Domain or Tenant Policy Modification T1484

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 33 rules tagged with this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (33 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
EventID | 20 | eq 20 | 5136, 5137, 4662, 4688, 5138
Channel | 16 | eq 16, in 16 |
eventtype | 16 | eq 16 |
AttributeLDAPDisplayName | 13 | eq 13 | gpcmachineextensionnames, gpcuserextensionnames, versionnumber, displayname, dsheuristics
ObjectClass | 13 | eq 13 | groupPolicyContainer, domainDNS, group, organizationalUnit, user
AttributeValue | 9 | contains 5, ne 2, eq 1, length_compare 1, match 1 | 0, 40b6664f-4972-11d1-a7ca-0000f87571e3, 40b66650-4972-11d1-a7ca-0000f87571e3, 42b5faae-6536-11d2-ae5a-0000f87571e3, 803e14a0-b4fb-11d0-a0d0-00a0c90f574b
AccessList | 4 | contains 3, in 1 | %%4417, *%%4417*, *%%4418*
CommandLine | 4 | contains 4 | 31b2f340-016d-11d2-945f-00c04fb984f9, 6ac1786c-016f-11d2-945f-00c04fb984f9, gpme.msc, -encodedcommand, \software\policies\microsoft\windows\system
OperationType | 4 | eq 4 | %%14674
RelativeTargetName | 4 | ends_with 4, contains 1 | \psscripts.ini, \scripts.ini, ScheduledTasks.xml, \\policies\\, \\scheduledtasks\\scheduledtasks.xml
ShareName | 4 | wildcard 2, ends_with 1, eq 1 | \\*\SYSVOL, \SYSVOL, \\*\\SYSVOL
aceAccessRights | 4 | in 4 | All extended rights, All validated writes, CC, Full control, LC
admonEventType | 3 | eq 3 | Update
objectCategory | 3 | starts_with 3 | cn=group-policy-container
AlertName | 2 | contains 2 | 0275, 0297

Top indicator values (136 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
EventID | eq | 5136 | 17 | 29
EventID | eq | 5137 | 2 | 5
AttributeLDAPDisplayName | eq | gpcmachineextensionnames | 6 | 7
AttributeLDAPDisplayName | eq | gpcuserextensionnames | 3 | 4
AttributeLDAPDisplayName | eq | versionnumber | 2 | 2
ObjectClass | eq | groupPolicyContainer | 6 | 6
ObjectClass | eq | domainDNS | 4 | 4
OperationType | eq | %%14674 | 4 | 17
AccessList | contains | %%4417 | 3 | 11
aceAccessRights | in | Full control | 3 | 4
aceAccessRights | in | All extended rights | 2 | 3
aceAccessRights | in | All validated writes | 2 | 3
aceAccessRights | in | CC | 2 | 3
aceAccessRights | in | CR | 2 | 3
aceAccessRights | in | Create all child objects | 2 | 3
aceAccessRights | in | DC | 2 | 3
admonEventType | eq | Update | 3 | 3
objectCategory | starts_with | cn=group-policy-container | 3 | 3
AttributeValue | contains | 40b6664f-4972-11d1-a7ca-0000f87571e3 | 2 | 2
AttributeValue | contains | 40b66650-4972-11d1-a7ca-0000f87571e3 | 2 | 2
AttributeValue | contains | 42b5faae-6536-11d2-ae5a-0000f87571e3 | 2 | 2
AttributeValue | contains | 803e14a0-b4fb-11d0-a0d0-00a0c90f574b | 2 | 2
AttributeValue | contains | 827d319e-6eac-11d2-a4ea-00c04f79f83a | 2 | 2
CommandLine | contains | 31b2f340-016d-11d2-945f-00c04fb984f9 | 2 | 2
CommandLine | contains | 6ac1786c-016f-11d2-945f-00c04fb984f9 | 2 | 2
CommandLine | contains | gpme.msc | 2 | 2
ProviderName | contains | asi | 2 | 4
RelativeTargetName | ends_with | \psscripts.ini | 2 | 2
RelativeTargetName | ends_with | \scripts.ini | 2 | 2
ShareName | wildcard | \\*\SYSVOL | 2 | 2

Exclusions (18 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
new_ace | eq | old_values | 8
aceType | in | *denied* | 2
aceType | in | D | 2
aceType | in | OD | 2
aceType | in | XD | 2
AttributeValue | eq | 0 | 1
EventData | contains | gc_service.exe | 1
EventData | contains | gc_worker.exe | 1
ParentImage | contains | gc_service.exe | 1
ParentImage | contains | gc_worker.exe | 1
SubjectUserName | eq | SRVAGPM01$ | 1
SubjectUserName | eq | SRVAGPM02$ | 1
User | ends_with | $ | 1
new_values | in | old_values | 1
new_values | in | policy_guid | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.

Sigma 8 rules

Elastic 4 rules

Splunk 18 rules

Kusto 3 rules