title: Trust Modification (T1484.002)
id: df00tech-t1484-002
status: experimental
description: "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges. In Microsoft Azure AD / Entra ID environments this includes converting a managed domain to federated authentication and injecting a backdoor signing certificate that can forge SAML tokens (Golden SAML) without compromising the original certificate. Adversaries may also add entirely new federated identity providers to Okta, AWS IAM Identity Center, or other identity tenants, enabling them to authenticate as any user in the tenant. On-premises Active Directory trust manipulation generates Windows Security Event IDs 4706/4707/4716. Threat actors observed using this technique include Scattered Spider (adding federated IdPs to SSO tenants with automatic account linking) and Storm-0501 (creating new federated domains in Microsoft Entra as a persistent backdoor); the AADInternals toolkit automates federated domain backdoor creation."
references:
  - https://attack.mitre.org/techniques/T1484/002/
  - https://df00tech.com/detections/T1484.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1484.002
# NOTE: logsource is auto-derived (Azure only) and may need adjustment for your environment.
# On-premises Active Directory trust changes surface in Windows Security Event IDs 4706/4707/4716
# and require a separate rule with a windows/security logsource.
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder that matches every event in the log source and must be
  # replaced with the real query before the rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate IT infrastructure changes when merging or integrating company domains during M&A activity"
  - "Planned federation setup by identity team when deploying AD FS or third-party SSO (Okta, Ping Identity) for the first time"
  - "Automated tooling (Azure AD Connect, Microsoft Identity Manager) synchronizing trust configurations as part of hybrid identity management"
  - "Removal of federation trust when decommissioning legacy on-premises AD FS infrastructure in favor of managed authentication"
  - "Test or staging environment domain federation changes performed by authorized identity engineers during pre-production validation"
level: critical
