T1484 CrowdStrike LogScale · LogScale

Detect Domain or Tenant Policy Modification in CrowdStrike LogScale

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. This includes altering Group Policy Objects (GPOs) in Active Directory to push malicious configurations to domain-joined endpoints, modifying domain trust relationships to allow adversary-controlled domains to forge access tokens accepted by victim resources, and adding rogue federated identity providers to cloud tenants (Azure AD, Okta) to authenticate as any managed user. Nation-state actors including those behind the SolarWinds (SUNBURST) campaign abused federation trust settings to achieve persistent, stealthy access across cloud environments. Attackers may temporarily modify policy, complete their objective, and revert changes to remove indicators.

MITRE ATT&CK

Tactic: Defense Evasion, Privilege Escalation
Technique: T1484 Domain or Tenant Policy Modification
Canonical reference: https://attack.mitre.org/techniques/T1484/

LogScale Detection Query

Query language: CQL (CrowdStrike Query Language) for CrowdStrike LogScale
// T1484 - Domain or Tenant Policy Modification
// Branch 1: PowerShell executing Group Policy management cmdlets (Falcon ProcessRollup2)
// Branch 2: GPO object DS changes via Windows Security event forwarding (5136/5137/5141)
// Branch 3: Domain and forest trust changes via Windows Security event forwarding (4706/4707/4716/4865-4867)
// Whitespace-separated filters are ANDed; the three branches are ORed into one result set.
(#event_simpleName="ProcessRollup2"
  ImageFileName=/\\(powershell|pwsh)\.exe$/i
  CommandLine=/(New-GPO|Set-GPLink|Set-GPPermission|Set-GPRegistryValue|Import-GPO|Copy-GPO|Restore-GPO|New-GPLink|LDAP:\/\/CN=Policies|Set-ADObject|gpupdate)/i)
or (#event_simpleName="WinEvent"
  in(EventCode, values=["5136", "5137", "5141"])
  (ObjectClass=/groupPolicyContainer/i or ObjectDN=/CN=Policies/i))
or (#event_simpleName="WinEvent"
  in(EventCode, values=["4706", "4707", "4716", "4865", "4866", "4867"]))
// Label each matched event with its branch, a risk score and the telemetry source
| case {
    #event_simpleName="ProcessRollup2" | EventType := "GPO PowerShell Cmdlet" | RiskScore := 65 | DetectionSource := "Falcon Process Telemetry";
    EventCode="5137" | EventType := "GPO Created"  | RiskScore := 70 | DetectionSource := "Windows Security Log - GPO";
    EventCode="5136" | EventType := "GPO Modified" | RiskScore := 60 | DetectionSource := "Windows Security Log - GPO";
    EventCode="5141" | EventType := "GPO Deleted"  | RiskScore := 80 | DetectionSource := "Windows Security Log - GPO";
    EventCode="4706" | EventType := "Domain Trust Created"  | RiskScore := 90 | DetectionSource := "Windows Security Log - Trust";
    EventCode="4707" | EventType := "Domain Trust Removed"  | RiskScore := 80 | DetectionSource := "Windows Security Log - Trust";
    EventCode="4716" | EventType := "Domain Trust Modified" | RiskScore := 80 | DetectionSource := "Windows Security Log - Trust";
    EventCode="4865" | EventType := "Forest Trust Entry Added"    | RiskScore := 90 | DetectionSource := "Windows Security Log - Trust";
    EventCode="4866" | EventType := "Forest Trust Entry Removed"  | RiskScore := 80 | DetectionSource := "Windows Security Log - Trust";
    EventCode="4867" | EventType := "Forest Trust Entry Modified" | RiskScore := 80 | DetectionSource := "Windows Security Log - Trust";
    * | EventType := "Policy Event" | RiskScore := 60 | DetectionSource := "Windows Security Log"
  }
| RiskScore >= 60
// Aggregate per host, user and event type for triage; keep a handful of raw values per group
| groupBy(
    [ComputerName, UserName, EventType, DetectionSource],
    function=[
      count(EventType, as=EventCount),
      collect(CommandLine, limit=5),
      collect(ObjectDN, limit=5),
      collect(TargetDomainName, limit=5),
      max(RiskScore, as=MaxRiskScore)
    ]
  )
| sort(MaxRiskScore, order=desc)
Severity: high. Confidence: medium.

Detects T1484 in CrowdStrike LogScale (NG-SIEM) using three parallel branches unified into a single result set. Branch 1 uses native Falcon ProcessRollup2 events to catch PowerShell invocations of Group Policy management cmdlets visible on any domain-joined endpoint with the Falcon sensor. Branches 2 and 3 require Windows Event Forwarding or a LogScale connector ingesting Windows Security logs from domain controllers, covering GPO DS object events (5136/5137/5141) and domain/forest trust modification events (4706/4707/4716/4865-4867). Results are grouped by host, user, and event type with aggregated counts and a max risk score for efficient triage. Branch 1 provides broad coverage without WEF; Branches 2–3 add high-fidelity atomic event coverage when WEF is deployed to domain controllers.
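The same three-branch classification, risk scoring and groupBy aggregation, re-implemented in Python over a few constructed events so the triage output can be checked offline. This is an added example, not code from the original page or from CrowdStrike; the field names (`#event_simpleName`, `ImageFileName`, `CommandLine`, `EventCode`, `ObjectClass`, `ObjectDN`, `ComputerName`, `UserName`) are taken from the query above, and the sample records are made up.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry); field names follow the LogScale query on this page.
SAMPLE = [
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "WS01", "UserName": "alice",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c New-GPO -Name Updates; New-GPLink -Name Updates -Target 'DC=corp,DC=local'"},
    {"#event_simpleName": "WinEvent", "ComputerName": "DC01", "UserName": "alice", "EventCode": "5137",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={GUID},CN=Policies,CN=System,DC=corp,DC=local"},
    {"#event_simpleName": "WinEvent", "ComputerName": "DC01", "UserName": "alice", "EventCode": 4706},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "UserName": "bob",
     "ImageFileName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe gpupdate.txt"},
]
GPO_CMDLET = re.compile(r"New-GPO|Set-GPLink|Set-GPPermission|Set-GPRegistryValue|Import-GPO|Copy-GPO|"
                        r"Restore-GPO|New-GPLink|LDAP://CN=Policies|Set-ADObject|gpupdate", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
GPO_DS = {"5137": ("GPO Created", 70), "5136": ("GPO Modified", 60), "5141": ("GPO Deleted", 80)}
TRUST = {"4706": ("Domain Trust Created", 90), "4707": ("Domain Trust Removed", 80),
         "4716": ("Domain Trust Modified", 80), "4865": ("Forest Trust Entry Added", 90),
         "4866": ("Forest Trust Entry Removed", 80), "4867": ("Forest Trust Entry Modified", 80)}

def classify(ev):
    """Return (EventType, RiskScore, DetectionSource), or None when no branch matches."""
    kind, code = ev.get("#event_simpleName"), str(ev.get("EventCode", ""))
    if kind == "ProcessRollup2":                         # Branch 1: Falcon process telemetry
        if POWERSHELL.search(ev.get("ImageFileName", "")) and GPO_CMDLET.search(ev.get("CommandLine", "")):
            return ("GPO PowerShell Cmdlet", 65, "Falcon Process Telemetry")
    elif kind == "WinEvent" and code in GPO_DS:          # Branch 2: DS change on a GPO container
        if re.search("groupPolicyContainer", ev.get("ObjectClass", ""), re.I) or \
           re.search("CN=Policies", ev.get("ObjectDN", ""), re.I):
            return (*GPO_DS[code], "Windows Security Log - GPO")
    elif kind == "WinEvent" and code in TRUST:           # Branch 3: domain / forest trust change
        return (*TRUST[code], "Windows Security Log - Trust")
    return None

def triage(events, min_risk=60, limit=5):
    """groupBy host, user, event type and source; count, collect CommandLine, keep max risk; sort desc."""
    groups = defaultdict(lambda: {"EventCount": 0, "CommandLine": [], "MaxRiskScore": 0})
    for ev in events:
        hit = classify(ev)
        if hit is None or hit[1] < min_risk:             # RiskScore >= 60 gate
            continue
        g = groups[(ev.get("ComputerName"), ev.get("UserName"), hit[0], hit[2])]
        g["EventCount"] += 1
        g["MaxRiskScore"] = max(g["MaxRiskScore"], hit[1])
        if ev.get("CommandLine") and len(g["CommandLine"]) < limit:   # collect(CommandLine, limit=5)
            g["CommandLine"].append(ev["CommandLine"])
    return sorted(groups.items(), key=lambda kv: kv[1]["MaxRiskScore"], reverse=True)
```

Calling `triage(SAMPLE)` yields three groups ordered 90 (trust created), 70 (GPO created), 65 (PowerShell cmdlet); the notepad event matches no branch and is dropped.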

Data Sources

  • CrowdStrike Falcon sensor endpoint telemetry (ProcessRollup2 events from all domain-joined hosts)
  • Windows Security Event Log via WEF or CrowdStrike LogScale connector deployed to Active Directory domain controllers (required for Branches 2 and 3)
  • Active Directory DS Access audit subcategory enabled via Default Domain Controllers Policy

Required Tables

  • #event_simpleName = ProcessRollup2 (Falcon sensor)
  • #event_simpleName = WinEvent (requires WEF or LogScale agent on DCs)

False Positives & Tuning

  • Automated patch deployment orchestration using MECM/SCCM or PDQ Deploy that invokes gpupdate.exe across the domain on a regular cadence as part of post-patch refresh cycles — triggers ProcessRollup2 events on thousands of endpoints simultaneously
  • Active Directory forest trust establishment during cloud lift-and-shift migrations where on-premises AD is federated with Azure AD DS or an AWS Managed AD instance, generating a cluster of 4706/4865 events over a short period from known admin accounts
  • Quarterly GPO audit and remediation scripts run by compliance teams using GroupPolicy PowerShell module cmdlets (Get-GPOReport, Set-GPPermission) to validate and correct broken ACLs on existing GPOs — these are scripted and run from jump servers but match GPO PowerShell cmdlet patterns
  • Red team or penetration test engagements with pre-approved scope that explicitly include AD policy modification as a test objective — coordinate with blue team to suppress alerts during authorized testing windows
  • Microsoft Defender for Identity or Sentinel automatic remediation playbooks that query and in some cases reset suspicious GPO permissions as part of automated incident response actions

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Link a Malicious GPO via PowerShell

    Expected signal: Windows Security Event ID 5137 on the domain controller: Directory Service Object Created, ObjectClass=groupPolicyContainer, ObjectDN=CN={<GUID>},CN=Policies,CN=System,DC=<domain>. Security Event ID 5136: gPCFileSysPath attribute set to \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}. Sysmon Event ID 1 on the initiating workstation: powershell.exe with 'New-GPO' and 'New-GPLink' in CommandLine. PowerShell ScriptBlock Event ID 4104 with full cmdlet execution.

  2. Test 2: Modify GPO to Deploy a Scheduled Task via XML Injection

    Expected signal: Sysmon Event ID 11 (File Create) on the DC or management host: ScheduledTasks.xml created in SYSVOL path. Windows Security Event ID 5136 on DC: gPCFileSysPath or versionNumber attribute of the groupPolicyContainer modified, SubjectAccountName=<modifying account>. Event ID 4104 (ScriptBlock) capturing Set-GPRegistryValue invocation. On domain clients, Sysmon Event ID 1 for schtasks.exe or Task Scheduler Event 106/200 for task registration/execution.

  3. Test 3: Create New Domain Trust (Simulated via Set-ADObject)

    Expected signal: Windows Security Event ID 4706 on domain controllers: A new trust was created to a domain. SubjectAccountName=<admin account>, TargetDomainName=df00tech-test.local, TrustType=2 (Windows), TrustDirection=1 (Inbound), TrustAttributes=8. Active Directory Event ID 5137: trustedDomain object created in CN=System. Replication events (4928/4929) as the new object replicates to other DCs.

  4. Test 4: Azure AD Federation Settings Modification via PowerShell

    Expected signal: Azure AD AuditLogs entry: OperationName='Set federation settings on domain', Category='Policy', Result='success', TargetResources=[{DisplayName: <domain>}], InitiatedBy.user.userPrincipalName=<admin UPN>, InitiatedBy.user.ipAddress=<source IP>. The modified IssuerUri appears in the ModifiedProperties array of the audit event. Azure AD Sign-in Logs may show subsequent authentication attempts using the modified federation settings.

  5. Test 5: Enumerate and Identify Vulnerable GPO Permissions (Pre-Attack Reconnaissance)

    Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-GPPermission' and 'Get-ACL' in CommandLine. PowerShell ScriptBlock Event ID 4104 capturing the enumeration loop. Sysmon Event ID 5 (Process Terminated) when enumeration completes. LDAP query telemetry visible in network captures — the GroupPolicy module issues LDAP searches for groupPolicyContainer objects against the domain controller.
