AN0755: Analytic 0755
Adversary modifies Group Policy Objects (GPOs), domain trust, or directory service objects via GUI, CLI, or programmatic APIs. Behavior includes creation/modification of GPOs, delegation permissions, trust objects, or rogue domain controller registration.
Analyst context for executives and security teams
This analytic concerns unauthorized or suspicious changes to Windows Active Directory control structures such as Group Policy Objects, domain trusts, directory objects, delegation permissions, and domain controller registration. For leaders, the significance is that these are not ordinary endpoint events: changes here can alter authentication, policy enforcement, privilege boundaries, and domain-wide administrative control. If an organization cannot quickly prove who changed these objects, when, and whether the change was approved, incident response and audit confidence are materially weakened.
Executive priority
Prioritize this as an identity and Windows domain governance issue. The business question is whether Active Directory changes that can affect broad access, trust, or policy enforcement are visible, authorized, and reviewable. Security leaders should ask whether GPO, trust, delegation, and domain controller registration changes are covered by change management, privileged access controls, and SOC monitoring. This also supports compliance evidence because these events can demonstrate whether administrative changes to critical identity infrastructure are controlled and traceable.
Technical view
The supplied ATT&CK object identifies Windows-focused detection logic for adversary modification of GPOs, domain trusts, or directory service objects through GUI, CLI, or programmatic APIs, but it does not provide an official detection query or tactic mapping. SOC and IR teams should validate monitoring around Active Directory and Group Policy administrative changes rather than relying only on endpoint process visibility. Detection engineering should focus on approved-versus-unapproved modification patterns, privileged account context, source host context, timing, and whether the modified object is sensitive, such as GPOs, delegation permissions, trust objects, or domain controller-related registration.
Likely telemetry
- Windows domain controller security and directory service audit logs
- Active Directory object change events
- Group Policy change records and GPO metadata
- Privileged account activity and administrative logon context
- Domain trust object change evidence
Detection direction
- Confirm that auditing is enabled for changes to GPOs, domain trusts, delegation permissions, directory service objects, and domain controller-related registrations.
- Correlate directory changes with the initiating account, source system, administrative session, and approved change ticket or maintenance window.
- Tune carefully for legitimate administrators and automated identity management tooling, since normal administration may create similar events.
- Treat changes to broad-scope GPOs, trust relationships, or delegation permissions as higher priority than routine object maintenance.
- Validate whether programmatic API-based changes are visible; environments that only monitor interactive admin tools may miss important activity.
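The two checks above that a SOC can actually script are the audit-policy confirmation and the approved-versus-unapproved triage of directory change events. The following is an added example, not part of the ATT&CK object or of this page's own analysis. The Windows Security event IDs it keys on are real (5136/5137/5141 for directory service object modified/created/deleted under the "Directory Service Changes" subcategory; 4706/4707/4716 for trust created/removed/modified under "Authentication Policy Change"), as are the object classes and attributes it treats as sensitive (groupPolicyContainer, trustedDomain, nTDSDSA, gPLink, nTSecurityDescriptor, the msDS-AllowedTo* delegation attributes, servicePrincipalName). The sample events, the `auditpol` output text, the change-ticket table and the severity thresholds are constructed for the example; a real deployment would read events from the domain controllers and approvals from the change-management system.

```python
"""Added example: triage of AD control-structure change events (not page or project code)."""
import re
from collections import namedtuple
from datetime import datetime

# Object classes whose modification can change domain-wide policy, trust or DC membership.
SENSITIVE_CLASSES = {
    "groupPolicyContainer": "GPO",
    "trustedDomain": "domain trust object",
    "nTDSDSA": "NTDS settings object (DC registration)",
    "server": "DC server object in the Sites container",
}
# Attributes that change policy scope or grant delegation.
SENSITIVE_ATTRIBUTES = {
    "gPLink": "GPO linkage",
    "nTSecurityDescriptor": "ACL / delegation change",
    "msDS-AllowedToDelegateTo": "constrained delegation",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation",
    "servicePrincipalName": "SPN change",
}
TRUST_EVENTS = {4706: "trust created", 4707: "trust removed", 4716: "trust modified"}
DS_EVENTS = {5136: "object modified", 5137: "object created", 5141: "object deleted"}

Finding = namedtuple("Finding", "event_id severity reason actor source approved")

# Constructed change-management data: (account, DN scope substring, window start, window end).
APPROVED_CHANGES = [
    ("CORP\\gpo-admin", "CN=Policies,CN=System,DC=corp,DC=local",
     datetime(2024, 5, 1, 22, 0), datetime(2024, 5, 2, 2, 0)),
]

def is_approved(actor, dn, when):
    """True when the actor, target scope and time all match an approved change window."""
    for account, scope, start, end in APPROVED_CHANGES:
        if actor.lower() == account.lower() and scope.lower() in dn.lower() and start <= when <= end:
            return True
    return False

def triage(event):
    """Return a Finding for a security-relevant directory/trust change, else None."""
    eid, when = event["EventID"], event["TimeCreated"]
    actor, dn = event.get("SubjectUserName", "?"), event.get("ObjectDN", "")
    if eid in TRUST_EVENTS:
        # There is no routine trust edit: every trust change is reviewed at high priority.
        return Finding(eid, "high", TRUST_EVENTS[eid], actor, event.get("Computer"), False)
    if eid not in DS_EVENTS:
        return None
    cls, attr = event.get("ObjectClass", ""), event.get("AttributeLDAPDisplayName", "")
    reasons = [SENSITIVE_CLASSES[c] for c in (cls,) if c in SENSITIVE_CLASSES]
    reasons += [SENSITIVE_ATTRIBUTES[a] for a in (attr,) if a in SENSITIVE_ATTRIBUTES]
    if not reasons:
        return None  # routine object maintenance: left to baseline review, not alerted here
    approved = is_approved(actor, dn, when)
    severity = "medium" if approved else "high"
    # An NTDS settings object created outside any change window is the rogue-DC pattern.
    if cls == "nTDSDSA" and eid == 5137 and not approved:
        severity = "critical"
    return Finding(eid, severity, "; ".join(reasons), actor, event.get("Computer"), approved)

def run(events):
    """Triage a batch of events and keep only the findings."""
    return [f for f in (triage(e) for e in events) if f is not None]

def check_audit_policy(auditpol_text):
    """Parse `auditpol /get /category:*` output; return required subcategories not auditing Success."""
    required = ["Directory Service Changes", "Authentication Policy Change", "Computer Account Management"]
    missing = []
    for name in required:
        m = re.search(r"^\s*" + re.escape(name) + r"\s{2,}(.+?)\s*$", auditpol_text, re.M)
        if not m or "Success" not in m.group(1):
            missing.append(name)
    return missing

# Constructed sample events (field names follow the Security log XML; values are invented).
SAMPLE_EVENTS = [
    {"EventID": 5136, "TimeCreated": datetime(2024, 5, 1, 23, 10), "Computer": "DC01",
     "SubjectUserName": "CORP\\gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={8B5A1C2D-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "TimeCreated": datetime(2024, 5, 2, 14, 0), "Computer": "DC01",
     "SubjectUserName": "CORP\\helpdesk7", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=corp,DC=local", "AttributeLDAPDisplayName": "gPLink"},
    {"EventID": 5137, "TimeCreated": datetime(2024, 5, 2, 3, 30), "Computer": "DC02",
     "SubjectUserName": "CORP\\svc-backup", "ObjectClass": "nTDSDSA",
     "ObjectDN": "CN=NTDS Settings,CN=WS-042,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local"},
    {"EventID": 4706, "TimeCreated": datetime(2024, 5, 2, 9, 5), "Computer": "DC01",
     "SubjectUserName": "CORP\\dadmin"},
    {"EventID": 5136, "TimeCreated": datetime(2024, 5, 2, 9, 6), "Computer": "DC01",
     "SubjectUserName": "CORP\\helpdesk7", "ObjectClass": "user",
     "ObjectDN": "CN=J Doe,OU=Staff,DC=corp,DC=local", "AttributeLDAPDisplayName": "description"},
]

# Constructed auditpol output in which trust-change auditing has been left off.
SAMPLE_AUDITPOL = """System audit policy
Category/Subcategory                      Setting
DS Access
  Directory Service Changes               Success
Policy Change
  Authentication Policy Change            No Auditing
Account Management
  Computer Account Management             Success and Failure
"""

if __name__ == "__main__":
    for gap in check_audit_policy(SAMPLE_AUDITPOL):
        print(f"audit gap: '{gap}' is not auditing Success")
    for f in run(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.event_id} {f.reason} by {f.actor} on {f.source} approved={f.approved}")
```

The routine `description` edit on a user object produces no finding, the GPO edit inside the approved window is downgraded to medium rather than suppressed (so it still appears in the change record), and the `auditpol` parser flags that trust-change events would never have been written in this constructed configuration, which is exactly the kind of coverage gap the first bullet above asks teams to confirm before trusting the analytic.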
Mitigation priorities
- Establish strict change control for GPOs, trusts, delegation permissions, and domain controller registration-related activity.
- Limit privileged access to directory and Group Policy administration based on role and operational need.
- Review and monitor privileged groups and delegated permissions that can modify domain-wide identity or policy settings.
- Centralize and retain domain controller and directory audit logs so IR teams can reconstruct changes.
- Use periodic review of sensitive Active Directory objects to identify unauthorized or undocumented modifications.
Analyst notes and limits
This object is a detection analytic, AN0755, for Windows in the enterprise ATT&CK domain. It describes modification of GPOs, domain trusts, and directory service objects through GUI, CLI, or programmatic APIs. No ATT&CK relationships, tactic mapping, or official detection procedure were supplied, so this summary emphasizes validation of telemetry and controls rather than a specific analytic implementation.
The official detection field is not provided and no relationship context is supplied. This summary cannot assert specific ATT&CK techniques, adversary groups, active exploitation, impact, or guaranteed detection. Local Active Directory architecture, audit policy, administrative tooling, and change-management data are required to determine actual coverage and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ef9c6cc09d29… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0755 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.