Detection of Trust Relationship Modifications in Domain or Tenant Policies

Technique Detected: Trust Modification | T1484.002

ID: DET0458
Domains: Enterprise
Analytics: AN1259, AN1260
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1259

An adversary modifies Active Directory domain trust settings with netdom, nltest, or PowerShell to add a new domain or forest trust or to change the properties of an existing one. The change lands on the `trustedDomain` object for the partner domain, in attributes such as trustDirection, trustType and trustAttributes, and is often paired with a grant of SeEnableDelegationPrivilege or with certificate injection so that the new trust can actually be abused.

Log Sources
Data Component Name                               Channel
Active Directory Object Modification (DC0066)     WinEventLog:Security EventCode=5136,5137,5141
User Account Modification (DC0010)                WinEventLog:Security EventCode=4704 (PrivilegeList includes SeEnableDelegationPrivilege)
Process Creation (DC0032)                         WinEventLog:Sysmon EventCode=1 (netdom.exe, nltest.exe, powershell.exe)
Mutable Elements
Field               Description
ObjectType          Focus on `trustedDomain` objects (stored under CN=System in the domain naming context) and `foreignSecurityPrincipal` objects (under CN=ForeignSecurityPrincipals).
AttributeModified   Monitor `trustPartner`, `trustDirection`, `trustType`, `trustAttributes` and `msDS-TrustForestTrustInfo`; ignore cosmetic attributes such as `description`.
TimeWindow          Correlate trust creation or modification with unusual logon events, SeEnableDelegationPrivilege grants (4704) or certificate changes occurring in the same window.
UserContext         Flag trust changes made by rare accounts or by accounts outside the set of administrators expected to manage trusts.
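The following is an added worked example of the AN1259 logic, not code from the ATT&CK page. It runs over constructed Security-log records (event codes 5136, 5137, 4704 with the field names Windows uses) and applies the mutable elements above: it keeps only changes to `trustedDomain` objects in the watched attributes, checks the subject against a hypothetical allow-list of trust administrators, and correlates each change with any SeEnableDelegationPrivilege grant inside a one-hour window. The allow-list, the window and the sample events are assumptions made for the example.

```python
"""AN1259: flag trustedDomain object changes in Windows Security events.

Sample events below are constructed for this example in the shape of
Security-log fields; they are not real telemetry.
"""
from datetime import datetime, timedelta

# trustedDomain attributes whose change alters what the trust grants.
TRUST_ATTRIBUTES = {
    "trustPartner", "trustDirection", "trustType", "trustAttributes",
    "msDS-TrustForestTrustInfo",
}
TRUST_EVENTS = {5136, 5137, 5141}  # object modified / created / deleted
# Hypothetical allow-list of accounts expected to manage trusts (UserContext).
KNOWN_TRUST_ADMINS = {"svc-trustmgmt"}
# TimeWindow: a delegation-privilege grant this close to the change is suspicious.
CORRELATION_WINDOW = timedelta(hours=1)


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_trust_modifications(events, known_admins=KNOWN_TRUST_ADMINS,
                               window=CORRELATION_WINDOW):
    """Return one alert per trustedDomain change, enriched with context."""
    delegation_grants = [
        e for e in events
        if e["EventCode"] == 4704
        and "SeEnableDelegationPrivilege" in e.get("PrivilegeList", "")
    ]
    alerts = []
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        if e["EventCode"] not in TRUST_EVENTS or e.get("ObjectClass") != "trustedDomain":
            continue
        attribute = e.get("AttributeLDAPDisplayName")
        if e["EventCode"] == 5136 and attribute not in TRUST_ATTRIBUTES:
            continue  # e.g. a description change on the trust object
        ts = parse_ts(e["TimeCreated"])
        what = {5136: "modified", 5137: "created", 5141: "deleted"}[e["EventCode"]]
        reasons = [f"trustedDomain object {what}: {e['ObjectDN']}"]
        if e["EventCode"] == 5136:
            reasons[0] += f" ({attribute}={e.get('AttributeValue')})"
        subject = e["SubjectUserName"]
        if subject not in known_admins:
            reasons.append(f"subject {subject} is not an expected trust administrator")
        for g in delegation_grants:
            if abs(parse_ts(g["TimeCreated"]) - ts) <= window:
                reasons.append(
                    f"SeEnableDelegationPrivilege granted to {g['TargetSid']} "
                    f"by {g['SubjectUserName']} within {window}"
                )
        alerts.append({
            "time": e["TimeCreated"],
            "subject": subject,
            "object": e["ObjectDN"],
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 3 else "medium",
        })
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventCode": 5137, "TimeCreated": "2025-10-21T08:00:00", "SubjectUserName": "svc-trustmgmt",
     "ObjectClass": "trustedDomain", "ObjectDN": "CN=lab.example,CN=System,DC=corp,DC=example"},
    {"EventCode": 5136, "TimeCreated": "2025-10-21T09:00:00", "SubjectUserName": "jdoe",
     "ObjectClass": "trustedDomain", "ObjectDN": "CN=partner.example,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "trustDirection", "AttributeValue": "3", "OperationType": "%%14674"},
    {"EventCode": 5136, "TimeCreated": "2025-10-21T09:05:00", "SubjectUserName": "jdoe",
     "ObjectClass": "user", "ObjectDN": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "on leave", "OperationType": "%%14674"},
    {"EventCode": 4704, "TimeCreated": "2025-10-21T09:10:00", "SubjectUserName": "jdoe",
     "TargetSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "PrivilegeList": "SeEnableDelegationPrivilege"},
]

if __name__ == "__main__":
    for alert in detect_trust_modifications(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["subject"], "|", "; ".join(alert["reasons"]))
```

On the sample data the trust created by the allow-listed service account is reported at medium severity as a single-reason alert, while the trustDirection change by jdoe is raised to high because it comes from an unexpected account and is followed ten minutes later by a SeEnableDelegationPrivilege grant; the benign description change on a user object is dropped by the object-class filter.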

AN1260

An adversary adds a federated identity provider or switches a tenant domain's authentication from Managed to Federated, so that tokens signed by an IdP under the adversary's control are accepted for that domain. The change can be made through the management API, PowerShell, or the admin portal and surfaces as federation events such as Set domain authentication, Set federation settings on domain, Add federated identity provider, or the Update-MsolFederatedDomain cmdlet.

Log Sources
Data Component Name                 Channel
Application Log Content (DC0038)    m365:unified Operation="Set federation settings on domain" OR "Set domain authentication" OR "Add federated identity provider"
Command Execution (DC0064)          azure:auditLogs OperationName="Set domain authentication" OR "Set federation settings on domain" (written when Set-MsolDomainAuthentication / Update-MsolFederatedDomain or the equivalent API call succeeds; federation changes are recorded in the Entra ID audit log, not the sign-in log)
Mutable Elements
Field               Description
OperationName       Identify rare federation operations (Set domain authentication, Set federation settings on domain, Update-MsolFederatedDomain) against a baseline of how often the tenant normally changes federation.
InitiatedBy         Flag federation changes performed by unknown users, service principals, or tokens not held by the identities expected to administer federation.
UserAgent           Separate scripted or API clients (PowerShell, Graph SDKs) from browser sessions in the admin portal.
TimeWindow          Correlate the change with federated sign-ins or SAML tokens accepted for the affected domain within a short window afterwards.
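The following is an added worked example of the AN1260 logic, not code from the ATT&CK page. It runs over constructed Entra ID audit and sign-in records in a simplified form of the Microsoft Graph directoryAudit and signIn resources (activityDisplayName, initiatedBy, targetResources, tokenIssuerType) and applies the mutable elements above: it keeps only federation operations, checks the initiating user or service principal against a hypothetical allow-list, classifies the user agent as scripted or browser-based, and correlates each change with federated sign-ins to the affected domain inside a two-hour window. The record shape, the allow-list, the user-agent markers, the window and the sample records are assumptions made for the example.

```python
"""AN1260: flag federation changes in Entra ID audit records.

Sample records below are constructed for this example in a simplified
Graph directoryAudit / signIn shape; they are not real telemetry.
"""
from datetime import datetime, timedelta

FEDERATION_OPERATIONS = {
    "Set domain authentication",
    "Set federation settings on domain",
    "Add federated identity provider",
}
# Hypothetical allow-list of identities expected to change federation (InitiatedBy).
KNOWN_FEDERATION_ADMINS = {"idp-admin@contoso.com"}
# UserAgent markers that indicate a script or API client rather than the portal.
SCRIPTED_UA_MARKERS = ("powershell", "python", "curl", "msal", "go-http")
# TimeWindow: federated sign-ins this soon after the change are suspicious.
CORRELATION_WINDOW = timedelta(hours=2)


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def initiator_of(record):
    """Return (identity, kind) for a user- or app-initiated audit record."""
    by = record.get("initiatedBy", {})
    if by.get("user"):
        return by["user"]["userPrincipalName"], "user"
    if by.get("app"):
        return by["app"]["displayName"], "service principal"
    return "unknown", "unknown"


def detect_federation_changes(audit_records, signins,
                              known_admins=KNOWN_FEDERATION_ADMINS,
                              window=CORRELATION_WINDOW):
    """Return one alert per federation operation, enriched with context."""
    alerts = []
    for rec in sorted(audit_records, key=lambda r: r["activityDateTime"]):
        op = rec["activityDisplayName"]
        if op not in FEDERATION_OPERATIONS:
            continue
        ts = parse_ts(rec["activityDateTime"])
        target = rec["targetResources"][0]
        domain = target["displayName"]
        reasons = [f"{op} on {domain}"]
        for prop in target.get("modifiedProperties", []):
            reasons[0] += f" ({prop['displayName']}: {prop['oldValue']} -> {prop['newValue']})"
        identity, kind = initiator_of(rec)
        if identity not in known_admins:
            reasons.append(f"initiated by unexpected {kind} {identity}")
        ua = rec.get("userAgent", "")
        if any(m in ua.lower() for m in SCRIPTED_UA_MARKERS):
            reasons.append(f"scripted/API client: {ua}")
        # Sign-ins for the domain that were issued by a federation server after the change.
        federated = [
            s for s in signins
            if s["userPrincipalName"].lower().endswith("@" + domain.lower())
            and s.get("tokenIssuerType") == "ADFederationServices"
            and timedelta(0) <= parse_ts(s["createdDateTime"]) - ts <= window
        ]
        if federated:
            reasons.append(f"{len(federated)} federated sign-in(s) to {domain} within {window}")
        alerts.append({
            "time": rec["activityDateTime"],
            "operation": op,
            "domain": domain,
            "initiator": identity,
            "reasons": reasons,
            "severity": "high" if len(reasons) >= 3 else "medium",
        })
    return alerts


# Constructed sample records (not real logs).
SAMPLE_AUDIT = [
    {"activityDateTime": "2025-10-21T10:00:00Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "attacker@contoso.com"}},
     "userAgent": "AzureAD-PowerShell/2.0",
     "targetResources": [{"displayName": "contoso.com", "modifiedProperties": [
         {"displayName": "Authentication", "oldValue": "Managed", "newValue": "Federated"}]}]},
    {"activityDateTime": "2025-10-21T10:30:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.com"}},
     "userAgent": "Mozilla/5.0", "targetResources": [{"displayName": "cfo@contoso.com"}]},
    {"activityDateTime": "2025-10-21T12:00:00Z", "activityDisplayName": "Add federated identity provider",
     "initiatedBy": {"user": {"userPrincipalName": "idp-admin@contoso.com"}},
     "userAgent": "Mozilla/5.0 (Windows NT 10.0)", "targetResources": [{"displayName": "contoso.com"}]},
]
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-10-21T09:30:00Z", "userPrincipalName": "cfo@contoso.com", "tokenIssuerType": "AzureAD"},
    {"createdDateTime": "2025-10-21T10:12:00Z", "userPrincipalName": "cfo@contoso.com", "tokenIssuerType": "ADFederationServices"},
    {"createdDateTime": "2025-10-21T15:00:00Z", "userPrincipalName": "dev@contoso.com", "tokenIssuerType": "ADFederationServices"},
]

if __name__ == "__main__":
    for alert in detect_federation_changes(SAMPLE_AUDIT, SAMPLE_SIGNINS):
        print(alert["severity"].upper(), alert["time"], alert["initiator"], "|", "; ".join(alert["reasons"]))
```

On the sample data the Managed-to-Federated switch by attacker@contoso.com is raised to high severity on four grounds (the operation itself, an initiator outside the allow-list, a PowerShell user agent, and a federation-issued sign-in for the domain twelve minutes later), while the identity-provider addition by the allow-listed admin from a browser, with no federated sign-in in the following two hours, is a single-reason medium alert; the unrelated user update is not considered.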