detection-rules
[New Rule] Azure Modify Trusted Domains
Description
Hardening Strategies for Microsoft 365 to Defend Against UNC2452 - thanks to @dstepanic17 for sharing the whitepaper.
The Azure AD Audit log and Unified Audit log records when a domain is configured for federated authentication and the modification of federated realm objects. In most organizations, domain federation settings will be updated infrequently. Organizations should create rules to alert on the log events generated by these activities and audit them to ensure they are legitimate.
Required Info
- Eventing Sources:
- Target Operating Systems:
- Platforms
- Target ECS Version: x.x.x
- New fields required in ECS for this?
- Related issues or PRs
Optional Info
- References: https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf
Example Data
"Operation": "Set domain authentication."
"Operation": "Set federation settings on domain."
Detection Command Line:
process.args : *Update-MSOLFederatedDomain*
OperationName
azure.auditlogs.operation_name : ("Set domain authentication." OR "Set federation settings on domain.")
Fields:
- userPrincipalName
- OperationName
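The two detection clauses above, run over a handful of constructed sample events, as an added example (this is not code from the detection-rules project or from the issue author). The operation names and the `Update-MSOLFederatedDomain` cmdlet are the ones listed in the issue; the event shape, the `azure.auditlogs.properties.initiated_by.user.userPrincipalName` path used to recover the actor, and all sample records are assumptions made for the example and are not real telemetry.

```python
import json

# Azure AD audit operation names quoted in the issue. Note the trailing
# periods: they are part of the real operation name and a match without
# them will silently miss the event.
FEDERATION_OPERATIONS = {
    "Set domain authentication.",
    "Set federation settings on domain.",
}

# MSOnline cmdlet named in the issue's process.args clause, matched
# case-insensitively because PowerShell cmdlet names are not case-sensitive.
FEDERATION_CMDLETS = ("update-msolfederateddomain",)

# Constructed sample events in an ECS-like shape (assumption: field paths
# follow the Elastic Azure integration; the UPN path is an assumption).
SAMPLE_EVENTS = [
    json.dumps({
        "event": {"dataset": "azure.auditlogs"},
        "azure": {"auditlogs": {
            "operation_name": "Set federation settings on domain.",
            "properties": {"initiated_by": {"user": {
                "userPrincipalName": "admin@example.com"}}}}},
    }),
    json.dumps({
        "event": {"dataset": "azure.auditlogs"},
        "azure": {"auditlogs": {
            "operation_name": "Add user.",
            "properties": {"initiated_by": {"user": {
                "userPrincipalName": "helpdesk@example.com"}}}}},
    }),
    json.dumps({
        "event": {"dataset": "azure.auditlogs"},
        "azure": {"auditlogs": {
            "operation_name": "Set domain authentication.",
            "properties": {"initiated_by": {"user": {
                "userPrincipalName": "svc-sync@example.com"}}}}},
    }),
    json.dumps({
        "event": {"category": "process"},
        "user": {"name": "CORP\\jdoe"},
        "process": {"args": ["powershell.exe", "-Command",
                             "update-MsolFederatedDomain -DomainName corp.example.com"]},
    }),
    json.dumps({
        "event": {"category": "process"},
        "user": {"name": "CORP\\jdoe"},
        "process": {"args": ["powershell.exe", "-Command", "Get-MsolDomain"]},
    }),
]


def _get(event, path):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def match_federation_changes(raw_events):
    """Return one hit per event that matches either clause from the issue."""
    hits = []
    for raw in raw_events:
        ev = json.loads(raw)

        # Clause 1: Azure AD audit log operation name (exact match, periods included).
        op = _get(ev, "azure.auditlogs.operation_name")
        if op in FEDERATION_OPERATIONS:
            hits.append({
                "source": "azure.auditlogs",
                "user": _get(ev, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"),
                "detail": op,
            })
            continue

        # Clause 2: federation cmdlet anywhere in the process command line.
        args = _get(ev, "process.args") or []
        joined = " ".join(args)
        if any(c in joined.lower() for c in FEDERATION_CMDLETS):
            hits.append({"source": "process", "user": _get(ev, "user.name"), "detail": joined})
    return hits


if __name__ == "__main__":
    for hit in match_federation_changes(SAMPLE_EVENTS):
        print(f"[{hit['source']}] {hit['user']}: {hit['detail']}")
```

Because federation settings change rarely, every hit is worth a manual check against change records; the value of the rule is in the low volume, so resist the temptation to suppress on service accounts such as the directory-sync identity, which is exactly the kind of principal an attacker with Global Administrator rights would reuse.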
MITRE
| Tactic | Technique ID | Technique Name | Sub-Technique Name |
|---|---|---|---|
| Privilege Escalation | T1484.002 | Domain Policy Modification | Domain Trust Modification |
| Privilege Escalation | T1134 | Access Token Manipulation | |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.