Technique on mitre.org

T1484.002: Trust Modification

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources. These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating these trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, in Microsoft Active Directory (AD) environments, this may be used to forge SAML Tokens without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert an AD domain to a federated domain using Active Directory Federation Services (AD FS), which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.

An adversary may also add a new federated identity provider to an identity tenant such as Okta, which may enable the adversary to authenticate as any user of the tenant.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

microsoft_exchange: PT-CR-2351: Exchange_Remove_Federation_Trust: A user deleted a federation trust from an Exchange organization. This could be an attacker's attempt to disrupt availability of system and network resources.

Detection

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that updates domain authentication from Managed to Federated via ActionTypes Set federation settings on domain and Set domain authentication. Monitor for PowerShell commands such as: Update-MSOLFederatedDomain –DomainName: "Federated Domain Name", or Update-MSOLFederatedDomain –DomainName: "Federated Domain Name" –supportmultipledomain.

IDDS0015Data source and componentApplication Log: Application Log ContentDescription

Monitor changes to cloud-based directory services and identity tenants, especially regarding the addition of new federated identity providers. In Okta environments, the event system.idp.lifecycle.create will trigger on the creation of an identity provider, while sign-ins from a third-party identity provider will create the event user.authentication.auth_via_IDP.

IDDS0026Data source and componentActive Directory: Active Directory Object ModificationDescription

Monitor for changes made to AD settings for unexpected modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain.

IDDS0026Data source and componentActive Directory: Active Directory Object CreationDescription

Monitor for newly constructed active directory objects, such as Windows EID 5137.

Mitigation

IDM1026NamePrivileged Account ManagementDescription

Use the principal of least privilege and protect administrative access to domain trusts and identity tenants.