T1484.002 Domain Trust Modification
Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.3 These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge SAML Tokens, without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. An adversary may also convert a domain to a federated domain, which may enable malicious trust modifications such as altering the claim issuance rules to log in any valid set of credentials as a specified user.2
| Item | Value |
|---|---|
| ID | T1484.002 |
| Sub-techniques | T1484.001, T1484.002 |
| Tactics | TA0005, TA0004 |
| Platforms | Azure AD, Windows |
| Permissions required | Administrator |
| Version | 1.1 |
| Created | 28 December 2020 |
| Last Modified | 21 October 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0677 | AADInternals | AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.78 |
| C0024 | SolarWinds Compromise | During the SolarWinds Compromise, APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.109 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management | Use the principal of least privilege and protect administrative access to domain trusts. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0026 | Active Directory | Active Directory Object Creation |
| DS0017 | Command | Command Execution |
References
-
CISA. (2021, January 8). Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments. Retrieved January 8, 2021. ↩
-
Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved September 28, 2022. ↩
-
Microsoft. (2018, November 28). What is federation with Azure AD?. Retrieved December 30, 2020. ↩
-
Microsoft. (2020, December). Azure Sentinel Detections. Retrieved December 30, 2020. ↩
-
Microsoft. (2020, September 14). Update or repair the settings of a federated domain in Office 365, Azure, or Intune. Retrieved December 30, 2020. ↩
-
Sygnia. (2020, December). Detection and Hunting of Golden SAML Attack. Retrieved January 6, 2021. ↩
-
Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. ↩
-
Dr. Nestori Syynimaa.. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022. ↩
-
Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. ↩
-
Secureworks CTU. (n.d.). IRON RITUAL. Retrieved February 24, 2022. ↩