Common Information
| Type | Value |
|---|---|
| Value |
Domain or Tenant Policy Modification - T1484 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments. Such services provide a centralized means of managing identity resources such as devices and accounts, and often include configuration settings that may apply between domains or tenants such as trust relationships, identity syncing, or identity federation. Modifications to domain or tenant settings may include altering domain Group Policy Objects (GPOs) in Microsoft Active Directory (AD) or changing trust settings for domains, including federation trusts relationships between domains or tenants. With sufficient permissions, adversaries can modify domain or tenant policy settings. Since configuration settings for these services apply to a large number of identity resources, there are a great number of potential attacks malicious outcomes that can stem from this abuse. Examples of such abuse include: * modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) * modifying domain trusts to include an adversary-controlled domain, allowing adversaries to forge access tokens that will subsequently be accepted by victim domain resources(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) * changing configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). * adding new, adversary-controlled federated identity providers to identity tenants, allowing adversaries to authenticate as any user managed by the victim tenant (Citation: Okta Cross-Tenant Impersonation 2023) Adversaries may temporarily modify domain or tenant policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators. |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-04 | 57 | Threat Intelligence Report October 29 - November 4 2024 | Red Piranha | ||
| Details | Website | 2024-10-24 | 16 | Talos IR trends Q3 2024: Identity-based operations loom large | ||
| Details | Website | 2024-10-23 | 5 | EDRSilencer — Red Team Tool | ||
| Details | Website | 2024-10-16 | 108 | Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | CISA | ||
| Details | Website | 2024-09-25 | 24 | Zero Trust Protections - Illustrated | ||
| Details | Website | 2024-08-28 | 44 | BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks | ||
| Details | Website | 2024-06-07 | 76 | A guide to threat hunting and monitoring in Snowflake | Datadog Security Labs | ||
| Details | Website | 2023-10-23 | 273 | Red Team Tools | ||
| Details | Website | 2023-09-15 | 816 | UNC3944: SMS Phishing, SIM Swapping, and Ransomware Attacks | ||
| Details | Website | 2023-08-10 | 7 | Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization - RedPacket Security | ||
| Details | Website | 2023-08-03 | 43 | Sysmon | TryHackMe | ||
| Details | Website | 2023-07-27 | 117 | Healthcare Threat Landscape 2022-2023: Common TTPs Used by Top Ransomware Groups Targeting the Healthcare Sector | ||
| Details | Website | 2023-05-04 | 10 | Once Bitten: LockBit Ransomware Case Study - ReliaQuest | ||
| Details | Website | 2023-05-03 | 15 | WinRAR as Cyberweapon: UAC-0165 Targets Ukrainian Public Sector with RoarBat - SOC Prime | ||
| Details | Website | 2023-03-04 | 21 | CISA Alert AA23-061A: Royal Ransomware Analysis, Simulation and TTPs | ||
| Details | Website | 2023-02-08 | 21 | Earth Zhulong Familiar Patterns Target Southeast Asian Firms | ||
| Details | Website | 2023-01-26 | 14 | Quarterly Report: Incident Response Trends in Q4 2022 | ||
| Details | Website | 2023-01-11 | 93 | Increasing The Sting of HIVE Ransomware | Rapid7 Blog | ||
| Details | Website | 2022-07-10 | 80 | Resecurity | BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands | ||
| Details | Website | 2022-06-10 | 25 | China-Linked Threat Group Targets Taiwan Critical Infrastructure, Smokescreen Ransomware | ||
| Details | Website | 2022-05-21 | 31 | Analysis on recent wiper attacks: examples and how wiper malware works | ||
| Details | Website | 2022-03-29 | 86 | From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection | ||
| Details | Website | 2022-02-08 | 26 | Ransomware Spotlight: LockBit - Security News | ||
| Details | Website | 2021-07-19 | 75 | Chinese State-Sponsored Cyber Operations: Observed TTPs | CISA | ||
| Details | Website | 2021-03-24 | 18 | Quarterly Report: Incident Response trends from Winter 2020-21 |