Domain Policy Modification: Domain Trust Modification

ID Name
T1484.001 Group Policy Modification
T1484.002 Domain Trust Modification

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.[1] These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.[2]

ID: T1484.002
Sub-technique of:  T1484
Platforms: Azure AD, Windows
Permissions Required: Administrator
Contributors: Blake Strom, Microsoft 365 Defender; Praetorian
Version: 1.1
Created: 28 December 2020
Last Modified: 21 October 2022

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.[3][4]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.[5][6]

Mitigations

ID Mitigation Description
M1026 Privileged Account Management

Use the principal of least privilege and protect administrative access to domain trusts.

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Object Creation

Monitor for newly constructed active directory objects, such as Windows EID 5137.

Active Directory Object Modification

Monitor for changes made to AD settings for unexpected modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain.

DS0017 Command Command Execution

Monitor executed commands and arguments that updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication.[7] Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.[8]

References