Domain policy modification: A privilege escalation attack technique


Domain policy modification as a privilege escalation technique

Adversaries may modify domain settings to escalate privileges in a domain environment. A domain provides centralized management of how resources such as computers and users interact with one another, and its policies also cover the configuration settings between different domains in a forest. Domain policy modification covers both:

  • Modifications to domain Group Policy Objects (GPOs)
  • Altering domain trust settings

Adversaries who gain the ability to modify domain policies pose a high risk, because domain configuration controls a vast number of interactions in Active Directory (AD). Examples of the misuse that can follow are:

  • Malicious scheduled tasks deployed by modifying GPOs.
  • A rogue domain controller set up by changing configuration settings.

An important note: an adversary may modify the domain policy to launch an attack and then restore the original settings to avoid detection of the suspicious activity.

Identification process for privilege escalation

Event logs can be used to identify domain modifications. For Group Policy modifications, Windows logs distinct Event IDs for modifying, creating, moving, deleting, and recovering deleted directory objects. Modifications to domain trust settings (for example, a user or application changing federation settings) should also be monitored through the policy-related actions that produce them. In addition, you can monitor the commands that are specifically used to modify domain policy settings.
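The detection logic described above, as an added example that is not part of the original page: it runs over a handful of constructed, normalized Windows Security events and flags changes to Group Policy objects and domain trusts, and it also catches the "modify, then restore" pattern from the previous section. The Event IDs are the real Windows directory-service (5136/5137/5138/5139/5141) and trust (4706/4707/4716) IDs; the field names, account names, GPO GUID and values are assumptions made up for the sample.

```python
from datetime import datetime, timedelta

# Windows Security log IDs for directory-service object changes and for trust changes.
DS_OBJECT_EVENTS = {5136: "modified", 5137: "created", 5138: "undeleted",
                    5139: "moved", 5141: "deleted"}
TRUST_EVENTS = {4706: "trust created", 4707: "trust removed", 4716: "trust modified"}

# Constructed sample events (not real logs). The GPO GUID, accounts and values
# are placeholders; the field names are a normalized subset of what Windows writes.
GPO_DN = ("CN={11111111-2222-3333-4444-555555555555},"
          "CN=Policies,CN=System,DC=corp,DC=example")
SAMPLE_EVENTS = [
    # A GPO edit: Windows logs one 5136 for the removed value and one for the added value.
    {"time": "2024-03-01T09:00:00", "id": 5136, "subject": "CORP\\gpo-admin",
     "object_class": "groupPolicyContainer", "object_dn": GPO_DN,
     "attribute": "gPCMachineExtensionNames", "operation": "Value Deleted",
     "value": "[{OLD-CSE-LIST}]"},
    {"time": "2024-03-01T09:00:01", "id": 5136, "subject": "CORP\\gpo-admin",
     "object_class": "groupPolicyContainer", "object_dn": GPO_DN,
     "attribute": "gPCMachineExtensionNames", "operation": "Value Added",
     "value": "[{SCHEDTASK-CSE}]"},
    # Ordinary user-object change: same Event ID, but not a policy object (noise).
    {"time": "2024-03-01T09:05:00", "id": 5136, "subject": "CORP\\helpdesk",
     "object_class": "user", "object_dn": "CN=Alice,OU=Staff,DC=corp,DC=example",
     "attribute": "telephoneNumber", "operation": "Value Added", "value": "555-0100"},
    # The same account puts the GPO attribute back twenty minutes later.
    {"time": "2024-03-01T09:20:00", "id": 5136, "subject": "CORP\\gpo-admin",
     "object_class": "groupPolicyContainer", "object_dn": GPO_DN,
     "attribute": "gPCMachineExtensionNames", "operation": "Value Deleted",
     "value": "[{SCHEDTASK-CSE}]"},
    {"time": "2024-03-01T09:20:01", "id": 5136, "subject": "CORP\\gpo-admin",
     "object_class": "groupPolicyContainer", "object_dn": GPO_DN,
     "attribute": "gPCMachineExtensionNames", "operation": "Value Added",
     "value": "[{OLD-CSE-LIST}]"},
    # A trust object modified by a service account.
    {"time": "2024-03-01T10:05:00", "id": 4716, "subject": "CORP\\svc-backup",
     "object_class": "trustedDomain",
     "object_dn": "CN=partner.example,CN=System,DC=corp,DC=example",
     "attribute": "trustAttributes", "operation": "Modified", "value": ""},
]


def classify(event):
    """Label events that touch domain policy or trusts; return None for everything else."""
    eid = event["id"]
    if eid in TRUST_EVENTS:
        return TRUST_EVENTS[eid]
    if eid in DS_OBJECT_EVENTS and event.get("object_class") == "groupPolicyContainer":
        return "GPO " + DS_OBJECT_EVENTS[eid]
    return None


def find_policy_changes(events):
    """Return (time, subject, label, object DN) for every policy- or trust-related event."""
    return [(e["time"], e["subject"], classify(e), e["object_dn"])
            for e in events if classify(e)]


def find_reverted_changes(events, window=timedelta(hours=1)):
    """Flag a GPO attribute value that was added and then removed again within the window.

    This is the 'change the policy, use it, put it back' pattern: the end state looks
    clean, but the pair of 5136 events is still in the log.
    """
    added = {}      # (object_dn, attribute, value) -> time the value was added
    reverted = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != 5136 or e.get("object_class") != "groupPolicyContainer":
            continue
        key = (e["object_dn"], e["attribute"], e["value"])
        when = datetime.fromisoformat(e["time"])
        if e["operation"] == "Value Added":
            added[key] = when
        elif e["operation"] == "Value Deleted" and key in added:
            if when - added[key] <= window:
                reverted.append({"object_dn": key[0], "attribute": key[1], "value": key[2],
                                 "applied_at": added[key].isoformat(),
                                 "reverted_at": e["time"], "subject": e["subject"]})
            del added[key]
    return reverted


if __name__ == "__main__":
    for row in find_policy_changes(SAMPLE_EVENTS):
        print("policy change:", row)
    for hit in find_reverted_changes(SAMPLE_EVENTS):
        print("applied-then-reverted:", hit)
```

In production the `SAMPLE_EVENTS` list would be replaced by records pulled from the domain controllers' Security logs (the 5136-series events only appear when "Audit Directory Service Changes" is enabled and a SACL covers the policy and trust containers). The revert check is deliberately keyed on the exact value that was added, so an attribute that is edited to two different values in succession is not mistaken for a revert.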

Prevention methods for privilege escalation

Domain policy modification can be prevented, and its impact mitigated when an incident does occur, through methods such as the following:

  • Performing an audit (ID M1047) of systems, software, configurations, etc. can help identify and mitigate domain policy modification, using tools such as BloodHound.
  • Applying least privilege policies, keeping track of who holds administrative levels of access, and making sure service accounts are not created with high-level access privileges.

  Zoho Corporation Pvt. Ltd. All rights reserved.