DET0458 Detection of Trust Relationship Modifications in Domain or Tenant Policies
| Item | Value |
|---|---|
| ID | DET0458 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1484.002 (Trust Modification)
Analytics
Windows
AN1259
Adversary modifies Active Directory domain trust settings via netdom, nltest, or PowerShell to add a new domain trust or alter federation. The modifications land in AD object attributes such as trustDirection, trustType, and trustAttributes, and are often paired with SeEnableDelegationPrivilege or certificate injection.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ObjectType | Focus on trustedDomain or foreignSecurityPrincipal AD objects in trust containers. |
| AttributeModified | Monitor attributes like trustPartner, trustDirection, trustType, msDS-TrustForestTrustInfo. |
| TimeWindow | Correlate trust creation with unusual logon events or certificate modifications. |
| UserContext | Flag rare accounts or non-standard admin users performing trust changes. |
Identity Provider
AN1260
Adversary adds a federated identity provider (IdP) or switches tenant domain authentication from Managed to Federated. The change is made via API, PowerShell, or the Admin Portal and surfaces as federation events such as Set domain authentication, Add federated identity provider, or Update-MsolFederatedDomain.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| OperationName | Identify rare trust-modification operations (SetDomainAuthentication, Update-MsolFederatedDomain). |
| InitiatedBy | Flag federated trust changes performed by unknown users, service principals, or tokens. |
| UserAgent | Separate scripted/API interactions from GUI-based administrative changes. |
| TimeWindow | Correlate trust change to federated login or SAML token injection within short window. |
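The AN1260 mutable elements (OperationName, InitiatedBy, UserAgent, TimeWindow) as one detection pass over constructed tenant audit and sign-in records; this is an added illustration, not MITRE's or any vendor's code, and the record field names, the admin allowlist, and the 30-minute window are assumptions.

```python
"""Flag tenant federation (trust) changes and correlate them with follow-on federated sign-ins."""
from datetime import datetime, timedelta

# Operation names AN1260 treats as trust-modification events.
TRUST_OPERATIONS = {"Set domain authentication", "SetDomainAuthentication",
                    "Add federated identity provider", "Update-MsolFederatedDomain"}
# Assumed allowlist of identities expected to change federation settings.
KNOWN_ADMINS = {"idadmin@corp.example"}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def is_scripted(user_agent: str) -> bool:
    """Crude split: browser-based portal sessions vs. scripted/API clients."""
    ua = user_agent.lower()
    return not ua.startswith("mozilla/") or "powershell" in ua


def detect_trust_changes(audit, signins):
    """Return one alert per trust-modification event that is rare (unknown initiator
    or scripted client) or is followed by a federated sign-in within WINDOW."""
    alerts = []
    for ev in audit:
        if ev["operationName"] not in TRUST_OPERATIONS:
            continue
        reasons = []
        if ev["initiatedBy"] not in KNOWN_ADMINS:
            reasons.append("unknown initiator")
        if is_scripted(ev["userAgent"]):
            reasons.append("scripted/API client")
        t0 = datetime.fromisoformat(ev["time"])
        followups = [s for s in signins
                     if s["domain"] == ev["targetDomain"] and s["authMethod"] == "federated"
                     and t0 <= datetime.fromisoformat(s["time"]) <= t0 + WINDOW]
        if reasons or followups:
            alerts.append({"op": ev["operationName"], "who": ev["initiatedBy"],
                           "reasons": reasons, "followup_signins": len(followups)})
    return alerts


# Constructed sample records (not real tenant data).
AUDIT = [
    {"time": "2025-10-21T09:00:00", "operationName": "Set domain authentication",
     "initiatedBy": "idadmin@corp.example", "userAgent": "Mozilla/5.0 (Windows NT 10.0)",
     "targetDomain": "corp.example"},
    {"time": "2025-10-21T13:05:00", "operationName": "Add federated identity provider",
     "initiatedBy": "svc-backup@corp.example", "userAgent": "AzureAD-PowerShell/2.0",
     "targetDomain": "corp.example"},
]
SIGNINS = [{"time": "2025-10-21T13:12:00", "domain": "corp.example",
            "authMethod": "federated", "user": "ceo@corp.example"}]
```

The first record (known admin, browser, no sign-in inside the window) produces nothing, while the second trips all three signals at once.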