Skip to content

T1484 Domain Policy Modification

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment123 or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.4 Adversaries can also change configuration settings within the AD environment to implement a Rogue Domain Controller.

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

Item Value
ID T1484
Sub-techniques T1484.001, T1484.002
Tactics TA0005, TA0004
Platforms Azure AD, Windows
Permissions required Administrator, User
Version 2.0
Created 07 March 2019
Last Modified 09 February 2021


ID Mitigation Description
M1047 Audit Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as BloodHound (version 1.5.1 and later)12.
M1026 Privileged Account Management Use least privilege and protect administrative access to the Domain Controller and Active Directory Federation Services (AD FS) server. Do not create service accounts with administrative privileges.
M1018 User Account Management Consider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.21011


ID Data Source Data Component
DS0026 Active Directory Active Directory Object Creation
DS0017 Command Command Execution