AZT507.3 - External Entity Access: Domain Trust Modification

An adversary may add an additional identity provider or domain to maintain a backdoor into the tenant.

Resource

AzureAD

Actions

• N/A

Examples

Detections

Detection Details

Monitor the 'Pass-through Authentication' page in the Azure portal. Azure AD Connect > Pass-through Authentication

Additional Resources

• https://o365blog.com/post/aadbackdoor/

• https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors

• https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Defense%20evasion/ADFSDomainTrustMods%5BNobelium%5D.yaml