Microsoft 365 - Modification of Trusted Domain

azure

Classification:

attack

Tactic:

TA0005-defense-evasion

Technique:

T1562-impair-defenses

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detects when a user creates or modifies a trusted domain object in Microsoft 365.

Strategy

Monitor Azure AD Audit logs for the following @evt.name:

  • Set federation settings on domain
  • Set domain authentication

Monitor Microsoft 365 Audit logs for the following @evt.name:

  • Set federation settings on domain.
  • Set domain authentication.

An attacker can create a new attacker-controlled domain as federated or modify the existing federation settings for a domain by configuring a new, secondary signing certificate. Both of these techniques would allow the attacker to authenticate as any user bypassing authentication requirements like a valid password or MFA.

Triage and response

  1. Determine if {{@usr.id}} should have made a {{@evt.name}} API call.
  2. If the API call was not made by the user:
    • Remove the suspicious domain or settings.
    • Begin your organization’s Incident Response (IR) process.
  3. If the API call was made by the user:
    • Ensure the change was authorized.