1. Home
  2. Techniques
  3. Enterprise
  4. Domain or Tenant Policy Modification
  5. Trust Modification

Domain or Tenant Policy Modification: Trust Modification

ID Name
T1484.001 Group Policy Modification
T1484.002 Trust Modification

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.[1] These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge SAML Tokens without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.[2]

An adversary may also add a new federated identity provider to an identity tenant such as Okta or AWS IAM Identity Center, which may enable the adversary to authenticate as any user of the tenant.[3] This may enable the threat actor to gain broad access into a variety of cloud-based services that leverage the identity tenant. For example, in AWS environments, an adversary that creates a new identity provider for an AWS Organization will be able to federate into all of the AWS Organization member accounts without creating identities for each of the member accounts.[4]

ID: T1484.002
Sub-technique of:  T1484
Platforms: Identity Provider, Windows
Permissions Required: Administrator
Contributors: Blake Strom, Microsoft 365 Defender; Obsidian Security; Praetorian
Version: 2.1
Created: 28 December 2020
Last Modified: 25 September 2024
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.[5][6]
G1015 Scattered Spider

Scattered Spider adds a federated identity provider to the victim’s SSO tenant and activates automatic account linking.[7]
C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[8][9]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Use the principal of least privilege and protect administrative access to domain trusts and identity tenants.
M1018 User Account Management

In cloud environments, limit permissions to create new identity providers to only those accounts that require them. In AWS environments, consider using Service Control policies to limit the use of API calls such as CreateSAMLProvider or CreateOpenIDConnectProvider.

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Creation

Monitor for newly constructed active directory objects, such as Windows EID 5137.
Active Directory Object Modification

Monitor for changes made to AD settings for unexpected modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain.
DS0015 Application Log Application Log Content

Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event system.idp.lifecycle.create will trigger on the creation of an identity provider, while sign-ins from a third-party identity provider will create the event user.authentication.auth_via_IDP.[10] In AWS environments, alert on events such as StartSSO, CreateSAMLProvider, or CreateOIDCProvider.[4]
DS0017 Command Command Execution

Monitor executed commands and arguments that updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[11] Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.[12]

References

  1. Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020.
  2. Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022.
  3. Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved February 15, 2024.
  4. Ben Fletcher and Steve de Vera. (2024, June). New tactics and techniques for proactive threat detection. Retrieved September 25, 2024.
  5. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  6. Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.
  1. CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
  2. Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022.
  3. Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021.
  4. Okta Defensive Cyber Operations. (2023, August 31). Cross-Tenant Impersonation: Prevention and Detection. Retrieved March 4, 2024.
  5. Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020.
  6. Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020.