Domain or Tenant Policy Modification (T1484)

Associated Tactics

  • Defense Evasion
  • Privilege Escalation

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

Procedure Examples

Description Source(s)
CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021. CISA SolarWinds Cloud Detection
Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019. ADSecurity GPO Persistence 2016
Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. Microsoft 365 Defender Solorigate
Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. Microsoft - Azure Sentinel ADFSDomainTrustMods
Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020. Microsoft - Update or Repair Federated domain
MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020. Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks
Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024. Okta Cross-Tenant Impersonation 2023
Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019. Wald0 Guide to GPOs
Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024. Harmj0y Abusing GPO Permissions
Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. Sygnia Golden SAML