ATT&CK coverage › Technique

Domain or Tenant Policy Modification `T1484`

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Events covered

2 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Security-Auditing	5136	A directory service object was modified.
Security-Auditing	5145	A network share object was checked to see whether client can be granted desired access.

Authoring guide

Patterns shared across the 14 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (12 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`EventID`	10	`eq` 10	`5136`
`ObjectClass`	7	`eq` 7	`domainDNS`, `group`, `user`, `organizationalUnit`
`AttributeLDAPDisplayName`	4	`eq` 4	`gPCMachineExtensionNames`, `gPCUserExtensionNames`, `dSHeuristics`
`AttributeValue`	4	`match` 4	`[0-9]{15}([1-9a-f]).*`, `803E14A0-B4FB-11D0-A0D0-00A0C90F574B`, `827D319E-6EAC-11D2-A4EA-00C04F79F83A`, `CAB54552-DEEA-4691-817E-ED4A4D1AFC72`, `AADCED64-746C-4633-A97C-D61349046527`
`aceAccessRights`	4	`in` 4	`"Modify owner"`, `"All extended rights"`, `WP`, `RC`, `"Read permissions"`
`RelativeTargetName`	2	`ends_with` 2	`ScheduledTasks.xml`, `\scripts.ini`, `\psscripts.ini`
`AccessList`	2	`match` 2	`%%4417`
`ShareName`	2	`wildcard` 2	`\\*\SYSVOL`
`aceType`	2	`in` 2	`D`, `"Access denied"`
`aceObjectGuid`	2	`in` 2	`"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"`, `"1131f6ac-9c07-11d1-f79f-00c04fc2dcd2"`, `"9923a32a-3607-11d2-b9be-0000f87a36b2"`, `"89e95b76-444d-4c62-991a-0facbeda640c"`, `"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"`
`aceControlAccessRights`	2	`eq` 2	`"1131f6ab-9c07-11d1-f79f-00c04fc2dcd2"`, `"Manage Replication Topology"`, `"9923a32a-3607-11d2-b9be-0000f87a36b2"`, `"Replicating Directory Changes"`, `"Replicating Directory Changes All"`
`old_owner`	1	`ne` 1

Top indicator values (64 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`EventID`	`eq`	`5136`	10	22
`ObjectClass`	`eq`	`domainDNS`	4	4
`AttributeLDAPDisplayName`	`eq`	`gPCMachineExtensionNames`	3	4
`aceAccessRights`	`in`	`"Full control"`	3	4
`ShareName`	`wildcard`	`\\*\SYSVOL`	2	2
`AttributeLDAPDisplayName`	`eq`	`gPCUserExtensionNames`	2	2
`AccessList`	`match`	`%%4417`	2	3
`aceType`	`in`	`"Access denied"`	2	2
`aceType`	`in`	`D`	2	2
`aceAccessRights`	`in`	`"Modify permissions"`	2	3
`aceAccessRights`	`in`	`CR`	2	3
`aceAccessRights`	`in`	`"Delete all child objects"`	2	3
`aceAccessRights`	`in`	`CC`	2	3
`aceAccessRights`	`in`	`"Create all child objects"`	2	3
`aceAccessRights`	`in`	`"All extended rights"`	2	3
`aceAccessRights`	`in`	`"Write all properties"`	2	3
`aceAccessRights`	`in`	`WO`	2	3
`aceAccessRights`	`in`	`"Modify owner"`	2	3
`aceAccessRights`	`in`	`"Delete"`	2	3
`aceAccessRights`	`in`	`DT`	2	3

Common exclusions (10 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field	Kind	Value	Rules excluding
`new_ace`	`eq`	`old_values`	8
`aceType`	`in`	`"OD"`	1
`aceType`	`in`	`"XD"`	1
`aceType`	`in`	`"denied"`	1
`aceType`	`in`	`"D"`	1
`aceType`	`in`	`OD`	1
`aceType`	`in`	`XD`	1
`aceType`	`in`	`denied`	1
`aceType`	`in`	`D`	1
`old_values`	`eq`	`new_values`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Elastic 4 rules

AdminSDHolder SDProp Exclusion Added 1 event, 2 indicators, 0 exclusions
Group Policy Abuse for Privilege Addition 1 event, 3 indicators, 0 exclusions
Scheduled Task Execution at Scale via GPO 2 events, 7 indicators, 0 exclusions
Startup/Logon Script added to Group Policy Object 2 events, 9 indicators, 0 exclusions

Splunk 10 rules

Windows AD Dangerous Deny ACL Modification 1 event, 6 indicators, 1 exclusion
Windows AD Dangerous Group ACL Modification 1 event, 21 indicators, 2 exclusions
Windows AD Dangerous User ACL Modification 1 event, 21 indicators, 2 exclusions
Windows AD DCShadow Privileges ACL Addition 1 event, 11 indicators, 1 exclusion
Windows AD Domain Replication ACL Addition 1 event, 9 indicators, 1 exclusion
Windows AD Domain Root ACL Deletion 1 event, 2 indicators, 1 exclusion
Windows AD Domain Root ACL Modification 1 event, 2 indicators, 1 exclusion
Windows AD Hidden OU Creation 1 event, 8 indicators, 1 exclusion
Windows AD Object Owner Updated 1 event, 1 indicator, 0 exclusions
Windows AD Self DACL Assignment 1 event, 1 indicator, 1 exclusion

Domain or Tenant Policy Modification T1484