LoFP / In most organizations, new custom domains will be updated infrequently. Filter as needed.

Techniques

Sample rules

Azure AD New Custom Domain Added

Description

The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful “Add unverified domain” operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk.

Detection logic

`azure_monitor_aad`  operationName="Add unverified domain" properties.result=success 
| rename properties.* as * 
| rename targetResources{}.displayName as domain 
| stats count min(_time) as firstTime max(_time) as lastTime by user, domain, result, operationName, src_ip 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_new_custom_domain_added_filter`
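The same logic as the SPL search above, carried out in Python over a few constructed Azure AD AuditLogs records (an added example, not part of the LoFP page or the Splunk rule): it keeps successful "Add unverified domain" events, aggregates count, firstTime and lastTime per user, domain and source IP, and applies an allowlist of expected domains that plays the role of the `azure_ad_new_custom_domain_added_filter` macro. Record field names follow the Azure Monitor export schema; the sample values, epoch timestamps and allowlist contents are assumptions.

```python
# Constructed AuditLogs records in the Azure Monitor export shape the SPL search reads:
# operationName, properties.result, properties.initiatedBy.user.*, properties.targetResources[].displayName.
def _audit(time, result, user, ip, domain):
    """Build one constructed record; `time` is epoch seconds standing in for _time."""
    return {"time": time, "operationName": "Add unverified domain",
            "properties": {"result": result,
                           "initiatedBy": {"user": {"userPrincipalName": user, "ipAddress": ip}},
                           "targetResources": [{"displayName": domain}]}}

SAMPLE_LOGS = [  # invented values, not real tenant data
    _audit(1700000000, "success", "admin@example.com", "203.0.113.10", "partner-example.test"),
    _audit(1700001800, "failure", "admin@example.com", "203.0.113.10", "partner-example.test"),  # dropped: not success
    _audit(1700003600, "success", "admin@example.com", "203.0.113.10", "partner-example.test"),  # retry -> count 2
    _audit(1700007200, "success", "itops@example.com", "198.51.100.7", "mail.example.com"),      # allowlisted
]

# Assumed allowlist standing in for the `azure_ad_new_custom_domain_added_filter` macro.
EXPECTED_DOMAINS = frozenset({"mail.example.com"})


def is_successful_domain_add(record):
    """Equivalent of: operationName="Add unverified domain" properties.result=success."""
    return (record.get("operationName") == "Add unverified domain"
            and record.get("properties", {}).get("result") == "success")


def summarize_domain_additions(records, allowlist=frozenset()):
    """stats count min(_time) as firstTime max(_time) as lastTime by user, domain, src_ip,
    then drop domains on the allowlist (the filter macro's role)."""
    groups = {}
    for rec in records:
        if not is_successful_domain_add(rec):
            continue
        props = rec["properties"]
        actor = props.get("initiatedBy", {}).get("user", {})
        user = actor.get("userPrincipalName", "unknown")
        src_ip = actor.get("ipAddress", "unknown")
        for target in props.get("targetResources", []):
            domain = (target.get("displayName") or "").lower()
            if not domain or domain in allowlist:
                continue
            key = (user, domain, src_ip)  # the SPL "by" fields
            g = groups.setdefault(key, {"count": 0, "firstTime": rec["time"], "lastTime": rec["time"]})
            g["count"] += 1
            g["firstTime"] = min(g["firstTime"], rec["time"])
            g["lastTime"] = max(g["lastTime"], rec["time"])
    return groups
```

Each surviving key is one row the Splunk search would emit; tune the allowlist per tenant rather than widening the search itself.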