LoFP / In most organizations, domain federation settings will be updated infrequently. Filter as needed.

Techniques

Sample rules

Azure AD New Federated Domain Added

Description

The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful “Set domain authentication” operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment.

Detection logic

`azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success
| rename properties.* as *
| rename targetResources{}.displayName as domain
| stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_new_federated_domain_added_filter`
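The same filter-extract-aggregate logic replayed in Python over a few constructed AuditLogs records, as an added example that is not part of the LoFP page or Splunk's own content. It assumes a simplified Azure Monitor AuditLogs field layout (properties.operationName, properties.result, properties.initiatedBy.user, properties.targetResources) and uses an `allowlist` argument to stand in for the site-specific filter macro.

```python
from collections import defaultdict
from datetime import datetime, timezone

OPERATION = "Set domain authentication"

def _ev(time, op, result, upn, ip, target):
    """Build one constructed record in a simplified Azure Monitor AuditLogs shape (assumed layout)."""
    return {"time": time, "properties": {
        "operationName": op, "result": result,
        "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
        "targetResources": [{"displayName": target}]}}

# Constructed sample events: two successful federation changes for the same domain by
# one admin, one failed attempt, and one unrelated operation that must not match.
SAMPLE_EVENTS = [
    _ev("2024-05-01T10:00:00Z", OPERATION, "success", "admin@example.test", "203.0.113.10", "fed.example.test"),
    _ev("2024-05-01T10:05:00Z", OPERATION, "success", "admin@example.test", "203.0.113.10", "fed.example.test"),
    _ev("2024-05-01T10:06:00Z", OPERATION, "failure", "helpdesk@example.test", "198.51.100.7", "partner.example.test"),
    _ev("2024-05-01T10:07:00Z", "Add user", "success", "admin@example.test", "203.0.113.10", "newuser@example.test"),
]

def detect_new_federated_domain(events, allowlist=()):
    """Mirror the SPL: keep successful 'Set domain authentication' events, pull the
    domain from targetResources, then group by user/domain/result/operationName/src_ip
    with count, firstTime and lastTime. `allowlist` stands in for the filter macro:
    domains whose federation changes are expected in this tenant and should not alert."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        p = ev["properties"]
        if p.get("operationName") != OPERATION or p.get("result") != "success":
            continue
        user = p.get("initiatedBy", {}).get("user", {})
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for tr in p.get("targetResources", []):
            domain = tr.get("displayName")
            if domain in allowlist:
                continue
            key = (user.get("userPrincipalName"), domain, p["result"], p["operationName"],
                   user.get("ipAddress"))
            g = groups[key]
            g["count"] += 1
            g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
            g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
    return [dict(user=k[0], domain=k[1], result=k[2], operationName=k[3], src_ip=k[4], **v)
            for k, v in groups.items()]
```

Running `detect_new_federated_domain(SAMPLE_EVENTS)` yields a single row for the admin/fed.example.test pair with count 2, while passing that domain in `allowlist` suppresses it, which is the effect the page's false-positive note asks you to tune.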