[New Rule] Azure Modify Trusted Domains

[bm11100]

Description

Hardening Strategies for Microsoft 365 to Defend Against UNC2452 - thanks to @dstepanic17 for sharing the whitepaper.

The Azure AD Audit log and Unified Audit log records when a domain is configured for federated authentication and the modification of federated realm objects. In most organizations, domain federation settings will be updated infrequently. Organizations should create rules to alert on the log events generated by these activities and audit them to ensure they are legitimate.

Required Info

• Eventing Sources:

• Target Operating Systems:

• Platforms

• Target ECS Version: x.x.x
• New fields required in ECS for this?
• Related issues or PRs

Optional Info

• References:
  https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf

Example Data

“Operation”: “Set domain authentication.”
“Operation”: “Set federation settings on domain.”

[austinsonger]

Detection Command Line:

process.args : (*Update-MSOLFederatedDomain* OR *Update-MSOLFederatedDomain*)

OperationName

azure.auditlogs.operation_name : (“Set domain authentication.” OR “Set federation settings on domain.”)

Fields:

• userPrincipalName
• OperationName

MITRE

Tactic	Technique ID	Technique Name	Sub-Technique Name
Privilege Escalation	T1484.002	Domain Policy Modification	Domain Trust Modification
Privilege Escalation	T1134	Access Token Manipulation

[botelastic]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.