {
  meta:
    author = "Detection Engineering"
    description = "T1484: Domain and forest trust creation, removal, and modification via Windows Security events 4706/4707/4716/4865-4867"
    mitre_attack_technique = "T1484"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1484/"
    platform = "Windows"

  events:
    $trust.metadata.vendor_name = "Microsoft"
    $trust.metadata.product_event_type in ("4706", "4707", "4716", "4865", "4866", "4867")
    $actor = $trust.principal.user.userid
    $host = $trust.principal.hostname

  match:
    $actor over 4h

  outcome:
    $event_count = count($trust.metadata.id)
    $event_types = array_distinct($trust.metadata.product_event_type)
    $target_domains = array_distinct($trust.target.administrative_domain)
    $source_hosts = array_distinct($trust.principal.hostname)
    $risk_score = max(if($trust.metadata.product_event_type in ("4706", "4865"), 90, 80))

  condition:
    #trust > 0
}

rule t1484_azure_ad_federation_abuse {
  meta:
    author = "Detection Engineering"
    description = "T1484.002: Azure AD federation settings, domain authentication, and service principal policy changes indicating cloud tenant policy modification"
    mitre_attack_technique = "T1484.002"
    mitre_attack_tactic = "Defense Evasion, Privilege Escalation"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1484/002/"
    platform = "Azure AD"

  events:
    $aad.metadata.vendor_name = "Microsoft"
    $aad.metadata.product_name = "Azure Active Directory"
    (
      $aad.metadata.description = "Set federation settings on domain" or
      $aad.metadata.description = "Set domain authentication" or
      $aad.metadata.description = "Add unverified domain to company" or
      $aad.metadata.description = "Add verified domain to company" or
      $aad.metadata.description = "Remove verified domain from company" or
      $aad.metadata.description = "Update domain" or
      $aad.metadata.description = "Add policy to service principal" or
      $aad.metadata.description = "Delete policy from service principal" or
      $aad.metadata.description = "Update policy"
    )
    $actor = $aad.principal.user.userid

  match:
    $actor over 4h

  outcome:
    $event_count = count($aad.metadata.id)
    $operations = array_distinct($aad.metadata.description)
    $target_resources = array_distinct($aad.target.resource.name)
    $source_ips = array_distinct($aad.principal.ip)
    $app_actors = array_distinct($aad.principal.application)

  condition:
    #aad > 0
}

Three YARA-L 2.0 rules cover the T1484 surfaces this page targets in Google Chronicle UDM. Rule 1 (t1484_gpo_object_modification) fires on GPO container DS audit events (5136/5137/5141) grouped by actor and host over 1 hour. Rule 2 (t1484_domain_trust_modification) fires on any domain or forest trust change event grouped by actor over 4 hours and carries critical severity. Rule 3 (t1484_azure_ad_federation_abuse) targets T1484.002 cloud federation abuse by matching Azure AD audit log operation names. All three rules read UDM-normalized fields and compute outcome metrics (distinct event types, target objects, and a risk score) for downstream SOAR triage.
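As an added illustration (not Chronicle code and not part of the rules above), the following Python script emulates the match and outcome semantics of t1484_gpo_object_modification over a handful of constructed UDM-shaped events: it applies the events-section filters, groups matches by actor and host into 1-hour windows, and computes the same outcome fields and nested risk score. Field names, timestamps and GUIDs are constructed; the windowing is a simplified tumbling window, not Chronicle's exact sliding-window behaviour.

```python
"""Emulation of t1484_gpo_object_modification match/outcome logic (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

MATCH_WINDOW = timedelta(hours=1)                 # match: $actor, $host over 1h
GPO_EVENT_IDS = {"5136", "5137", "5141"}          # product_event_type in (...)
POLICIES_RE = re.compile(r"CN=Policies", re.IGNORECASE)  # re.regex(..., `(?i)CN=Policies`)

# Constructed sample events, shaped like the UDM fields the rule reads.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=local"
SAMPLE_EVENTS = [
    {"id": "ev-1", "ts": "2024-05-01T10:00:00", "vendor": "Microsoft", "event_id": "5137",
     "actor": "CORP\\jdoe", "host": "DC01", "object_class": "groupPolicyContainer", "object": GPO_DN},
    {"id": "ev-2", "ts": "2024-05-01T10:04:00", "vendor": "Microsoft", "event_id": "5136",
     "actor": "CORP\\jdoe", "host": "DC01", "object_class": "groupPolicyContainer", "object": GPO_DN},
    # Same actor three hours later: outside the 1h window, so a separate detection.
    # ObjectClass label missing, but the DN matches the case-insensitive regex branch.
    {"id": "ev-3", "ts": "2024-05-01T13:30:00", "vendor": "Microsoft", "event_id": "5141",
     "actor": "CORP\\jdoe", "host": "DC01", "object_class": "", "object": GPO_DN.lower()},
    # Ordinary user object change: neither branch of the object filter matches.
    {"id": "ev-4", "ts": "2024-05-01T10:02:00", "vendor": "Microsoft", "event_id": "5136",
     "actor": "CORP\\jdoe", "host": "DC01", "object_class": "user",
     "object": "CN=Bob,CN=Users,DC=corp,DC=local"},
    # Non-Microsoft vendor (constructed): filtered by the vendor_name predicate.
    {"id": "ev-5", "ts": "2024-05-01T10:03:00", "vendor": "Other", "event_id": "5137",
     "actor": "CORP\\jdoe", "host": "DC01", "object_class": "groupPolicyContainer", "object": GPO_DN},
]


def matches_events_section(ev: dict) -> bool:
    """Mirror of the rule's events-section predicates."""
    if ev["vendor"] != "Microsoft" or ev["event_id"] not in GPO_EVENT_IDS:
        return False
    return ev["object_class"] == "groupPolicyContainer" or bool(POLICIES_RE.search(ev["object"]))


def risk_for(event_id: str) -> int:
    """Same nested if() as the rule's outcome: delete 80, create 70, modify 60."""
    if event_id == "5141":
        return 80
    if event_id == "5137":
        return 70
    return 60


def _outcome(actor: str, host: str, evs: list[dict]) -> dict:
    """Outcome section: counts, distinct arrays and max risk over the window."""
    return {
        "actor": actor,
        "host": host,
        "event_count": len({e["id"] for e in evs}),
        "event_types": sorted({e["event_id"] for e in evs}),
        "modified_objects": sorted({e["object"] for e in evs}),
        "risk_score": max(risk_for(e["event_id"]) for e in evs),
    }


def detect(events: list[dict]) -> list[dict]:
    """Group matching events by (actor, host) into 1h windows; condition is #gpo > 0."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for ev in events:
        if matches_events_section(ev):
            groups[(ev["actor"], ev["host"])].append(ev)

    detections: list[dict] = []
    for (actor, host), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        window: list[dict] = []
        window_start = datetime.min
        for ev in evs:
            ts = datetime.fromisoformat(ev["ts"])
            if window and ts - window_start > MATCH_WINDOW:
                detections.append(_outcome(actor, host, window))
                window = []
            if not window:
                window_start = ts
            window.append(ev)
        if window:  # any non-empty window satisfies #gpo > 0
            detections.append(_outcome(actor, host, window))
    return detections


if __name__ == "__main__":
    for det in detect(SAMPLE_EVENTS):
        print(det)
```

Running it yields two detections for CORP\jdoe on DC01: the 10:00 window (5137 + 5136, risk 70) and the 13:30 window (5141 alone, risk 80); the user-object and non-Microsoft events never enter a window.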

Data Sources

  • Microsoft Windows Event Logs ingested via Chronicle Forwarder or Google Cloud SIEM ingestion pipeline (domain controllers)
  • Azure Active Directory audit logs via the Chronicle Azure AD ingestion feed
  • Active Directory DS Access and Policy Change audit subcategories enabled on domain controllers

Required Tables

UDM events (Chronicle unified data model)

False Positives & Tuning

  • Planned AD forest trust extensions when corporate IT establishes resource forest trust relationships with partner organizations or cloud service provider AD tenants during new SaaS onboarding
  • Azure AD Connect delta sync operations that update domain federation properties during scheduled certificate renewal for AD FS token-signing certificates — these produce 'Set federation settings on domain' audit entries on a predictable schedule
  • GPO policy replication and version increment events during SYSVOL replication catch-up on newly promoted domain controllers, which generates 5136 modification events for every GPO in the domain without any deliberate admin action
  • Tier 0 jump server hardening automation that applies CIS Level 2 GPO baselines to domain controller OUs as part of quarterly compliance remediation cycles
  • Microsoft Entra ID domain verification during initial M365 tenant setup or custom domain addition, which generates 'Add unverified domain' followed by 'Add verified domain' in rapid succession
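The tuning notes above translate directly into a post-detection triage step. The script below is an added example (not part of the page's rules or any Chronicle feature) that takes the outcome fields the three rules emit and applies the suppressions described: allowlisted sync identities making scheduled federation updates, the unverified/verified domain pair during tenant setup, and bulk 5136 bursts attributed to a machine account as probable replication catch-up. The allowlist entry, the burst threshold and the machine-account heuristic are assumptions; the sample detections are constructed.

```python
"""Triage of T1484 rule outcomes using the tuning guidance above (added example)."""
from __future__ import annotations

# Constructed allowlist: identity expected to change federation settings on a schedule
# (for example the Azure AD Connect / AD FS certificate-rollover account). Hypothetical value.
EXPECTED_FEDERATION_ACTORS = {"sync_adconnect@corp.example"}
SCHEDULED_FEDERATION_OPS = {"Set federation settings on domain", "Update domain"}
DOMAIN_VERIFICATION_OPS = {"Add unverified domain to company", "Add verified domain to company"}
# Assumed threshold: more distinct GPOs in one window than an admin edits by hand.
REPLICATION_BURST_OBJECTS = 20


def triage_aad(det: dict) -> tuple[str, str]:
    """Classify one t1484_azure_ad_federation_abuse detection (its outcome fields)."""
    ops = set(det["operations"])
    if det["actor"] in EXPECTED_FEDERATION_ACTORS and ops <= SCHEDULED_FEDERATION_OPS:
        return "suppress", "scheduled federation update by allowlisted sync identity"
    if ops == DOMAIN_VERIFICATION_OPS and len(det["target_resources"]) == 1:
        return "downgrade", "unverified/verified domain pair on one domain (tenant setup)"
    if ops & {"Set federation settings on domain", "Set domain authentication"}:
        return "escalate", "federation or authentication change outside known automation"
    return "alert", "tenant policy change"


def triage_gpo(det: dict) -> tuple[str, str]:
    """Classify one t1484_gpo_object_modification detection (its outcome fields)."""
    only_modifications = det["event_types"] == ["5136"]
    # Assumption drawn from the tuning note: replication catch-up appears as a burst of
    # 5136 events across many GPOs with no create/delete, attributed to a machine account.
    if (only_modifications and det["actor"].endswith("$")
            and len(det["modified_objects"]) >= REPLICATION_BURST_OBJECTS):
        return "suppress", "bulk 5136 burst from machine account: probable replication catch-up"
    if "5141" in det["event_types"]:
        return "escalate", "GPO container deleted"
    return "alert", "GPO created or modified by an interactive account"


# Constructed detections in the shape of the rules' outcome sections.
SAMPLE_DETECTIONS = {
    "aad_sync": {"actor": "sync_adconnect@corp.example",
                 "operations": ["Set federation settings on domain"],
                 "target_resources": ["corp.example"], "source_ips": ["10.0.0.5"]},
    "aad_verify": {"actor": "admin@corp.example",
                   "operations": ["Add unverified domain to company",
                                  "Add verified domain to company"],
                   "target_resources": ["shop.example"], "source_ips": ["10.0.0.9"]},
    "aad_fed": {"actor": "admin@corp.example",
                "operations": ["Set federation settings on domain"],
                "target_resources": ["corp.example"], "source_ips": ["203.0.113.7"]},
    "gpo_repl": {"actor": "DC02$", "host": "DC02", "event_types": ["5136"],
                 "modified_objects": [f"CN={{GPO-{i:02d}}},CN=Policies,CN=System,DC=corp,DC=local"
                                      for i in range(25)]},
    "gpo_admin": {"actor": "CORP\\jdoe", "host": "DC01", "event_types": ["5136", "5137"],
                  "modified_objects": ["CN={GPO-NEW},CN=Policies,CN=System,DC=corp,DC=local"]},
}


def triage_all(dets: dict) -> dict[str, tuple[str, str]]:
    """Route each detection to the triage function for its rule family."""
    return {name: (triage_gpo(det) if "event_types" in det else triage_aad(det))
            for name, det in dets.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage_all(SAMPLE_DETECTIONS).items():
        print(f"{name:10s} {verdict:9s} {reason}")
```

The suppressions are deliberately narrow: an allowlisted identity is only suppressed for the two scheduled operations, and a federation change by anyone else is escalated rather than merely alerted, which matches the critical severity the rule assigns.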

Testing Methodology

Validate this detection against the following 5 Atomic Red Team tests. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create and Link a Malicious GPO via PowerShell

    Expected signal: Windows Security Event ID 5137 on the domain controller: Directory Service Object Created, ObjectClass=groupPolicyContainer, ObjectDN=CN={<GUID>},CN=Policies,CN=System,DC=<domain>. Security Event ID 5136: gPCFileSysPath attribute set to \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}. Sysmon Event ID 1 on the initiating workstation: powershell.exe with 'New-GPO' and 'New-GPLink' in CommandLine. PowerShell ScriptBlock Event ID 4104 with full cmdlet execution.

  2. Test 2: Modify GPO to Deploy a Scheduled Task via XML Injection

    Expected signal: Sysmon Event ID 11 (File Create) on the DC or management host: ScheduledTasks.xml created in SYSVOL path. Windows Security Event ID 5136 on DC: gPCFileSysPath or versionNumber attribute of the groupPolicyContainer modified, SubjectAccountName=<modifying account>. Event ID 4104 (ScriptBlock) capturing Set-GPRegistryValue invocation. On domain clients, Sysmon Event ID 1 for schtasks.exe or Task Scheduler Event 106/200 for task registration/execution.

  3. Test 3: Create New Domain Trust (Simulated via Set-ADObject)

    Expected signal: Windows Security Event ID 4706 on domain controllers: A new trust was created to a domain. SubjectAccountName=<admin account>, TargetDomainName=df00tech-test.local, TrustType=2 (Windows), TrustDirection=1 (Inbound), TrustAttributes=8. Active Directory Event ID 5137: trustedDomain object created in CN=System. Replication events (4928/4929) as the new object replicates to other DCs.

  4. Test 4: Azure AD Federation Settings Modification via PowerShell

    Expected signal: Azure AD AuditLogs entry: OperationName='Set federation settings on domain', Category='Policy', Result='success', TargetResources=[{DisplayName: <domain>}], InitiatedBy.user.userPrincipalName=<admin UPN>, InitiatedBy.user.ipAddress=<source IP>. The modified IssuerUri appears in the ModifiedProperties array of the audit event. Azure AD Sign-in Logs may show subsequent authentication attempts using the modified federation settings.

  5. Test 5: Enumerate and Identify Vulnerable GPO Permissions (Pre-Attack Reconnaissance)

    Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-GPPermission' and 'Get-ACL' in CommandLine. PowerShell ScriptBlock Event ID 4104 capturing the enumeration loop. Sysmon Event ID 5 (Process Terminated) when enumeration completes. LDAP query telemetry visible in network captures — the GroupPolicy module issues LDAP searches for groupPolicyContainer objects against the domain controller.
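To confirm the Test 3 telemetry, an analyst has to decode the numeric Trust Information fields that event 4706 carries. The script below is an added example (not part of the page or of the Atomic tests): it parses a constructed 4706 message in the key/value layout Windows writes, decodes Trust Type, Trust Direction and Trust Attributes using the MS-ADTS trustAttributes bit definitions, and marks for priority review a trust that accepts inbound authentication, is forest-transitive, and lacks the QUARANTINED_DOMAIN (SID filtering) bit. The subject, SIDs and logon ID are constructed; the trusted domain name and flag values are the ones the test above expects.

```python
"""Decode the Trust Information fields of a Windows 4706 event (added example)."""
from __future__ import annotations

import re

TRUST_TYPES = {1: "downlevel (Windows NT)", 2: "uplevel (Windows AD)", 3: "MIT Kerberos", 4: "DCE"}
TRUST_DIRECTIONS = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}
# MS-ADTS trustAttributes bits, lowest bit first.
TRUST_ATTRIBUTE_FLAGS = [
    (0x1, "NON_TRANSITIVE"), (0x2, "UPLEVEL_ONLY"), (0x4, "QUARANTINED_DOMAIN"),
    (0x8, "FOREST_TRANSITIVE"), (0x10, "CROSS_ORGANIZATION"), (0x20, "WITHIN_FOREST"),
    (0x40, "TREAT_AS_EXTERNAL"), (0x80, "USES_RC4_ENCRYPTION"),
]

# Constructed 4706 message text; values other than the trusted domain and the
# three trust fields are placeholders.
SAMPLE_4706 = """A new trust was created to a domain.

Subject:
    Security ID:        S-1-5-21-1000000000-2000000000-3000000000-500
    Account Name:       admin
    Account Domain:     CORP
    Logon ID:           0x3E7

Trusted Domain:
    Domain Name:        df00tech-test.local
    Domain ID:          S-1-5-21-4000000000-5000000000-6000000000

Trust Information:
    Trust Type:         2
    Trust Direction:    1
    Trust Attributes:   8
    SID Filtering:      Disabled
"""

# "Key:   value" lines; section headers such as "Subject:" have no value and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(\S.*)?$")


def parse_event_fields(message: str) -> dict[str, str]:
    """Flatten the indented key/value layout of a Windows security event message."""
    fields: dict[str, str] = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def decode_attributes(value: int) -> list[str]:
    """Expand a trustAttributes bitmask into flag names (lowest bit first)."""
    return [name for bit, name in TRUST_ATTRIBUTE_FLAGS if value & bit]


def summarize_trust_event(message: str) -> dict:
    """Decode the numeric trust fields and derive a review priority for the analyst."""
    f = parse_event_fields(message)
    direction = int(f["Trust Direction"], 0)        # int(..., 0) accepts "1" or "0x1"
    attrs = decode_attributes(int(f["Trust Attributes"], 0))
    accepts_inbound = direction in (1, 3)           # inbound or bidirectional
    return {
        "subject": f.get("Account Name"),
        "trusted_domain": f.get("Domain Name"),
        "trust_type": TRUST_TYPES.get(int(f["Trust Type"], 0), "unknown"),
        "direction": TRUST_DIRECTIONS.get(direction, "unknown"),
        "attributes": attrs,
        # Highest review priority: the other side's principals are accepted, the trust is
        # forest-transitive, and the quarantine (SID filtering) bit is not set on it.
        "priority_review": accepts_inbound and "FOREST_TRANSITIVE" in attrs
                           and "QUARANTINED_DOMAIN" not in attrs,
    }


if __name__ == "__main__":
    for key, value in summarize_trust_event(SAMPLE_4706).items():
        print(f"{key:16s} {value}")
```

The parser is intentionally generic, so the same function can flatten 4707, 4716 or 4865-4867 messages before a decoder specific to each event is applied.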
