New Federated Domain Added
Detects the addition of a new Federated Domain.
Sigma rule:

```yaml
title: New Federated Domain Added
id: 58f88172-a73d-442b-94c9-95eaed3cbb36
related:
    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
      type: similar
status: test
description: Detects the addition of a new Federated Domain.
references:
    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
    - https://o365blog.com/post/aadbackdoor/
author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
date: 2023-09-18
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1484.002
logsource:
    service: audit
    product: m365
detection:
    selection_domain:
        Operation|contains: 'domain'
    selection_operation:
        Operation|contains:
            - 'add'
            - 'new'
    condition: all of selection_*
falsepositives:
    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
level: medium
```
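As an added example (not code from the Sigma project or the rule author), the detection block above evaluated in Python over constructed M365 audit records, showing which `Operation` strings the two case-insensitive `contains` selections catch and which slip past; the sample records and operation names are constructed for illustration.

```python
import json

# Detection block of the rule above, as a dict; condition is 'all of selection_*'.
DETECTION = {
    "selection_domain": {"Operation|contains": "domain"},
    "selection_operation": {"Operation|contains": ["add", "new"]},
}

def _field_matches(record, key, needles):
    """Apply one 'Field|modifier: value(s)' pair; values in a list are ORed."""
    field, _, modifier = key.partition("|")
    value = str(record.get(field, "")).lower()
    needles = [needles] if isinstance(needles, str) else needles
    if modifier == "contains":
        # Sigma string matching is case-insensitive by default
        return any(str(n).lower() in value for n in needles)
    return any(value == str(n).lower() for n in needles)

def _selection_matches(record, selection):
    # Key/value pairs inside one selection are ANDed
    return all(_field_matches(record, k, v) for k, v in selection.items())

def rule_matches(record):
    # 'all of selection_*': every selection must match the record
    return all(_selection_matches(record, sel) for sel in DETECTION.values())

# Constructed records in the shape of M365 unified audit log JSON (sample values)
SAMPLE_EVENTS = [
    {"Operation": "Add-FederatedDomain", "UserId": "admin@contoso.example"},
    {"Operation": "Remove-FederatedDomain", "UserId": "admin@contoso.example"},
    {"Operation": "Set-AcceptedDomain", "UserId": "admin@contoso.example"},
    {"Operation": "New-AcceptedDomain", "UserId": "admin@contoso.example"},
    {"Operation": "Add domain to company.", "UserId": "admin@contoso.example"},
    {"Operation": "UserLoggedIn", "UserId": "alice@contoso.example"},
]

def triage(events):
    """Return the Operation names of the records the rule fires on."""
    return [e["Operation"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    # Shows that the rule also fires on accepted-domain and plain verified-domain
    # additions, which is where the falsepositives note applies
    for event in SAMPLE_EVENTS:
        print(json.dumps(event), "->", rule_matches(event))
```

Removal or modification of a federated domain does not match, since neither 'add' nor 'new' appears in those operation names; pair this rule with its related rule if that coverage is wanted.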