T1484 Microsoft Sentinel · KQL

Detect Domain or Tenant Policy Modification in Microsoft Sentinel

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. This includes altering Group Policy Objects (GPOs) in Active Directory to push malicious configurations to domain-joined endpoints, modifying domain trust relationships to allow adversary-controlled domains to forge access tokens accepted by victim resources, and adding rogue federated identity providers to cloud tenants (Azure AD, Okta) to authenticate as any managed user. Nation-state actors including those behind the SolarWinds (SUNBURST) campaign abused federation trust settings to achieve persistent, stealthy access across cloud environments. Attackers may temporarily modify policy, complete their objective, and revert changes to remove indicators.

MITRE ATT&CK

Tactic
Defense Evasion, Privilege Escalation
Technique
T1484 Domain or Tenant Policy Modification
Canonical reference
https://attack.mitre.org/techniques/T1484/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1484 — Domain or Tenant Policy Modification
// Covers: GPO creation/modification, domain trust changes, Azure AD federation abuse
// SecurityEvent.EventData is the raw event XML as a string, so the directory-service and
// trust-event fields are pulled out with extract() on their <Data Name="..."> elements.
let GPOModificationEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (5136, 5137, 5141)
| extend ObjectClass_ = extract(@'<Data Name="ObjectClass">(.*?)</Data>', 1, EventData)
| extend ObjectDN_ = extract(@'<Data Name="ObjectDN">(.*?)</Data>', 1, EventData)
| extend AttributeName_ = extract(@'<Data Name="AttributeLDAPDisplayName">(.*?)</Data>', 1, EventData)
| extend AttributeValue_ = extract(@'<Data Name="AttributeValue">(.*?)</Data>', 1, EventData)
| extend SubjectAccount = extract(@'<Data Name="SubjectUserName">(.*?)</Data>', 1, EventData)
| extend SubjectDomain = extract(@'<Data Name="SubjectDomainName">(.*?)</Data>', 1, EventData)
// Keep only directory changes that touch a GPO container or the CN=Policies subtree
| where ObjectClass_ =~ "groupPolicyContainer" or ObjectDN_ has "Policies"
| extend EventType = case(
    EventID == 5137, "GPO Created",
    EventID == 5136, "GPO Modified",
    EventID == 5141, "GPO Deleted",
    "Unknown"
  )
| project TimeGenerated, EventID, EventType, SubjectAccount, SubjectDomain,
          ObjectDN_, ObjectClass_, AttributeName_, AttributeValue_, Computer;
// 4706/4707/4716 describe the trust in DomainName/TdoType/TdoDirection/TdoAttributes;
// 4865-4867 name the forest trust entry in TopLevelName
let DomainTrustEvents = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4706, 4707, 4716, 4865, 4866, 4867)
| extend TargetDomain_ = iff(EventID in (4865, 4866, 4867),
    extract(@'<Data Name="TopLevelName">(.*?)</Data>', 1, EventData),
    extract(@'<Data Name="DomainName">(.*?)</Data>', 1, EventData))
| extend TrustType_ = extract(@'<Data Name="TdoType">(.*?)</Data>', 1, EventData)
| extend TrustDirection_ = extract(@'<Data Name="TdoDirection">(.*?)</Data>', 1, EventData)
| extend TrustAttributes_ = extract(@'<Data Name="TdoAttributes">(.*?)</Data>', 1, EventData)
| extend SubjectAccount = extract(@'<Data Name="SubjectUserName">(.*?)</Data>', 1, EventData)
| extend SubjectDomain = extract(@'<Data Name="SubjectDomainName">(.*?)</Data>', 1, EventData)
| extend EventType = case(
    EventID == 4706, "Trust Created",
    EventID == 4707, "Trust Removed",
    EventID == 4716, "Trust Modified",
    EventID == 4865, "Forest Trust Entry Added",
    EventID == 4866, "Forest Trust Entry Removed",
    EventID == 4867, "Forest Trust Entry Modified",
    "Unknown"
  )
| project TimeGenerated, EventID, EventType, SubjectAccount, SubjectDomain,
          TargetDomain_, TrustType_, TrustDirection_, TrustAttributes_, Computer;
let AzureADFederationEvents = AuditLogs
| where TimeGenerated > ago(24h)
// AuditLogs categories are "Policy", "ApplicationManagement" and "DirectoryManagement"
| where Category in ("Policy", "ApplicationManagement", "DirectoryManagement")
| where OperationName in (
    "Set federation settings on domain",
    "Set domain authentication",
    "Add unverified domain to company",
    "Add verified domain to company",
    "Remove verified domain from company",
    "Update domain",
    "Set company information",
    "Add policy to service principal",
    "Delete policy from service principal",
    "Update policy"
  )
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend EventType = strcat("Azure AD: ", OperationName)
| project TimeGenerated, OperationName, EventType, Result, ActorUPN, ActorApp,
          ActorIP, TargetResource, CorrelationId;
// GPO modification via PowerShell (process-based detection). Sentinel's copy of
// DeviceProcessEvents carries TimeGenerated, which the final sort below relies on.
let GPOPowerShellEvents = DeviceProcessEvents
| where TimeGenerated > ago(24h)
| where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
| where ProcessCommandLine has_any (
    "New-GPO", "Set-GPLink", "Set-GPPermission", "Set-GPRegistryValue",
    "Import-GPO", "Copy-GPO", "Restore-GPO", "New-GPLink",
    "Set-ADObject", "New-ADObject",
    "gpupdate", "gpscript",
    "LDAP://CN=Policies"
  )
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          EventType = "GPO PowerShell Activity";
union isfuzzy=true
    (GPOModificationEvents | extend Source = "Windows Security Log"),
    (DomainTrustEvents | extend Source = "Windows Security Log - Trust"),
    (AzureADFederationEvents | extend Source = "Azure AD Audit Log"),
    (GPOPowerShellEvents | extend Source = "MDE Process Events")
| sort by TimeGenerated desc
```

Severity: High · Confidence: High

Detects domain and tenant policy modifications across four signal sources: (1) Windows Security Event IDs 5136/5137/5141 for Group Policy Object creation, modification, and deletion in Active Directory; (2) Windows Security Event IDs 4706/4707/4716/4865-4867 for domain and forest trust relationship changes; (3) Azure AD AuditLogs for federation trust configuration changes including 'Set federation settings on domain' and identity provider additions; (4) Microsoft Defender for Endpoint DeviceProcessEvents for PowerShell cmdlets that modify Group Policy (New-GPO, Set-GPLink, Import-GPO). The union of all four sources provides broad coverage of on-premises AD and cloud identity policy abuse.

Data Sources

  • Active Directory: Active Directory Object Modification
  • Active Directory: Active Directory Object Creation
  • Active Directory: Active Directory Object Deletion
  • Cloud Service: Cloud Service Modification
  • Process: Process Creation
  • Command: Command Execution
  • Windows Security Event Log
  • Azure Active Directory Audit Logs

Required Tables

  • SecurityEvent
  • AuditLogs
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate Group Policy administration by IT staff using GPMC or Group Policy PowerShell module during scheduled maintenance windows
  • Domain controllers joining or leaving forests creating legitimate trust modification events (4706/4716) during infrastructure changes
  • Azure AD Connect or ADFS deployment/reconfiguration generating federation settings events during sanctioned identity synchronization projects
  • Automated configuration management tools (Desired State Configuration, Ansible, PingCastle) that enumerate or validate GPO settings as part of compliance checking
  • Domain trust events generated during disaster recovery exercises, domain migrations, or AD restructuring projects authorized by IT leadership

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create and Link a Malicious GPO via PowerShell

    Expected signal: Windows Security Event ID 5137 on the domain controller: Directory Service Object Created, ObjectClass=groupPolicyContainer, ObjectDN=CN={<GUID>},CN=Policies,CN=System,DC=<domain>. Security Event ID 5136: gPCFileSysPath attribute set to \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}. Sysmon Event ID 1 on the initiating workstation: powershell.exe with 'New-GPO' and 'New-GPLink' in CommandLine. PowerShell ScriptBlock Event ID 4104 with full cmdlet execution.

  2. Test 2: Modify GPO to Deploy a Scheduled Task via XML Injection

    Expected signal: Sysmon Event ID 11 (File Create) on the DC or management host: ScheduledTasks.xml created in SYSVOL path. Windows Security Event ID 5136 on DC: gPCFileSysPath or versionNumber attribute of the groupPolicyContainer modified, SubjectAccountName=<modifying account>. Event ID 4104 (ScriptBlock) capturing Set-GPRegistryValue invocation. On domain clients, Sysmon Event ID 1 for schtasks.exe or Task Scheduler Event 106/200 for task registration/execution.

  3. Test 3: Create New Domain Trust (Simulated via Set-ADObject)

    Expected signal: Windows Security Event ID 4706 on domain controllers: A new trust was created to a domain. SubjectAccountName=<admin account>, TargetDomainName=df00tech-test.local, TrustType=2 (Windows), TrustDirection=1 (Inbound), TrustAttributes=8. Active Directory Event ID 5137: trustedDomain object created in CN=System. Replication events (4928/4929) as the new object replicates to other DCs.

  4. Test 4: Azure AD Federation Settings Modification via PowerShell

    Expected signal: Azure AD AuditLogs entry: OperationName='Set federation settings on domain', Category='Policy', Result='success', TargetResources=[{DisplayName: <domain>}], InitiatedBy.user.userPrincipalName=<admin UPN>, InitiatedBy.user.ipAddress=<source IP>. The modified IssuerUri appears in the ModifiedProperties array of the audit event. Azure AD Sign-in Logs may show subsequent authentication attempts using the modified federation settings.

  5. Test 5: Enumerate and Identify Vulnerable GPO Permissions (Pre-Attack Reconnaissance)

    Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-GPPermission' and 'Get-ACL' in CommandLine. PowerShell ScriptBlock Event ID 4104 capturing the enumeration loop. Sysmon Event ID 5 (Process Terminated) when enumeration completes. LDAP query telemetry visible in network captures — the GroupPolicy module issues LDAP searches for groupPolicyContainer objects against the domain controller.
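The detection logic of the query, applied offline to the kinds of records the tests above say to expect, so the four signal sources and the GPO-container filter can be checked without a workspace. This is an added Python example, not the page's or Microsoft's code: the rows are constructed samples shaped like the SecurityEvent, AuditLogs and DeviceProcessEvents columns the query reads, and the xml_field helper stands in for KQL's extract() over the EventData XML.

```python
import re
GPO_IDS = {5137: "GPO Created", 5136: "GPO Modified", 5141: "GPO Deleted"}
TRUST_IDS = {4706: "Trust Created", 4707: "Trust Removed", 4716: "Trust Modified",
             4865: "Forest Trust Entry Added", 4866: "Forest Trust Entry Removed",
             4867: "Forest Trust Entry Modified"}
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication", "Update domain"}
GPO_CMDLETS = ("New-GPO", "Set-GPLink", "Set-GPRegistryValue", "Import-GPO", "New-GPLink")

def xml_field(event_data, name):
    """Pull one <Data Name="..."> value out of SecurityEvent.EventData, like KQL extract()."""
    m = re.search(r'<Data Name="%s">(.*?)</Data>' % re.escape(name), event_data)
    return m.group(1) if m else ""

def classify(row):
    """Return (Source, EventType) when a row matches the T1484 logic, else None."""
    if row["table"] == "SecurityEvent":
        eid = row["EventID"]
        if eid in GPO_IDS:
            # Same predicate as the query: GPO container class, or a DN under CN=Policies
            obj_class = xml_field(row["EventData"], "ObjectClass").lower()
            if obj_class == "grouppolicycontainer" or "Policies" in xml_field(row["EventData"], "ObjectDN"):
                return "Windows Security Log", GPO_IDS[eid]
        elif eid in TRUST_IDS:
            return "Windows Security Log - Trust", TRUST_IDS[eid]
    elif row["table"] == "AuditLogs" and row["OperationName"] in FEDERATION_OPS:
        return "Azure AD Audit Log", "Azure AD: " + row["OperationName"]
    elif row["table"] == "DeviceProcessEvents" and row["FileName"].lower() in ("powershell.exe", "pwsh.exe"):
        cmd = row["ProcessCommandLine"].lower()
        if any(c.lower() in cmd for c in GPO_CMDLETS):
            return "MDE Process Events", "GPO PowerShell Activity"
    return None

def run_detection(rows):
    """Union the four signal sources and order newest first, as the query's final stage does."""
    hits = [dict(row, Source=m[0], EventType=m[1]) for row in rows if (m := classify(row))]
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)

SAMPLE_ROWS = [  # constructed sample rows (not real telemetry), shaped like the tables the query reads
    {"table": "SecurityEvent", "TimeGenerated": "2024-05-01T10:00:00Z", "EventID": 5137,
     "EventData": '<Data Name="ObjectDN">CN={GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=local</Data>'
                  '<Data Name="ObjectClass">groupPolicyContainer</Data>'},
    {"table": "SecurityEvent", "TimeGenerated": "2024-05-01T10:05:00Z", "EventID": 4706,
     "EventData": '<Data Name="DomainName">df00tech-test.local</Data><Data Name="TdoType">2</Data>'},
    {"table": "SecurityEvent", "TimeGenerated": "2024-05-01T10:06:00Z", "EventID": 5136,  # ordinary user edit
     "EventData": '<Data Name="ObjectDN">CN=jsmith,CN=Users,DC=corp,DC=local</Data><Data Name="ObjectClass">user</Data>'},
    {"table": "AuditLogs", "TimeGenerated": "2024-05-01T10:10:00Z", "OperationName": "Set federation settings on domain"},
    {"table": "DeviceProcessEvents", "TimeGenerated": "2024-05-01T09:55:00Z", "FileName": "PowerShell.exe",
     "ProcessCommandLine": "powershell -c New-GPO -Name Updates; New-GPLink -Name Updates -Target DC=corp,DC=local"},
]
```

The 5136 edit of an ordinary user object is dropped by the groupPolicyContainer/Policies predicate, which is the filter that keeps routine directory churn out of this alert.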
