New Federated Domain Added

calendar Aug 12, 2024 · attack.persistence attack.t1136.003  ·
Share on: linkedin copy

Detects the addition of a new Federated Domain.

Sigma rule (View on GitHub)

 1title: New Federated Domain Added
 2id: 58f88172-a73d-442b-94c9-95eaed3cbb36
 3related:
 4    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
 5      type: similar
 6status: test
 7description: Detects the addition of a new Federated Domain.
 8references:
 9    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
10    - https://o365blog.com/post/aadbackdoor/
11author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
12date: 2023-09-18
13tags:
14    - attack.persistence
15    - attack.t1136.003
16logsource:
17    service: audit
18    product: m365
19detection:
20    selection_domain:
21        Operation|contains: 'domain'
22    selection_operation:
23        Operation|contains:
24            - 'add'
25            - 'new'
26    condition: all of selection_*
27falsepositives:
28    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
29level: medium

References

  • Detection: O365 New Federated Domain Added

    Updated Date: 2024-05-28 ID: e155876a-6048-11eb-ae93-0242ac130002 Author: Rod Soto, Mauricio Velazco Splunk Type: TTP Product: Splunk Enterprise Security Description The following analytic identifies the addition of a new federated domain in an Office 365 environment. This behavior is detected by analyzing Office 365 management activity logs, specifically filtering for Workload=Exchange and Operation="Add-FederatedDomain". The addition of a new federated domain is significant as it may indicate unauthorized changes or potential compromises. If confirmed malicious, attackers could establish a backdoor, bypass security measures, or exfiltrate data, leading to data breaches and unauthorized access to sensitive information.


    Read More

  • How to create a backdoor to Azure AD - part 1: Identity federation

    On November 2018 Azure AD MFA was down over 12 hours preventing users from logging in to Office 365. Same happened in October 2019 in US data centers. As MFA is usually mandatory for administrators by company policy, they couldn’t log in either. In this blog, I’ll show how to create a backdoor to Azure AD so you can log in and bypass MFA.


    Read More

Related rules

to-top