Detect Trust Modification in Microsoft Sentinel
Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. In Microsoft Azure AD / Entra ID environments this includes converting a managed domain to federated authentication and injecting a backdoor signing certificate to forge SAML tokens (Golden SAML) without compromising the original cert. Adversaries may also add entirely new federated identity providers to Okta, AWS IAM Identity Center, or other identity tenants, enabling them to authenticate as any user in the tenant. On-premises Active Directory trust manipulation generates Windows Security Event IDs 4706/4707/4716. Threat actors observed using this technique include Scattered Spider (adding federated IdPs to SSO tenants with automatic account linking), Storm-0501 (creating new federated domains in Microsoft Entra for persistent backdoor), and AADInternals tooling which automates federated domain backdoor creation.
MITRE ATT&CK
- Sub-technique
- T1484.002 Trust Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1484/002/
KQL Detection Query
let FederationOperations = dynamic([
"Set domain authentication",
"Set federation settings on domain",
"Set DomainFederationSettings",
"Add domain to company",
"Add trusted CA for certificate-based auth",
"Update federation settings on domain",
"Add identity provider to organization",
"Set company information"
]);
// Azure AD / Entra ID: federation and trust changes via AuditLogs
let CloudTrustChanges = AuditLogs
| where TimeGenerated > ago(24h)
| where Category in ("DirectoryManagement", "ApplicationManagement", "Policy")
| where OperationName in~ (FederationOperations)
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
| extend ActorApp = tostring(InitiatedBy.app.displayName)
| extend ActorServicePrincipal = tostring(InitiatedBy.app.servicePrincipalId)
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend NewFederationValue = tostring(TargetResources[0].modifiedProperties[0].newValue)
| extend OldFederationValue = tostring(TargetResources[0].modifiedProperties[0].oldValue)
| extend IsFederationToManaged = NewFederationValue has "Managed" and OldFederationValue has "Federated"
| extend IsManagedToFederation = NewFederationValue has "Federated" and OldFederationValue has "Managed"
| project TimeGenerated, Source="AzureAD", EventType=OperationName, Result,
Actor=coalesce(ActorUPN, ActorApp), ActorIP, ActorServicePrincipal,
TargetResource, NewFederationValue, OldFederationValue,
IsManagedToFederation, IsFederationToManaged, CorrelationId;
// On-premises AD: domain trust creation, removal, or modification
let OnPremTrustChanges = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID in (4706, 4707, 4716)
| extend EventType = case(
EventID == 4706, "New Domain Trust Created",
EventID == 4707, "Domain Trust Removed",
EventID == 4716, "Trusted Domain Information Modified",
"Unknown Trust Event"
)
| project TimeGenerated, Source="OnPremAD", EventType, Result="Success",
Actor=strcat(SubjectDomainName, "\\", SubjectUserName), ActorIP="",
ActorServicePrincipal="", TargetResource=Computer,
NewFederationValue=EventData, OldFederationValue="",
IsManagedToFederation=false, IsFederationToManaged=false, CorrelationId="";
union CloudTrustChanges, OnPremTrustChanges
| sort by TimeGenerated descDetects domain trust and federation modifications across both Azure AD / Entra ID (cloud) and on-premises Active Directory. The cloud branch monitors AuditLogs for operations that convert domains to federated authentication, modify existing federation settings, or add new identity providers — all of which enable adversaries to forge SAML tokens or authenticate as arbitrary users. Flags when a domain transitions from Managed to Federated (highest risk). The on-premises branch monitors Windows Security Events 4706 (new trust), 4707 (trust removed), and 4716 (trust modified) which cover traditional AD forest/external trust manipulation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate IT infrastructure changes when merging or integrating company domains during M&A activity
- Planned federation setup by identity team when deploying AD FS or third-party SSO (Okta, Ping Identity) for the first time
- Automated tooling (Azure AD Connect, Microsoft Identity Manager) synchronizing trust configurations as part of hybrid identity management
- Removal of federation trust when decommissioning legacy on-premises AD FS infrastructure in favor of managed authentication
- Test or staging environment domain federation changes performed by authorized identity engineers during pre-production validation
Other platforms for T1484.002
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Current Federation Settings via MSOnline
Expected signal: Azure AD AuditLogs: OperationName='Get domain federation settings' or similar read operation, initiatedBy showing the authenticated UPN. PowerShell ScriptBlock Log Event ID 4104 capturing the Get-MsolDomainFederationSettings command with domain parameter. Sysmon Event ID 1 showing powershell.exe process with MSOnline module loaded.
- Test 2Convert Domain to Federated Authentication via Set-MsolDomainAuthentication
Expected signal: Azure AD AuditLogs: OperationName='Set domain authentication' with Category='DirectoryManagement', Result='success', InitiatedBy.user.userPrincipalName showing the test account, TargetResources[0].displayName='testlab.onmicrosoft.com', modifiedProperties showing oldValue containing 'Managed' and newValue containing 'Federated' along with the adversary IssuerUri. PowerShell ScriptBlock Log Event ID 4104 capturing the full Set-MsolDomainAuthentication command.
- Test 3Create New On-Premises AD Domain Trust (netdom)
Expected signal: Windows Security Event ID 4706 on all domain controllers: SubjectUserName=DomainAdmin, SubjectDomainName=VICTIMCORP, TdoType=2 (External), TdoDomainName=adversarydomain.local, TdoSid showing the SID of the adversary domain, SidFilteringEnabled=Yes (if default). Also generates replication events across the domain.
- Test 4Add Federated Identity Provider to Azure AD via Microsoft Graph API
Expected signal: Azure AD AuditLogs: OperationName='Add identity provider to organization' or 'Create identity provider', Category='DirectoryManagement', Result='success', InitiatedBy showing the authenticating application or user, TargetResources containing the new federation configuration details including the adversary IssuerUri and signing certificate.
References (10)
- https://attack.mitre.org/techniques/T1484/002/
- https://o365blog.com/post/federation-vulnerability/
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
- https://us-cert.cisa.gov/ncas/alerts/aa21-008a
- https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
- https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection
- https://www.sygnia.co/threat-reports-and-advisories/golden-saml-attack/
- https://reinforce.awsevents.com/content/dam/reinforce/2024/slides/TDR432_New-tactics-and-techniques-for-proactive-threat-detection.pdf
- https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365
- https://learn.microsoft.com/en-us/graph/api/resources/federationconfigurations-overview
Unlock Pro Content
Get the full detection package for T1484.002 including response playbook, investigation guide, and atomic red team tests.