New Federated Domain Added - Exchange

 1title: New Federated Domain Added - Exchange
 2id: 42127bdd-9133-474f-a6f1-97b6c08a4339
 3related:
 4    - id: 58f88172-a73d-442b-94c9-95eaed3cbb36
 5      type: similar
 6status: test
 7description: Detects the addition of a new Federated Domain.
 8references:
 9    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
10    - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
11    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
12    - https://www.sygnia.co/golden-saml-advisory
13    - https://o365blog.com/post/aadbackdoor/
14author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
15date: 2022-02-08
16tags:
17    - attack.persistence
18    - attack.t1136.003
19logsource:
20    service: exchange
21    product: m365
22detection:
23    selection:
24        eventSource: Exchange
25        eventName: 'Add-FederatedDomain'
26        status: success
27    condition: selection
28falsepositives:
29    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
30level: medium

References

• https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf

  
  Read More

• Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments | CISA

  Summary This Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise for all referenced threat actor tactics and techniques....

  
  Read More

• A Golden SAML Journey: SolarWinds Continued | Splunk

  

  The SolarWinds Orion compromise resulted in the first recorded use of Golden SAML in the wild. Learn how you can start detecting this in Splunk now.

  
  Read More

• https://www.sygnia.co/golden-saml-advisory

  
  Read More

• How to create a backdoor to Azure AD - part 1: Identity federation

  

  On November 2018 Azure AD MFA was down over 12 hours preventing users from logging in to Office 365. Same happened in October 2019 in US data centers. As MFA is usually mandatory for administrators by company policy, they couldn’t log in either. In this blog, I’ll show how to create a backdoor to Azure AD so you can log in and bypass MFA.

  
  Read More

Related rules

• AWS ElastiCache Security Group Created
• New Federated Domain Added
• New Github Organization Member Added
• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group