Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0270: Detection of Domain or Tenant Policy Modifications via AD and Identity Provider

This detection strategy matters because changes to domain or identity tenant policy can affect many users, devices, and applications at once. Even without...

EnterpriseDET0270Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This detection strategy matters because changes to domain or identity tenant policy can affect many users, devices, and applications at once. Even without detailed MITRE detection text, its relationship to ATT&CK technique T1484 shows the business issue: policy changes in Active Directory or an identity provider can weaken defenses or enable privilege escalation in centrally managed environments.

Executive priority

Treat domain and tenant policy modification visibility as a resilience and governance priority. Leaders should ask whether security teams can prove who changed identity or domain policy, what changed, when it changed, whether it affected trust, federation, syncing, or Group Policy behavior, and whether those changes were authorized. This is also useful audit evidence for identity governance, privileged access oversight, and incident response decision-making.

Technical view

DET0270 is a detection strategy for T1484, Domain or Tenant Policy Modification, which is associated with defense impairment and privilege escalation across Windows and identity provider environments. Because the supplied ATT&CK object does not include official detection logic, teams should validate monitoring around administrative policy changes in Active Directory and identity provider control planes, especially changes that affect domain policy, tenant configuration, trust relationships, identity synchronization, federation, and centrally applied controls.

Likely telemetry

  • Active Directory change events for domain, Group Policy, trust, and directory configuration objects
  • Identity provider audit logs for tenant policy, federation, synchronization, and administrative configuration changes
  • Privileged administrator activity logs tied to the account, source, time, and target object changed
  • Change management or ticketing records to compare policy changes against approved administrative activity
  • Security control telemetry showing downstream effects of policy changes where available

Detection direction

  • Baseline expected policy administration patterns and alert on high-risk or unusual changes to domain or tenant-wide configuration.
  • Correlate identity provider and Active Directory audit events with privileged account activity and approved change records.
  • Prioritize changes affecting trust relationships, identity federation, identity syncing, tenant-wide settings, or Group Policy-like controls because the related technique is tied to defense impairment and privilege escalation.
  • Tune for legitimate administrative maintenance to reduce false positives, but require strong context for changes made outside normal windows, by unusual administrators, or from unusual sources.
  • Check blind spots where identity provider audit retention, AD auditing, or change history is incomplete; lack of telemetry can prevent confident incident scoping.

Mitigation priorities

  • Ensure domain and tenant policy changes are restricted to appropriate privileged roles and reviewed regularly.
  • Require documented approval and post-change validation for high-impact identity or domain configuration changes.
  • Maintain sufficient audit logging and retention for Active Directory and identity provider administrative actions.
  • Use separation of duties and privileged access governance for administrators who can modify tenant-wide, federation, synchronization, trust, or policy settings.
  • Include policy modification review in incident response playbooks because these changes may affect both defense posture and privilege boundaries.
Analyst notes and limits

The ATT&CK detection strategy object has no official description, detection text, tactics, or platforms of its own. The practical guidance is therefore derived conservatively from its explicit relationship to T1484 and the supplied T1484 context. Local architecture determines which policy objects, tenant settings, and logs are most important.

This take does not assert active exploitation, attribution, or guaranteed detection coverage. The supplied object is sparse, so organizations must validate exact event IDs, log sources, retention, and normal administrative patterns in their own Active Directory and identity provider environments.

Official MITRE ATT&CK definition

Detection of Domain or Tenant Policy Modifications via AD and Identity Provider

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1484 Domain or Tenant Policy Modification This object detects Domain or Tenant Policy Modification.
Relationship explorer

All related ATT&CK context

detects · Technique T1484: Domain or Tenant Policy Modification Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
79e7b86bb0819bfb...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 79e7b86bb081…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0270
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use