New Federated Domain Added

 1title: New Federated Domain Added
 2id: 58f88172-a73d-442b-94c9-95eaed3cbb36
 3related:
 4    - id: 42127bdd-9133-474f-a6f1-97b6c08a4339
 5      type: similar
 6status: experimental
 7description: Detects the addition of a new Federated Domain.
 8references:
 9    - https://research.splunk.com/cloud/e155876a-6048-11eb-ae93-0242ac130002/
10    - https://o365blog.com/post/aadbackdoor/
11author: Splunk Threat Research Team (original rule), Harjot Singh @cyb3rjy0t (sigma rule)
12date: 2023/09/18
13tags:
14    - attack.persistence
15    - attack.t1136.003
16logsource:
17    service: audit
18    product: m365
19detection:
20    selection_domain:
21        Operation|contains: 'domain'
22    selection_operation:
23        Operation|contains:
24            - 'add'
25            - 'new'
26    condition: all of selection_*
27falsepositives:
28    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
29level: medium

References

• O365 New Federated Domain Added

  Cloud Account, Create Account

  
  Read More

• How to create a backdoor to Azure AD - part 1: Identity federation

  

  On November 2018 Azure AD MFA was down over 12 hours preventing users from logging in to Office 365. Same happened in October 2019 in US data centers. As MFA is usually mandatory for administrators by company policy, they couldn’t log in either. In this blog, I’ll show how to create a backdoor to Azure AD so you can log in and bypass MFA.

  
  Read More

Related rules

• AWS ElastiCache Security Group Created
• New Federated Domain Added - Exchange
• AWS IAM Backdoor Users Keys
• AWS Identity Center Identity Provider Change
• AWS Route 53 Domain Transfer Lock Disabled