This hypothesis detects potential adversary behavior involving the modification of federation trust settings or transitioning a domain to federated authentication, which could indicate an attempt to establish unauthorized access or exfiltration pathways. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary activity that could compromise domain trust relationships.
KQL Query
let auditLookback = 1d;
(union isfuzzy=true
(
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
),
(
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set domain authentication."
| extend modifiedProperties = parse_json(RawEventData).ModifiedProperties
| mvexpand modifiedProperties
| extend newDomainValue=tostring(parse_json(modifiedProperties).NewValue)
| where newDomainValue has "Federated"
)
)
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| extend targetDisplayName = parse_json(RawEventData).Target[0].ID
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent
id: 8b55db72-9ece-4e93-b551-cd7eb7355104
name: ADFSDomainTrustMods[Nobelium]
description: |
This query will find when federation trust settings are changed for a domain or when the domain is changed from managed to federated authentication. Results will relate to when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added.
Modification to domain federation settings should be rare, so confirm the added or modified target domain/URL is legitimate administrative behavior.
The actor, Nobelium, was observed modifying domain trust settings to subvert existing mechanisms and cause the domain to accept authorization tokens signed with actor-owned certificates. See Customer Guidance on Recent Nation-State Cyber Attacks.
To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see Update or repair the settings of a federated domain in Office 365, Azure, or Intune.
For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: 3.2.5.1.2.4 Security Realm Data.
For further information on AuditLogs, please see Microsoft Entra ID audit activity reference.
This query is inspired by an Azure Sentinal detection.
References:
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365
https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b
https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- CloudAppEvents
tactics:
- Defense evasion
tags:
- Nobelium
query: |
let auditLookback = 1d;
(union isfuzzy=true
(
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set federation settings on domain."
),
(
CloudAppEvents
| where Timestamp > ago(auditLookback)
| where ActionType =~ "Set domain authentication."
| extend modifiedProperties = parse_json(RawEventData).ModifiedProperties
| mvexpand modifiedProperties
| extend newDomainValue=tostring(parse_json(modifiedProperties).NewValue)
| where newDomainValue has "Federated"
)
)
| extend resultStatus = extractjson("$.ResultStatus", tostring(RawEventData), typeof(string))
| extend targetDisplayName = parse_json(RawEventData).Target[0].ID
| project Timestamp, ActionType, InitiatingUserOrApp=AccountDisplayName, targetDisplayName, resultStatus, InitiatingIPAddress=IPAddress, UserAgent
| Sentinel Table | Notes |
|---|---|
CloudAppEvents | Ensure this data connector is enabled |
Scenario: Scheduled Federation Trust Maintenance Job
Description: A legitimate scheduled job runs to update federation trust settings as part of routine maintenance or configuration changes.
Filter/Exclusion: EventID != 4663 or EventID == 4663 AND SourceName != "Microsoft Federation Gateway"
Scenario: Admin Task to Switch Authentication Method
Description: An administrator manually changes the authentication method of a domain from managed to federated as part of an identity migration or hybrid setup.
Filter/Exclusion: EventID == 4663 AND TargetDomain != "example.com" (replace with actual domain name)
Scenario: Active Directory Sync Tool Configuration Update
Description: A tool like Azure AD Connect is used to synchronize domain settings, which may trigger changes in federation trust configurations.
Filter/Exclusion: EventID == 4663 AND SourceName == "Azure AD Connect"
Scenario: Domain Rename During Migration
Description: A domain is renamed during a migration process, which can cause the system to log changes in federation trust settings.
Filter/Exclusion: EventID == 4663 AND OldDomainName != "old.domain.com" (replace with actual old domain name)
Scenario: Third-Party Identity Provider Configuration
Description: A third-party identity provider (e.g., Okta, Ping Identity) is integrated with the domain, which may involve changes to federation trust settings.
Filter/Exclusion: EventID == 4663 AND SourceName == "Okta" OR SourceName == "Ping Identity"