New Federated Domain Added - Exchange

calendar Oct 12, 2023 · attack.persistence attack.t1136.003  ·
Share on: linkedin copy

Detects the addition of a new Federated Domain.

Sigma rule (View on GitHub)

 1title: New Federated Domain Added - Exchange
 2id: 42127bdd-9133-474f-a6f1-97b6c08a4339
 3related:
 4    - id: 58f88172-a73d-442b-94c9-95eaed3cbb36
 5      type: similar
 6status: test
 7description: Detects the addition of a new Federated Domain.
 8references:
 9    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf
10    - https://us-cert.cisa.gov/ncas/alerts/aa21-008a
11    - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
12    - https://www.sygnia.co/golden-saml-advisory
13    - https://o365blog.com/post/aadbackdoor/
14author: Splunk Threat Research Team (original rule), '@ionsor (rule)'
15date: 2022/02/08
16tags:
17    - attack.persistence
18    - attack.t1136.003
19logsource:
20    service: exchange
21    product: m365
22detection:
23    selection:
24        eventSource: Exchange
25        eventName: 'Add-FederatedDomain'
26        status: success
27    condition: selection
28falsepositives:
29    - The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
30level: medium

References

Related rules

to-top