T1484: Domain or Tenant Policy Modification

Domain or Tenant Policy Modification matters because a single change in Active Directory or an identity provider tenant can affect many users, devices, and applications at once. If an adversary has enough permission to alter GPOs, domain trusts, federation settings, or identity provider configuration, they may be able to weaken defenses, expand access, or make malicious authentication appear legitimate. For leaders, this is an identity control-plane risk, not just an endpoint issue.

Executive priority

Prioritize this as a high-value identity and resilience control area. Executives should ask who can change domain, tenant, GPO, trust, synchronization, and federation settings; whether those changes are logged and reviewed; and whether incident responders can quickly identify and reverse unauthorized changes. This technique is especially relevant to audit evidence, privileged access governance, cloud/identity security, and business continuity because misconfiguration or abuse can propagate broadly across centrally managed environments.

Technical view

SOC, detection engineering, and IR teams should validate monitoring for Windows Active Directory and identity provider administrative changes associated with domain or tenant policy. The ATT&CK object has no official detection text, but the relationship to DET0270 indicates a detection strategy focused on domain or tenant policy modifications via AD and identity provider telemetry. Teams should specifically review coverage for the related sub-techniques: T1484.001 Group Policy Modification and T1484.002 Trust Modification. Investigation should account for temporary changes that may be reverted after a malicious action, so point-in-time configuration snapshots and change history are important.

Likely telemetry

Active Directory administrative change logs for GPO, domain, and trust configuration changes
Identity provider administrative audit logs for tenant, federation, trust, and identity provider configuration changes
Privileged account activity associated with policy, GPO, domain trust, synchronization, or federation administration
Configuration baselines or snapshots for domain, GPO, trust, and tenant settings
Change management records to compare approved versus observed administrative changes

Detection direction

Validate that DET0270-style coverage is implemented for both Active Directory and identity provider administrative changes where applicable.
Correlate policy or trust modifications with the privileged account, source system, time, approval record, and subsequent authentication or access activity.
Tune for high-risk changes rather than every routine administrative update: new or modified trusts, federation changes, GPO changes affecting many systems, and additions of federated identity providers are especially important based on the supplied ATT&CK description.
Account for false positives from legitimate identity administration, migrations, federation updates, and planned GPO maintenance by integrating change-management context.
Address blind spots where logs are not retained long enough, identity provider audit events are not ingested into the SIEM, or reverted configuration changes are not captured.

Mitigation priorities

Enforce user account management controls so ordinary accounts cannot modify domain, tenant, GPO, trust, or federation policy settings unless explicitly required.
Apply privileged account management for all roles that can alter centralized identity or policy configuration, including least privilege, role scoping, accountability, and monitoring.
Implement and regularly review auditing for domain, tenant, GPO, trust, and federation configuration changes to support detection, compliance evidence, and incident reconstruction.
Maintain known-good configuration baselines for high-impact identity and policy settings so responders can identify and reverse unauthorized changes.
Periodically review delegated permissions over GPOs, trusts, federation, synchronization, and identity provider configuration, especially after administrative projects or organizational changes.

Analyst notes and limits

This technique sits under defense impairment and privilege escalation for Windows and Identity Provider platforms. The supplied relationships identify User Account Management, Privileged Account Management, and Audit as relevant mitigations, and identify Group Policy Modification and Trust Modification as sub-techniques. The most important local validation question is whether the organization can reliably prove who changed centralized identity policy, what changed, whether it was authorized, and whether it was later reverted.

The official ATT&CK object does not provide detection guidance, so detection recommendations are derived from the technique description, platforms, tactics, relationship to DET0270, and related mitigations/sub-techniques. Local identity architecture, logging configuration, retention, and change-management maturity determine actual coverage.

Official MITRE ATT&CK definition

Domain or Tenant Policy Modification

Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation.

Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants.

With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include:

* modifying GPOs to push a malicious Scheduled Task to computers throughout the domain environment[1][2][3] * modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources[4] * changing configuration settings within the AD environment to implement a Rogue Domain Controller. * adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant [5]

Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 2 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1484.002	Trust Modification Sub-technique	Trust Modification subtechnique of this object.
Enterprise	T1484.001	Group Policy Modification Sub-technique	Group Policy Modification subtechnique of this object.

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1047: Audit Enterprise mitigates · Mitigation M1026: Privileged Account Management Enterprise subtechnique of · Technique T1484.002: Trust Modification Enterprise mitigates · Mitigation M1018: User Account Management Enterprise subtechnique of · Technique T1484.001: Group Policy Modification Enterprise detects · Detection Strategy DET0270: Detection of Domain or Tenant Policy Modifications via AD and Identity Provider Enterprise

Mitigations

Mitigation direction

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1026: Privileged Account Management

Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

- Implement RBAC and least privilege principles to allocate permissions securely. - Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

- Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials. - Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

- Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

- Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

- Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

- Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

*Tools for Implementation*

Privileged Access Management (PAM):

- CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

- Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

- Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

- sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

- Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.

M1018: User Account Management

User Account Management involves implementing and enforcing policies for the lifecycle of user accounts, including creation, modification, and deactivation. Proper account management reduces the attack surface by limiting unauthorized access, managing account privileges, and ensuring accounts are used according to organizational policies. This mitigation can be implemented through the following measures:

Enforcing the Principle of Least Privilege

- Implementation: Assign users only the minimum permissions required to perform their job functions. Regularly audit accounts to ensure no excess permissions are granted. - Use Case: Reduces the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

Implementing Strong Password Policies

- Implementation: Enforce password complexity requirements (e.g., length, character types). Require password expiration every 90 days and disallow password reuse. - Use Case: Prevents adversaries from gaining unauthorized access through password guessing or brute force attacks.

Managing Dormant and Orphaned Accounts

- Implementation: Implement automated workflows to disable accounts after a set period of inactivity (e.g., 30 days). Remove orphaned accounts (e.g., accounts without an assigned owner) during regular account audits. - Use Case: Eliminates dormant accounts that could be exploited by attackers.

Account Lockout Policies

- Implementation: Configure account lockout thresholds (e.g., lock accounts after five failed login attempts). Set lockout durations to a minimum of 15 minutes. - Use Case: Mitigates automated attack techniques that rely on repeated login attempts.

Multi-Factor Authentication (MFA) for High-Risk Accounts

- Implementation: Require MFA for all administrative accounts and high-risk users. Use MFA mechanisms like hardware tokens, authenticator apps, or biometrics. - Use Case: Prevents unauthorized access, even if credentials are stolen.

Restricting Interactive Logins

- Implementation: Restrict interactive logins for privileged accounts to specific secure systems or management consoles. Use group policies to enforce logon restrictions. - Use Case: Protects sensitive accounts from misuse or exploitation.

*Tools for Implementation*

Built-in Tools:

- Microsoft Active Directory (AD): Centralized account management and RBAC enforcement. - Group Policy Object (GPO): Enforce password policies, logon restrictions, and account lockout policies.

Identity and Access Management (IAM) Tools:

- Okta: Centralized user provisioning, MFA, and SSO integration. - Microsoft Azure Active Directory: Provides advanced account lifecycle management, role-based access, and conditional access policies.

Privileged Account Management (PAM): - CyberArk, BeyondTrust, Thycotic: Manage and monitor privileged account usage, enforce session recording, and JIT access.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 4.0
Created: Mar 7, 2019, 14:10 UTC (UTC+00:00)
Modified: May 12, 2026, 15:12 UTC (UTC+00:00)
Raw hash: 6245d26c8aaf2b0b...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	4.0	May 12, 2026, 15:12 UTC (UTC+00:00)	Current bundle	`6245d26c8aaf…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
ADSecurity GPO Persistence 2016

Metcalf, S. (2016, March 14). Sneaky Active Directory Persistence #17: Group Policy. Retrieved March 5, 2019.
Open source URL
[2]
Wald0 Guide to GPOs

Robbins, A. (2018, April 2). A Red Teamer’s Guide to GPOs and OUs. Retrieved March 5, 2019.
Open source URL
[3]
Harmj0y Abusing GPO Permissions

Schroeder, W. (2016, March 17). Abusing GPO Permissions. Retrieved September 23, 2024.
Open source URL
[4]
Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks

MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
Open source URL
[5]
Okta Cross-Tenant Impersonation 2023

Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.
Open source URL
[6]
mitre-attack T1484
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams