Detect Domain or Tenant Policy Modification in Splunk
Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. This includes altering Group Policy Objects (GPOs) in Active Directory to push malicious configurations to domain-joined endpoints, modifying domain trust relationships to allow adversary-controlled domains to forge access tokens accepted by victim resources, and adding rogue federated identity providers to cloud tenants (Azure AD, Okta) to authenticate as any managed user. Nation-state actors including those behind the SolarWinds (SUNBURST) campaign abused federation trust settings to achieve persistent, stealthy access across cloud environments. Attackers may temporarily modify policy, complete their objective, and revert changes to remove indicators.
MITRE ATT&CK
- Canonical reference
- https://attack.mitre.org/techniques/T1484/
SPL Detection Query
| union
[
search index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=5136 OR EventCode=5137 OR EventCode=5141)
| rex "(?m)^\s*Class:\s*(?<ObjectClassRaw>\S+)"
| eval ObjectClass=coalesce(ObjectClass, ObjectClassRaw)
| where ObjectClass="groupPolicyContainer" OR searchmatch("Policies,System")
| eval EventType=case(
EventCode=5137, "GPO Created",
EventCode=5136, "GPO Modified",
EventCode=5141, "GPO Deleted",
true(), "Unknown"
)
| eval Actor=coalesce(SubjectAccountName, src_user)
| eval Source="AD Security Log - GPO"
| table _time, host, EventCode, EventType, Actor, SubjectDomainName, ObjectDN, AttributeLDAPDisplayName, Source
]
[
search index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4706 OR EventCode=4707 OR EventCode=4716 OR EventCode=4865 OR EventCode=4866 OR EventCode=4867)
| eval EventType=case(
EventCode=4706, "Domain Trust Created",
EventCode=4707, "Domain Trust Removed",
EventCode=4716, "Domain Trust Modified",
EventCode=4865, "Forest Trust Entry Added",
EventCode=4866, "Forest Trust Entry Removed",
EventCode=4867, "Forest Trust Entry Modified",
true(), "Unknown"
)
| eval Actor=coalesce(SubjectAccountName, src_user)
| eval Source="AD Security Log - Trust"
| table _time, host, EventCode, EventType, Actor, SubjectDomainName, TargetDomainName, TrustType, TrustDirection, Source
]
[
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
(CommandLine="*New-GPO*" OR CommandLine="*Set-GPLink*" OR CommandLine="*Set-GPPermission*"
OR CommandLine="*Set-GPRegistryValue*" OR CommandLine="*Import-GPO*" OR CommandLine="*Copy-GPO*"
OR CommandLine="*Restore-GPO*" OR CommandLine="*New-GPLink*" OR CommandLine="*gpupdate*"
OR CommandLine="*LDAP://CN=Policies*" OR CommandLine="*Set-ADObject*")
| eval EventType="GPO PowerShell Cmdlet"
| eval Actor=User
| eval Source="Sysmon Process"
| table _time, host, EventCode, EventType, Actor, Image, CommandLine, ParentImage, Source
]
| eval RiskScore=case(
EventType="GPO Created", 70,
EventType="GPO Modified", 60,
EventType="GPO Deleted", 80,
EventType="Domain Trust Created", 90,
EventType="Domain Trust Removed", 85,
EventType="Domain Trust Modified", 85,
EventType="Forest Trust Entry Added", 90,
EventType="Forest Trust Entry Removed", 80,
EventType="Forest Trust Entry Modified", 85,
EventType="GPO PowerShell Cmdlet", 65,
true(), 50
)
| where RiskScore >= 60
| sort - _time
| table _time, host, EventCode, EventType, Actor, Source, RiskScore, CommandLine, ObjectDN, TargetDomainName, AttributeLDAPDisplayName
Detects domain and tenant policy modification events across three signal categories using Windows Security event logs and Sysmon. The first branch monitors Event IDs 5136/5137/5141 for changes to groupPolicyContainer objects (or any object whose DN sits under CN=Policies,CN=System). The second branch monitors Event IDs 4706/4707/4716 and 4865-4867 for domain and forest trust relationship changes. The third branch monitors Sysmon Event ID 1 for PowerShell process creation with Group Policy management cmdlets. Each event type is assigned a risk score (60-90), so the RiskScore >= 60 filter only drops rows that matched no branch. Trust creation scores highest because a trust with an adversary-controlled domain lets the adversary forge inter-realm Kerberos tickets and, if SID filtering is disabled, inject privileged SIDs through SID history. Two things to check before deploying: the camelCase field names follow the XML rendering of Security events (the subject is SubjectUserName rather than SubjectAccountName; 5136/5137/5141 carry ObjectDN, ObjectClass and AttributeLDAPDisplayName; 4706 carries the trusted domain as DomainName with TdoType, TdoDirection and TdoAttributes), while the classic text rendering of the WinEventLog:Security sourcetype extracts names such as Account_Name, LDAP_Display_Name and Domain_Name, so align the eval and table fields with whatever your add-on produces on a sample event. The query also has no cloud branch: federation changes such as the 'Set federation settings on domain' audit event in Test 4 (the precursor to Golden SAML) must be collected from Azure AD AuditLogs and alerted on separately.
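As an added example (not part of the original page or of the Splunk query above), the following Python replays the three SPL branches and the risk scoring over constructed XML-rendered Security and Sysmon events, so the event-type mapping, the GPO object filter and the threshold can be checked offline before the search is deployed. It assumes the XML Data names (SubjectUserName, ObjectDN, ObjectClass, DomainName, Image, CommandLine, User); the event builder, the sample accounts, domain names and GUID are constructed for the example.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Event ID -> EventType, mirroring the case() statements in the SPL branches.
GPO_EVENTS = {5137: "GPO Created", 5136: "GPO Modified", 5141: "GPO Deleted"}
TRUST_EVENTS = {
    4706: "Domain Trust Created", 4707: "Domain Trust Removed", 4716: "Domain Trust Modified",
    4865: "Forest Trust Entry Added", 4866: "Forest Trust Entry Removed",
    4867: "Forest Trust Entry Modified",
}
GPO_CMDLETS = ("New-GPO", "Set-GPLink", "Set-GPPermission", "Set-GPRegistryValue", "Import-GPO",
               "Copy-GPO", "Restore-GPO", "New-GPLink", "gpupdate", "LDAP://CN=Policies", "Set-ADObject")
RISK = {"GPO Created": 70, "GPO Modified": 60, "GPO Deleted": 80,
        "Domain Trust Created": 90, "Domain Trust Removed": 85, "Domain Trust Modified": 85,
        "Forest Trust Entry Added": 90, "Forest Trust Entry Removed": 80,
        "Forest Trust Entry Modified": 85, "GPO PowerShell Cmdlet": 65}


def parse_event(xml_text):
    """Flatten an XML-rendered Windows event to {EventID, Channel, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext("{*}System/{*}EventID")),
          "Channel": root.findtext("{*}System/{*}Channel", "")}
    for d in root.findall(".//{*}Data"):
        ev[d.get("Name")] = d.text or ""
    return ev


def classify(ev):
    """Return (EventType, Actor, RiskScore) when the event matches one of the three branches."""
    eid, channel = ev["EventID"], ev["Channel"]
    if channel == "Security" and eid in GPO_EVENTS:
        # Branch 1: keep GPO container objects, or anything under the Policies container.
        if ev.get("ObjectClass") != "groupPolicyContainer" \
                and "CN=Policies,CN=System" not in ev.get("ObjectDN", ""):
            return None
        return GPO_EVENTS[eid], ev.get("SubjectUserName", ""), RISK[GPO_EVENTS[eid]]
    if channel == "Security" and eid in TRUST_EVENTS:
        # Branch 2: every trust change is interesting; no object filter.
        return TRUST_EVENTS[eid], ev.get("SubjectUserName", ""), RISK[TRUST_EVENTS[eid]]
    if channel == SYSMON_CHANNEL and eid == 1:
        # Branch 3: a PowerShell host whose command line carries a GPO management cmdlet.
        image = ev.get("Image", "").lower()
        cmdline = ev.get("CommandLine", "").lower()
        if image.endswith(("\\powershell.exe", "\\pwsh.exe")) \
                and any(c.lower() in cmdline for c in GPO_CMDLETS):
            return "GPO PowerShell Cmdlet", ev.get("User", ""), RISK["GPO PowerShell Cmdlet"]
    return None


def detect(xml_events, min_risk=60):
    """Score every event and return the rows above the threshold, highest risk first."""
    rows = []
    for text in xml_events:
        hit = classify(parse_event(text))
        if hit and hit[2] >= min_risk:
            rows.append({"EventType": hit[0], "Actor": hit[1], "RiskScore": hit[2]})
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)


def make_event(channel, event_id, data):
    """Build a minimal XML-rendered event (constructed test input, not captured telemetry)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Channel>{channel}</Channel></System><EventData>{body}</EventData></Event>')


# Constructed samples: a GPO creation, a non-GPO object change, a new trust,
# a GPO cmdlet from PowerShell, and gpupdate from cmd.exe (no PowerShell host, so not matched).
SAMPLE_EVENTS = [
    make_event("Security", 5137, {
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={0F1E2D3C-0000-0000-0000-000000000001},CN=Policies,CN=System,DC=corp,DC=local"}),
    make_event("Security", 5136, {
        "SubjectUserName": "svc-hr", "ObjectClass": "user", "AttributeLDAPDisplayName": "telephoneNumber",
        "ObjectDN": "CN=Alice,OU=Staff,DC=corp,DC=local"}),
    make_event("Security", 4706, {
        "SubjectUserName": "jdoe", "DomainName": "partner-test.local",
        "TdoType": "2", "TdoDirection": "1", "TdoAttributes": "8"}),
    make_event(SYSMON_CHANNEL, 1, {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\jdoe",
        "CommandLine": "powershell.exe -c New-GPO -Name Updates | New-GPLink -Target 'DC=corp,DC=local'"}),
    make_event(SYSMON_CHANNEL, 1, {
        "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe",
        "CommandLine": "cmd.exe /c gpupdate /force"}),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running it prints three rows (the trust creation at 90, the GPO creation at 70, the cmdlet at 65); the telephoneNumber change and the cmd.exe gpupdate are dropped by the same filters the SPL applies. Swap in events exported from your own DCs to confirm the Data names match before trusting the Splunk field names.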
Data Sources
Required Sourcetypes
- WinEventLog:Security from every domain controller: Event IDs 5136/5137/5141 require the Audit Directory Service Changes subcategory plus an auditing SACL on the Policies container; Event IDs 4706/4707/4716 and 4865-4867 come from the Audit Authentication Policy Change subcategory
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational from admin workstations and domain controllers: Event ID 1 with command-line logging
False Positives & Tuning
- Legitimate Group Policy administration by IT staff using GPMC or PowerShell during maintenance windows
- Domain infrastructure changes (new DC promotion, domain migration, forest functional level upgrades) generating expected trust events
- Automated configuration management tools (DSC, Ansible) validating or applying GPO-based configurations
- Disaster recovery procedures involving AD restoration from backup that replay GPO creation events
- Third-party AD management tools (Quest, Netwrix) that enumerate GPO settings for reporting or auditing
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create and Link a Malicious GPO via PowerShell
Expected signal: Windows Security Event ID 5137 on the domain controller: Directory Service Object Created, ObjectClass=groupPolicyContainer, ObjectDN=CN={<GUID>},CN=Policies,CN=System,DC=<domain>. Security Event ID 5136: gPCFileSysPath attribute set to \\<domain>\SYSVOL\<domain>\Policies\{<GUID>}. Sysmon Event ID 1 on the initiating workstation: powershell.exe with 'New-GPO' and 'New-GPLink' in CommandLine. PowerShell ScriptBlock Event ID 4104 with full cmdlet execution.
- Test 2: Modify GPO to Deploy a Scheduled Task via XML Injection
Expected signal: Sysmon Event ID 11 (File Create) on the DC or management host: ScheduledTasks.xml created in SYSVOL path. Windows Security Event ID 5136 on DC: gPCFileSysPath or versionNumber attribute of the groupPolicyContainer modified, SubjectAccountName=<modifying account>. Event ID 4104 (ScriptBlock) capturing Set-GPRegistryValue invocation. On domain clients, Sysmon Event ID 1 for schtasks.exe or Task Scheduler Event 106/200 for task registration/execution.
- Test 3: Create New Domain Trust (Simulated via Set-ADObject)
Expected signal: Windows Security Event ID 4706 on the domain controller that processed the change: A new trust was created to a domain. SubjectAccountName=<admin account>, TargetDomainName=df00tech-test.local, TrustType=2 (Windows), TrustDirection=1 (Inbound), TrustAttributes=8. Active Directory Event ID 5137: trustedDomain object created in CN=System. Directory Service Changes auditing is written only on the DC that received the write; the new trustedDomain object then replicates to the other DCs without a further 5137 there, so collect Security logs from every DC rather than a single one.
- Test 4: Azure AD Federation Settings Modification via PowerShell
Expected signal: Azure AD AuditLogs entry: OperationName='Set federation settings on domain', Category='Policy', Result='success', TargetResources=[{DisplayName: <domain>}], InitiatedBy.user.userPrincipalName=<admin UPN>, InitiatedBy.user.ipAddress=<source IP>. The modified IssuerUri appears in the ModifiedProperties array of the audit event. Azure AD Sign-in Logs may show subsequent authentication attempts using the modified federation settings.
- Test 5: Enumerate and Identify Vulnerable GPO Permissions (Pre-Attack Reconnaissance)
Expected signal: Sysmon Event ID 1: powershell.exe with 'Get-GPPermission' and 'Get-ACL' in CommandLine. PowerShell ScriptBlock Event ID 4104 capturing the enumeration loop. Sysmon Event ID 5 (Process Terminated) when enumeration completes. LDAP query telemetry visible in network captures — the GroupPolicy module issues LDAP searches for groupPolicyContainer objects against the domain controller.
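Test 4 produces no Windows event, and the SPL query has no cloud branch, so here is an added example (not the page's own code) that scans Azure AD AuditLogs rows in the shape Test 4 describes (OperationName, Result, InitiatedBy.user, TargetResources with modifiedProperties entries of displayName/oldValue/newValue) and flags federation-setting changes whose new IssuerUri is not one of your own AD FS issuers or that swap the signing certificate. The operation names follow the Azure Sentinel ADFSDomainTrustMods rule listed in the references; the records, UPN, IP address and hostnames are constructed for the example.

```python
import json

# Operation names that rewrite how a domain authenticates, as matched by the Azure Sentinel
# ADFSDomainTrustMods rule in the references (assumption: your tenant logs them under these names).
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
# Properties whose new value hands SAML token issuance to whoever controls it.
SIGNING_PROPS = {"SigningCertificate", "NextSigningCertificate"}


def _decode(value):
    """modifiedProperties old/new values are JSON-encoded strings; fall back to the raw text."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def federation_changes(audit_records, trusted_issuers):
    """Return one finding per changed property in successful federation-setting operations.

    audit_records: dicts shaped like AuditLogs rows (OperationName, Result, InitiatedBy,
    TargetResources). trusted_issuers: IssuerUri values your own AD FS farm is expected to use.
    """
    findings = []
    for rec in audit_records:
        if rec.get("OperationName") not in FEDERATION_OPS or rec.get("Result") != "success":
            continue
        user = rec.get("InitiatedBy", {}).get("user", {})
        for target in rec.get("TargetResources", []):
            for prop in target.get("modifiedProperties", []):
                old, new = _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
                if old == new:  # value re-written without change: not a modification
                    continue
                name = prop.get("displayName")
                # An issuer you do not recognise, or any signing-key swap, is the Golden SAML precursor.
                high = (name == "IssuerUri" and new not in trusted_issuers) or name in SIGNING_PROPS
                findings.append({
                    "time": rec.get("TimeGenerated"), "operation": rec["OperationName"],
                    "domain": target.get("displayName"), "actor": user.get("userPrincipalName"),
                    "ip": user.get("ipAddress"), "property": name, "old": old, "new": new,
                    "severity": "high" if high else "medium"})
    return findings


# Constructed audit rows (not real tenant data): one federation rewrite that swaps the IssuerUri
# and re-writes an unchanged PassiveLogOnUri, one failed attempt, and an unrelated user update.
SAMPLE_AUDIT = [
    {"TimeGenerated": "2024-05-01T10:15:00Z", "OperationName": "Set federation settings on domain",
     "Category": "Policy", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@corp.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"displayName": "corp.example", "type": "Domain", "modifiedProperties": [
         {"displayName": "IssuerUri",
          "oldValue": json.dumps("http://adfs.corp.example/adfs/services/trust"),
          "newValue": json.dumps("http://sts.attacker.example/adfs/services/trust")},
         {"displayName": "PassiveLogOnUri",
          "oldValue": json.dumps("https://adfs.corp.example/adfs/ls/"),
          "newValue": json.dumps("https://adfs.corp.example/adfs/ls/")}]}]},
    {"TimeGenerated": "2024-05-01T10:14:00Z", "OperationName": "Set federation settings on domain",
     "Category": "Policy", "Result": "failure",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@corp.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"displayName": "corp.example", "type": "Domain", "modifiedProperties": []}]},
    {"TimeGenerated": "2024-05-01T10:16:00Z", "OperationName": "Update user",
     "Category": "UserManagement", "Result": "success",
     "InitiatedBy": {"user": {"userPrincipalName": "admin@corp.example", "ipAddress": "203.0.113.10"}},
     "TargetResources": [{"displayName": "alice@corp.example", "type": "User", "modifiedProperties": [
         {"displayName": "JobTitle", "oldValue": json.dumps("Analyst"), "newValue": json.dumps("Lead")}]}]},
]

EXPECTED_ISSUERS = {"http://adfs.corp.example/adfs/services/trust"}

if __name__ == "__main__":
    for f in federation_changes(SAMPLE_AUDIT, EXPECTED_ISSUERS):
        print(f["severity"], f["domain"], f["property"], f["old"], "->", f["new"], "by", f["actor"], f["ip"])
```

Only the IssuerUri swap survives: the unchanged PassiveLogOnUri, the failed attempt and the user update are all dropped, and the finding carries the actor UPN and source IP you would pivot on in the sign-in logs. Keep the trusted-issuer set in version control next to the detection so a legitimate AD FS migration is a reviewed change rather than a tuning exception.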
References (13)
- https://attack.mitre.org/techniques/T1484/
- https://adsecurity.org/?p=2716
- https://wald0.com/?p=179
- https://blog.harmj0y.net/redteaming/abusing-gpo-permissions/
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
- https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md