Domain or Tenant Policy Modification T1484

Tactics: Defense Evasion, Privilege Escalation

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Events covered

10 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 88 rules under this technique (listed below): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (104 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field | Rules | How | Sample values
EventType | 28 | eq 22, in 5, ne 1 | CHANGE_APPLICATION_SETTING, ADD_TRUSTED_DOMAINS, Add-FederatedDomain, CREATE_APPLICATION_SETTING, CreateOpenIDConnectProvider
data_stream.dataset | 25 | eq 25 | o365.audit, google_workspace.admin, okta.system, aws.cloudtrail, azure.auditlogs
EventID | 21 | eq 21 | 5136, 5137, 4662, 4688, 5138
Channel | 16 | eq 16, in 16 |
eventtype | 16 | eq 16 |
Provider_Name | 15 | eq 12, in 3 | Exchange, MicrosoftTeams, admin, iam.amazonaws.com, SkypeForBusiness
event.category | 15 | eq 13, in 2 | web, iam, configuration, ADMINISTRATOR_MANAGEMENT
AttributeLDAPDisplayName | 13 | eq 13 | gpcmachineextensionnames, gpcuserextensionnames, versionnumber, displayname, dsheuristics
ObjectClass | 13 | eq 13 | groupPolicyContainer, domainDNS, group, organizationalUnit, user
event.outcome | 13 | eq 13 | success
Action | 12 | contains 11, starts_with 6, eq 1 | dynamodb:create, *, cloudformation:, cloudformation:create, cloudformation:createstack
Effect | 12 | eq 12 | Allow
Resource | 12 | eq 12 | *
aws::eventName | 12 | in 12 | AttachGroupPolicy, AttachRolePolicy, AttachUserPolicy
Condition | 11 | eq 11 |

Top indicator values (374 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field | Kind | Value | Rules (here) | Corpus reach
EventID | eq | 5136 | 17 | 30
event.outcome | eq | success | 13 | 251
Effect | eq | Allow | 12 | 27
Resource | eq | * | 12 | 23
aws::eventName | in | AttachGroupPolicy | 12 | 17
aws::eventName | in | AttachRolePolicy | 12 | 17
aws::eventName | in | AttachUserPolicy | 12 | 17
aws::eventName | in | CreatePolicy | 12 | 14
aws::eventName | in | CreatePolicyVersion | 12 | 14
data_stream.dataset | eq | o365.audit | 9 | 45
data_stream.dataset | eq | google_workspace.admin | 6 | 18
data_stream.dataset | eq | okta.system | 6 | 48
data_stream.dataset | eq | aws.cloudtrail | 3 | 141
event.category | eq | web | 8 | 20
event.category | eq | iam | 4 | 14
AttributeLDAPDisplayName | eq | gpcmachineextensionnames | 6 | 7
AttributeLDAPDisplayName | eq | gpcuserextensionnames | 3 | 4
ObjectClass | eq | groupPolicyContainer | 6 | 6
ObjectClass | eq | domainDNS | 4 | 4
Action | contains | iam:passrole | 5 | 10
Action | starts_with | iam: | 5 | 10
Provider_Name | eq | Exchange | 5 | 19
Provider_Name | eq | admin | 3 | 9
Provider_Name | eq | iam.amazonaws.com | 3 | 25
admonEventType | eq | Update | 5 | 5
OperationType | eq | %%14674 | 4 | 17
AccessList | contains | %%4417 | 3 | 11
EventType | eq | CHANGE_APPLICATION_SETTING | 3 | 3
aceAccessRights | in | Full control | 3 | 4
objectCategory | starts_with | cn=group-policy-container | 3 | 3

Exclusions (24 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value | Rules excluding
new_ace | eq | old_values | 8
ProviderName | contains | asi | 2
aceType | in | *denied* | 2
aceType | in | D | 2
aceType | in | OD | 2
aceType | in | XD | 2
AlertName | contains | 0275 | 1
AlertName | contains | 0297 | 1
AttributeValue | eq | 0 | 1
EventData | contains | gc_service.exe | 1
EventData | contains | gc_worker.exe | 1
Image | eq | c:\windows\system32\dfsrs.exe | 1
ParentImage | contains | gc_service.exe | 1
ParentImage | contains | gc_worker.exe | 1
SubjectUserName | eq | SRVAGPM01$ | 1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor, with the count per vendor.


Sigma 11 rules

Elastic 31 rules

Splunk 25 rules

Kusto 16 rules

YARA-L 1 rule

Panther 4 rules