T1484.002 Splunk · SPL

Detect Trust Modification in Splunk

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. In Microsoft Azure AD / Entra ID environments this includes converting a managed domain to federated authentication and injecting a backdoor signing certificate to forge SAML tokens (Golden SAML) without compromising the original cert. Adversaries may also add entirely new federated identity providers to Okta, AWS IAM Identity Center, or other identity tenants, enabling them to authenticate as any user in the tenant. On-premises Active Directory trust manipulation generates Windows Security Event IDs 4706/4707/4716. Threat actors observed using this technique include Scattered Spider (adding federated IdPs to SSO tenants with automatic account linking), Storm-0501 (creating new federated domains in Microsoft Entra for persistent backdoor), and AADInternals tooling which automates federated domain backdoor creation.

MITRE ATT&CK

Tactic
Defense Evasion Privilege Escalation
Technique
T1484 Domain or Tenant Policy Modification
Sub-technique
T1484.002 Trust Modification
Canonical reference
https://attack.mitre.org/techniques/T1484/002/

SPL Detection Query

Splunk (SPL)
spl 
(
  sourcetype="azure:aad:audit"
  (
    operationName="Set domain authentication"
    OR operationName="Set federation settings on domain"
    OR operationName="Set DomainFederationSettings"
    OR operationName="Add domain to company"
    OR operationName="Add trusted CA for certificate-based auth"
    OR operationName="Update federation settings on domain"
    OR operationName="Add identity provider to organization"
    OR operationName="Set company information"
  )
)
OR
(
  sourcetype="WinEventLog:Security"
  (EventCode=4706 OR EventCode=4707 OR EventCode=4716)
)
| eval Source=case(
    sourcetype="azure:aad:audit", "AzureAD",
    sourcetype="WinEventLog:Security", "OnPremAD",
    "Unknown"
)
| eval EventType=case(
    Source="AzureAD", operationName,
    EventCode=="4706", "New Domain Trust Created",
    EventCode=="4707", "Domain Trust Removed",
    EventCode=="4716", "Trusted Domain Information Modified",
    "Unknown"
)
| eval Actor=case(
    Source="AzureAD", coalesce('initiatedBy.user.userPrincipalName', 'initiatedBy.app.displayName'),
    Source="OnPremAD", SubjectUserName,
    "Unknown"
)
| eval ActorIP=if(Source="AzureAD", 'initiatedBy.user.ipAddress', "N/A")
| eval TargetResource=case(
    Source="AzureAD", 'targetResources{}.displayName',
    Source="OnPremAD", Computer,
    "Unknown"
)
| eval Result=coalesce(result, "N/A")
| eval NewValue=if(Source="AzureAD", 'targetResources{}.modifiedProperties{}.newValue', "N/A")
| eval IsManagedToFederation=if(match(NewValue, "(?i)federated") AND Source="AzureAD", 1, 0)
| eval RiskScore=case(
    IsManagedToFederation=1, 100,
    EventType="New Domain Trust Created", 80,
    EventType="Trusted Domain Information Modified", 70,
    EventType="Domain Trust Removed", 60,
    Source="AzureAD", 75,
    1=1, 50
)
| table _time, Source, EventType, Actor, ActorIP, TargetResource, Result, NewValue, IsManagedToFederation, RiskScore
| sort - _time
critical severity high confidence

Detects domain trust and federation modifications from both Azure AD audit logs (via Splunk Add-on for Microsoft Cloud Services, sourcetype=azure:aad:audit) and on-premises Windows Security Event Log. Computes a risk score based on the severity of the change: managed-to-federated domain conversion (100) is the highest risk as it enables Golden SAML attacks; on-prem trust creation (80) and modification (70) indicate AD forest boundary changes. IsManagedToFederation flag specifically highlights domain authentication type changes from managed to federated, the primary indicator of an AADInternals-style backdoor.

Data Sources

Azure AD Audit Logs (azure:aad:audit)Windows Security Event LogActive Directory Trust Events

Required Sourcetypes

azure:aad:auditWinEventLog:Security

False Positives & Tuning

  • Authorized identity team deploying AD FS or SAML federation for the first time — expect a single managed-to-federated event per domain
  • M&A integration work establishing cross-forest trust relationships between acquiring and acquired company domains
  • Automated Azure AD Connect synchronization tasks that periodically update federation metadata or refresh token-signing certificates
  • Decommission activities that remove existing federation trusts when migrating from AD FS to Entra ID managed authentication
  • Penetration testing or red team exercises with pre-authorized scope covering identity infrastructure
Download portable Sigma rule (.yml)

Other platforms for T1484.002

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Current Federation Settings via MSOnline

    Expected signal: Azure AD AuditLogs: OperationName='Get domain federation settings' or similar read operation, initiatedBy showing the authenticated UPN. PowerShell ScriptBlock Log Event ID 4104 capturing the Get-MsolDomainFederationSettings command with domain parameter. Sysmon Event ID 1 showing powershell.exe process with MSOnline module loaded.

  2. Test 2Convert Domain to Federated Authentication via Set-MsolDomainAuthentication

    Expected signal: Azure AD AuditLogs: OperationName='Set domain authentication' with Category='DirectoryManagement', Result='success', InitiatedBy.user.userPrincipalName showing the test account, TargetResources[0].displayName='testlab.onmicrosoft.com', modifiedProperties showing oldValue containing 'Managed' and newValue containing 'Federated' along with the adversary IssuerUri. PowerShell ScriptBlock Log Event ID 4104 capturing the full Set-MsolDomainAuthentication command.

  3. Test 3Create New On-Premises AD Domain Trust (netdom)

    Expected signal: Windows Security Event ID 4706 on all domain controllers: SubjectUserName=DomainAdmin, SubjectDomainName=VICTIMCORP, TdoType=2 (External), TdoDomainName=adversarydomain.local, TdoSid showing the SID of the adversary domain, SidFilteringEnabled=Yes (if default). Also generates replication events across the domain.

  4. Test 4Add Federated Identity Provider to Azure AD via Microsoft Graph API

    Expected signal: Azure AD AuditLogs: OperationName='Add identity provider to organization' or 'Create identity provider', Category='DirectoryManagement', Result='success', InitiatedBy showing the authenticating application or user, TargetResources containing the new federation configuration details including the adversary IssuerUri and signing certificate.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1484.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1484Domain or Tenant Policy Modification

Related Sub-techniques

T1484.001Group Policy Modification

Related Techniques

T1606.002SAML TokensT1550.001Application Access TokenT1078.004Cloud AccountsT1484.001Group Policy ModificationT1556.006Multi-Factor AuthenticationT1098.001Additional Cloud CredentialsT1098.003Additional Cloud RolesT1528Steal Application Access TokenT1552.001Credentials In FilesT1059.001PowerShell

Same Tactic: Defense Evasion

Popular Detections