T1484.002

Trust Modification

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. In Microsoft Azure AD / Entra ID environments this includes converting a managed domain to federated authentication and injecting a backdoor signing certificate to forge SAML tokens (Golden SAML) without compromising the original cert. Adversaries may also add entirely new federated identity providers to Okta, AWS IAM Identity Center, or other identity tenants, enabling them to authenticate as any user in the tenant. On-premises Active Directory trust manipulation generates Windows Security Event IDs 4706/4707/4716. Threat actors observed using this technique include Scattered Spider (adding federated IdPs to SSO tenants with automatic account linking), Storm-0501 (creating new federated domains in Microsoft Entra for persistent backdoor), and AADInternals tooling which automates federated domain backdoor creation.

Microsoft Sentinel / Defender

kusto

let FederationOperations = dynamic([
    "Set domain authentication",
    "Set federation settings on domain",
    "Set DomainFederationSettings",
    "Add domain to company",
    "Add trusted CA for certificate-based auth",
    "Update federation settings on domain",
    "Add identity provider to organization",
    "Set company information"
]);
// Azure AD / Entra ID: federation and trust changes via AuditLogs
let CloudTrustChanges = AuditLogs
| where TimeGenerated > ago(24h)
| where Category in ("DirectoryManagement", "ApplicationManagement", "Policy")
| where OperationName in~ (FederationOperations)
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend ActorServicePrincipal = tostring(InitiatedBy.app.servicePrincipalId)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend NewFederationValue = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend OldFederationValue = tostring(TargetResources[0].modifiedProperties[0].oldValue)
| extend IsFederationToManaged = NewFederationValue has "Managed" and OldFederationValue has "Federated"
| extend IsManagedToFederation = NewFederationValue has "Federated" and OldFederationValue has "Managed"
| project TimeGenerated, Source="AzureAD", EventType=OperationName, Result,
          Actor=coalesce(ActorUPN, ActorApp), ActorIP, ActorServicePrincipal,
          TargetResource, NewFederationValue, OldFederationValue,
          IsManagedToFederation, IsFederationToManaged, CorrelationId;
// On-premises AD: domain trust creation, removal, or modification
let OnPremTrustChanges = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4706, 4707, 4716)
| extend EventType = case(
    EventID == 4706, "New Domain Trust Created",
    EventID == 4707, "Domain Trust Removed",
    EventID == 4716, "Trusted Domain Information Modified",
    "Unknown Trust Event"
)
| project TimeGenerated, Source="OnPremAD", EventType, Result="Success",
          Actor=strcat(SubjectDomainName, "\\", SubjectUserName), ActorIP="",
          ActorServicePrincipal="", TargetResource=Computer,
          NewFederationValue=EventData, OldFederationValue="",
          IsManagedToFederation=false, IsFederationToManaged=false, CorrelationId="";
union CloudTrustChanges, OnPremTrustChanges
| sort by TimeGenerated desc

critical severity high confidence

Data Sources

Identity: Domain Properties Azure AD Audit Logs (AuditLogs) Windows Security Event Log (SecurityEvent) Active Directory: Domain Trust Events

Required Tables

AuditLogs SecurityEvent

False Positives

Legitimate IT infrastructure changes when merging or integrating company domains during M&A activity
Planned federation setup by identity team when deploying AD FS or third-party SSO (Okta, Ping Identity) for the first time
Automated tooling (Azure AD Connect, Microsoft Identity Manager) synchronizing trust configurations as part of hybrid identity management
Removal of federation trust when decommissioning legacy on-premises AD FS infrastructure in favor of managed authentication
Test or staging environment domain federation changes performed by authorized identity engineers during pre-production validation

Splunk

spl

(
  sourcetype="azure:aad:audit"
  (
    operationName="Set domain authentication"
    OR operationName="Set federation settings on domain"
    OR operationName="Set DomainFederationSettings"
    OR operationName="Add domain to company"
    OR operationName="Add trusted CA for certificate-based auth"
    OR operationName="Update federation settings on domain"
    OR operationName="Add identity provider to organization"
    OR operationName="Set company information"
  )
)
OR
(
  sourcetype="WinEventLog:Security"
  (EventCode=4706 OR EventCode=4707 OR EventCode=4716)
)
| eval Source=case(
    sourcetype="azure:aad:audit", "AzureAD",
    sourcetype="WinEventLog:Security", "OnPremAD",
    "Unknown"
)
| eval EventType=case(
    Source="AzureAD", operationName,
    EventCode=="4706", "New Domain Trust Created",
    EventCode=="4707", "Domain Trust Removed",
    EventCode=="4716", "Trusted Domain Information Modified",
    "Unknown"
)
| eval Actor=case(
    Source="AzureAD", coalesce('initiatedBy.user.userPrincipalName', 'initiatedBy.app.displayName'),
    Source="OnPremAD", SubjectUserName,
    "Unknown"
)
| eval ActorIP=if(Source="AzureAD", 'initiatedBy.user.ipAddress', "N/A")
| eval TargetResource=case(
    Source="AzureAD", 'targetResources{}.displayName',
    Source="OnPremAD", Computer,
    "Unknown"
)
| eval Result=coalesce(result, "N/A")
| eval NewValue=if(Source="AzureAD", 'targetResources{}.modifiedProperties{}.newValue', "N/A")
| eval IsManagedToFederation=if(match(NewValue, "(?i)federated") AND Source="AzureAD", 1, 0)
| eval RiskScore=case(
    IsManagedToFederation=1, 100,
    EventType="New Domain Trust Created", 80,
    EventType="Trusted Domain Information Modified", 70,
    EventType="Domain Trust Removed", 60,
    Source="AzureAD", 75,
    1=1, 50
)
| table _time, Source, EventType, Actor, ActorIP, TargetResource, Result, NewValue, IsManagedToFederation, RiskScore
| sort - _time

critical severity high confidence

Data Sources

Azure AD Audit Logs (azure:aad:audit) Windows Security Event Log Active Directory Trust Events

Required Sourcetypes

azure:aad:audit WinEventLog:Security

False Positives

Authorized identity team deploying AD FS or SAML federation for the first time — expect a single managed-to-federated event per domain
M&A integration work establishing cross-forest trust relationships between acquiring and acquired company domains
Automated Azure AD Connect synchronization tasks that periodically update federation metadata or refresh token-signing certificates
Decommission activities that remove existing federation trusts when migrating from AD FS to Entra ID managed authentication
Penetration testing or red team exercises with pre-authorized scope covering identity infrastructure

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  username AS Actor,
  sourceip AS ActorIP,
  QIDNAME(qid) AS EventName,
  "EventID",
  "operationName",
  "targetResourceDisplayName",
  CASE
    WHEN LOGSOURCETYPENAME(devicetype) ILIKE '%Azure Active Directory%' THEN 'AzureAD'
    WHEN "EventID" IN ('4706','4707','4716') THEN 'OnPremAD'
    ELSE 'Unknown'
  END AS Source,
  CASE
    WHEN "EventID" = '4706' THEN 'New Domain Trust Created'
    WHEN "EventID" = '4707' THEN 'Domain Trust Removed'
    WHEN "EventID" = '4716' THEN 'Trusted Domain Information Modified'
    ELSE "operationName"
  END AS EventType
FROM events
WHERE
  devicetime > NOW() - 86400000
  AND (
    (
      LOGSOURCETYPENAME(devicetype) ILIKE '%Azure Active Directory%'
      AND (
        "operationName" ILIKE 'Set domain authentication'
        OR "operationName" ILIKE 'Set federation settings on domain'
        OR "operationName" ILIKE 'Set DomainFederationSettings'
        OR "operationName" ILIKE 'Add domain to company'
        OR "operationName" ILIKE 'Add trusted CA for certificate-based auth'
        OR "operationName" ILIKE 'Update federation settings on domain'
        OR "operationName" ILIKE 'Add identity provider to organization'
        OR "operationName" ILIKE 'Set company information'
      )
    )
    OR (
      LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%'
      AND "EventID" IN ('4706', '4707', '4716')
    )
  )
ORDER BY devicetime DESC
LAST 1440 MINUTES

critical severity high confidence

Data Sources

Microsoft Azure Active Directory DSM (QRadar) Microsoft Windows Security Event Log DSM (QRadar)

Required Tables

events

False Positives

Authorized identity federation projects during Microsoft 365 tenant onboarding or hybrid identity migration where domains are intentionally converted to federated authentication with ADFS
Change-management-approved trust additions between corporate AD forests during mergers, acquisitions, or subsidiary onboarding with corresponding tickets in the ticketing system
Domain trust removals as part of decommissioning legacy domains or cleaning up stale forest trusts following a consolidation project

Sumo Logic CSE

sql

(_sourceCategory=*azure*audit* OR _sourceCategory=*windows*security*)
| where operationName in ("Set domain authentication","Set federation settings on domain","Set DomainFederationSettings","Add domain to company","Add trusted CA for certificate-based auth","Update federation settings on domain","Add identity provider to organization","Set company information")
  OR EventID in ("4706","4707","4716")
| if (isNull(EventID), "AzureAD", "OnPremAD") as Source
| if (Source="AzureAD", operationName,
     if (EventID="4706", "New Domain Trust Created",
     if (EventID="4707", "Domain Trust Removed",
     if (EventID="4716", "Trusted Domain Information Modified", "Unknown")))) as EventType
| if (Source="AzureAD",
     if (!isNull(initiatedBy_user_userPrincipalName), initiatedBy_user_userPrincipalName,
     if (!isNull(initiatedBy_app_displayName), initiatedBy_app_displayName, "Unknown")),
     SubjectUserName) as Actor
| if (Source="AzureAD", initiatedBy_user_ipAddress, "N/A") as ActorIP
| if (Source="AzureAD", targetResources_0_displayName, Computer) as TargetResource
| eval RiskScore = if(EventType="New Domain Trust Created", 80,
                  if(EventType="Trusted Domain Information Modified", 70,
                  if(EventType="Domain Trust Removed", 60,
                  if(Source="AzureAD", 75, 50))))
| fields _messageTime, Source, EventType, Actor, ActorIP, TargetResource, RiskScore
| sort by _messageTime desc

critical severity high confidence

Data Sources

Azure AD Audit Logs via Sumo Logic Azure integration (sourceCategory=*azure*audit*) Windows Security Event Log via Sumo Logic Windows collector (sourceCategory=*windows*security*)

Required Tables

Raw log indexes (Azure audit, Windows Security)

False Positives

Legitimate cloud identity migration projects converting managed domains to federated authentication using ADFS, Okta, or another IdP under an approved project plan
Enterprise IT performing routine trust configuration updates between Active Directory forests for business units that share resources, tracked via ITSM change tickets
Authorized red team or purple team exercises specifically testing AADInternals-based federation backdoor techniques with written scope approval

Google Chronicle / SecOps

yaral

rule trust_modification_t1484_002 {
  meta:
    author = "Detection Engineering"
    description = "Detects MITRE ATT&CK T1484.002 - Domain Trust Modification including Azure AD federation manipulation and on-premises AD trust events (4706/4707/4716). Covers Golden SAML setup, federated IdP injection, and AD trust changes by Scattered Spider and Storm-0501."
    mitre_attack_tactic = "Privilege Escalation, Defense Evasion"
    mitre_attack_technique = "T1484.002"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      (
        $e.metadata.vendor_name = "Microsoft"
        and $e.metadata.product_name = "Azure Active Directory"
        and (
          $e.metadata.product_event_type = "Set domain authentication"
          or $e.metadata.product_event_type = "Set federation settings on domain"
          or $e.metadata.product_event_type = "Set DomainFederationSettings"
          or $e.metadata.product_event_type = "Add domain to company"
          or $e.metadata.product_event_type = "Add trusted CA for certificate-based auth"
          or $e.metadata.product_event_type = "Update federation settings on domain"
          or $e.metadata.product_event_type = "Add identity provider to organization"
          or $e.metadata.product_event_type = "Set company information"
        )
      )
      or
      (
        $e.metadata.vendor_name = "Microsoft"
        and $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
        and $e.metadata.product_event_type in ("4706", "4707", "4716")
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Microsoft Azure Active Directory logs via Chronicle ingestion (log type AZURE_AD_AUDIT) Windows Security Event Log via Chronicle forwarder (log type WINEVTLOG)

Required Tables

UDM events (metadata.product_name, metadata.product_event_type, metadata.vendor_name)

False Positives

Legitimate federation configuration during Microsoft 365 tenant deployment or hybrid AD rollout projects where ADFS is being connected or a third-party IdP is being registered under an approved change
Authorized changes to existing federation trusts during ADFS token-signing certificate rotation procedures which require updating federation metadata on the Azure AD side
Domain trust additions during approved corporate mergers, acquisitions, or subsidiary onboarding workflows that involve establishing cross-forest trusts between newly joined AD environments

CrowdStrike LogScale (CQL)

cql

(
  (
    #repo = "WinEventLog"
    | EventCode in ["4706", "4707", "4716"]
    | Channel = "Security"
  )
  or
  (
    #repo = "azure_ad_audit"
    | OperationName in [
        "Set domain authentication",
        "Set federation settings on domain",
        "Set DomainFederationSettings",
        "Add domain to company",
        "Add trusted CA for certificate-based auth",
        "Update federation settings on domain",
        "Add identity provider to organization",
        "Set company information"
      ]
  )
)
| Source := case {
    #repo = "WinEventLog" => "OnPremAD";
    #repo = "azure_ad_audit" => "AzureAD";
    * => "Unknown"
  }
| EventType := case {
    EventCode = "4706" => "New Domain Trust Created";
    EventCode = "4707" => "Domain Trust Removed";
    EventCode = "4716" => "Trusted Domain Information Modified";
    * => OperationName
  }
| Actor := coalesce(
    initiatedBy.user.userPrincipalName,
    initiatedBy.app.displayName,
    SubjectUserName,
    "Unknown"
  )
| ActorIP := coalesce(initiatedBy.user.ipAddress, "N/A")
| TargetResource := coalesce(targetResources[0].displayName, Computer, "Unknown")
| IsManagedToFederation := if(
    match(regex="(?i)federated", field=OperationName) and Source = "AzureAD",
    true, false
  )
| select([_time, Source, EventType, Actor, ActorIP, TargetResource, IsManagedToFederation])
| sort(_time, order=desc)

critical severity high confidence

Data Sources

Windows Security Event Log forwarded via Falcon Log Forwarder or Winlogbeat into LogScale (repository: WinEventLog) Azure AD Audit Logs via Azure Event Hub to LogScale ingestion endpoint (repository: azure_ad_audit)

Required Tables

WinEventLog repository azure_ad_audit repository

False Positives

Authorized federation setup or reconfiguration during enterprise SSO projects where an administrator is legitimately adding a new SAML IdP or updating existing federation metadata under a tracked change request
Domain controller maintenance windows where IT performs trust relationship modifications between AD forests as part of infrastructure consolidation or domain rename operations
Authorized red team or penetration testing engagements that include testing AADInternals-based federation backdoor creation or BloodHound-identified trust escalation paths within documented scope

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1484.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Trust Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections