EXPLORE

← Back to Explore

T1484.002

Trust Modification

Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise change the configuration of trust relationships between domains and tenants to evade defenses and/or elevate privileges.Trust details, such as whether or not user identities are federated, allow authentication and authorization properties to apply between domains or tenants for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include ac...

Identity ProviderWindows

14

Detections

4

Sources

2

Threat Actors

BY SOURCE

9elastic3splunk_escu1kql1sigma

PROCEDURES (8)

General Monitoring4 detections

Auto-extracted: 4 detections for general monitoring

Token2 detections

Auto-extracted: 2 detections for token

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Service2 detections

Auto-extracted: 2 detections for service

Azure1 detections

Auto-extracted: 1 detections for azure

Aws1 detections

Auto-extracted: 1 detections for aws

Api1 detections

Auto-extracted: 1 detections for api

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

THREAT ACTORS (2)

Scattered Spider Storm-0501

DETECTIONS (14)

Attempt to Deactivate an Okta Network Zone

AWS IAM OIDC Provider Created by Rare User

AWS IAM SAML Provider Created

AWS IAM SAML Provider Updated

Azure AD New Custom Domain Added

Azure AD New Federated Domain Added

Domain Added to Google Workspace Trusted Domains

Domain federation trust settings modified

Entra ID Domain Federation Configuration Change

Entra ID Federated Identity Credential Issuer Modified

M365 Exchange Federated Domain Created or Modified

New Federated Domain Added

New Okta Identity Provider (IdP) Added by Admin

O365 Cross-Tenant Access Change