Azure AD Custom Domain Addition for Persistence
Detection of a new custom domain addition in Azure AD audit logs, potentially indicating an attacker establishing persistence via identity federation backdoors for unauthorized access and privilege escalation.
The addition of a new custom domain in Azure Active Directory (AD) can be a critical indicator of malicious activity. Attackers may add unverified domains to establish persistence through identity federation backdoors. This allows them to impersonate legitimate users, bypass multi-factor authentication, and maintain a foothold within the Azure AD environment. This technique is particularly relevant in scenarios where an attacker has already gained initial access and is looking to deepen their presence and control within the organization's cloud infrastructure. The activity is detected by monitoring Azure AD AuditLogs for successful "Add unverified domain" operations. Defenders should be aware of this technique to quickly identify and remediate unauthorized domain additions that could lead to significant security breaches. The references highlight APT29 as a potential actor abusing this technique.
Attack Chain
- Initial Compromise: The attacker gains initial access to an Azure AD account through credential phishing, brute-force attacks, or exploiting a vulnerability.
- Privilege Escalation: The attacker escalates privileges within the compromised Azure AD account, potentially using techniques like exploiting misconfigured roles or permissions.
- Domain Discovery: The attacker enumerates existing domains within the Azure AD tenant to understand the current configuration.
- Add Unverified Domain: The attacker adds a new, unverified custom domain to the Azure AD tenant using the "Add unverified domain" operation.
- Identity Federation Setup: The attacker configures identity federation between the newly added domain and the Azure AD tenant to establish a backdoor.
- Account Impersonation: The attacker impersonates legitimate users within the Azure AD environment, leveraging the newly established federation.
- Data Access and Exfiltration: The attacker gains unauthorized access to sensitive data and exfiltrates it from the Azure AD environment.
- Persistence: The attacker maintains long-term access to the environment through the federated domain, even if initial access is revoked.
Impact
Successful addition of a malicious custom domain can have severe consequences, including unauthorized access to sensitive data, privilege escalation, and long-term persistence within the Azure AD environment. This can lead to significant data breaches, financial losses, and reputational damage. Organizations in various sectors, including government, finance, and healthcare, are potential targets. If left undetected, attackers can maintain access for extended periods, potentially exfiltrating large volumes of sensitive data. Mandiant has documented real-world cases of APT29 using this technique.
Recommendation
- Deploy the Sigma rule
Azure AD New Custom Domain Addedto your SIEM and tune for your environment to detect unauthorized domain additions usingoperationName="Add unverified domain"andproperties.result=success. - Enable and monitor Azure AD AuditLogs for all domain-related activities, focusing on "Add unverified domain" operations as described in the
data_sourcefield. - Review and restrict Azure AD roles and permissions to minimize the attack surface for privilege escalation, preventing attackers from adding new domains.
- Investigate any alerts triggered by the Sigma rule by reviewing the
dest,user,src,vendor_account,vendor_product,user_agent,domain, andsignaturefields in the logs. - Regularly review and validate all configured custom domains in Azure AD to identify and remove any unauthorized or suspicious domains as referenced in https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-manage.
Detection coverage 2
Azure AD New Custom Domain Added
highDetects the addition of a new custom domain in Azure AD, which may indicate malicious persistence attempts.
Azure AD Domain Additions by New Users
mediumDetects Azure AD domain additions performed by users who have recently appeared in logs, potentially indicating compromised accounts.
Detection queries are available on the platform. Get full rules →