title: Domain or Tenant Policy Modification (T1484)
id: df00tech-t1484
status: experimental
description: "Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. This includes altering Group Policy Objects (GPOs) in Active Directory to push malicious configurations to domain-joined endpoints, modifying domain trust relationships to allow adversary-controlled domains to forge access tokens accepted by victim resources, and adding rogue federated identity providers to cloud tenants (Azure AD, Okta) to authenticate as any managed user. Nation-state actors including those behind the SolarWinds (SUNBURST) campaign abused federation trust settings to achieve persistent, stealthy access across cloud environments. Attackers may temporarily modify policy, complete their objective, and revert changes to remove indicators."
references:
  - https://attack.mitre.org/techniques/T1484/
  - https://df00tech.com/detections/T1484
author: df00tech
date: 2026/04/13
tags:
  - attack.t1484
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: 'EventID: *' matches every event in the selected logsource and will
  # fire on all activity, so replace it with environment-specific logic before deployment.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate Group Policy administration by IT staff using GPMC or Group Policy PowerShell module during scheduled maintenance windows
  - Domain controllers joining or leaving forests creating legitimate trust modification events (4706/4716) during infrastructure changes
  - Azure AD Connect or ADFS deployment/reconfiguration generating federation settings events during sanctioned identity synchronization projects
  - Automated configuration management tools (Desired State Configuration, Ansible, PingCastle) that enumerate or validate GPO settings as part of compliance checking
  - Domain trust events generated during disaster recovery exercises, domain migrations, or AD restructuring projects authorized by IT leadership
level: high
