{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/domain-federation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Entra ID"],"_cs_severities":["high"],"_cs_tags":["azure","entra-id","domain-federation","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of malicious domain federation modifications within Microsoft Entra ID tenants. Attackers who have obtained Global Administrator or Domain Administrator privileges can exploit this functionality to establish persistent access. This involves adding a custom domain, verifying its ownership, and then configuring it to federate authentication with an identity provider controlled by the attacker. Once successfully federated, the attacker can forge SAML or WS-Federation tokens. This enables them to authenticate as any user within the compromised domain, effectively bypassing multi-factor authentication (MFA) and conditional access policies. This technique, known as Golden SAML, has been observed in campaigns such as the SolarWinds attack attributed to UNC2452 (APT29). Defenders must monitor for unauthorized domain federation activities to prevent persistent compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access and escalates privileges to either Global Administrator or Domain Administrator within the Entra ID tenant.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdd Unverified Domain:\u003c/strong\u003e The attacker adds a custom domain to the Entra ID tenant using the Microsoft Graph API, which is initially in an unverified state.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVerify Domain Ownership:\u003c/strong\u003e The attacker verifies ownership of the newly added domain, often by adding a DNS TXT record.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSet Domain Authentication:\u003c/strong\u003e The attacker sets the domain authentication type to federated using the \u003ccode\u003eSet domain authentication\u003c/code\u003e action. This action initiates the domain federation process.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSet Federation Settings:\u003c/strong\u003e The attacker configures federation settings on the domain, pointing to an attacker-controlled identity provider (IdP). The \u003ccode\u003eSet federation settings on domain\u003c/code\u003e event will correlate to the \u0026quot;Set domain authentication\u0026quot; via the \u003ccode\u003ecorrelation_id\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eToken Forgery:\u003c/strong\u003e The attacker forges SAML or WS-Federation tokens using the attacker-controlled IdP to impersonate any user within the federated domain.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Resources:\u003c/strong\u003e The attacker uses the forged tokens to authenticate to various resources within the Entra ID tenant, bypassing MFA and conditional access policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Access:\u003c/strong\u003e The attacker maintains persistent access to the Entra ID tenant by continuously generating valid tokens as needed, allowing them to conduct reconnaissance, exfiltrate data, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of domain federation vulnerabilities can lead to a complete compromise of the Entra ID tenant. Attackers can gain unauthorized access to sensitive data, applications, and resources. The SolarWinds attack demonstrated the potential for widespread supply chain compromise and data exfiltration. The lack of visibility into token forgery makes this attack particularly stealthy and difficult to detect. If successful, attackers can maintain persistent access for extended periods, causing significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Entra ID Domain Federation Configuration Change\u0026quot; to your SIEM and tune for your environment to detect unauthorized domain federation changes.\u003c/li\u003e\n\u003cli\u003eEnable Azure integration with Microsoft Entra ID Audit Logs data stream and ingest into your Elastic Stack deployment as required by the Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview and restrict who has Domain Administrator or Global Administrator roles using Privileged Identity Management (PIM) as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement alerts on domain management operations and restrict domain federation changes via conditional access policies as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eIf unauthorized domain federation changes are detected, follow the response and remediation steps outlined in the rule documentation, including removing the federation configuration and revoking active sessions.\u003c/li\u003e\n\u003cli\u003eQuery the Graph API to retrieve the actual federation configuration details, since they are not logged in the audit event: \u003ccode\u003eGet-MgDomainFederationConfiguration -DomainId \u0026quot;\u0026lt;domain\u0026gt;\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-domain-federation/","summary":"Adversaries with Global Administrator or Domain Administrator privileges may add a custom domain, verify ownership, and configure it to federate authentication with an attacker-controlled identity provider, allowing token forgery and bypassing MFA and conditional access policies for persistent, stealthy access to victim tenants.","title":"Entra ID Domain Federation Configuration Change","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-domain-federation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["low"],"_cs_tags":["azure","entra-id","domain-federation","golden-saml"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert detects the addition or verification of custom domains within an Entra ID tenant. While legitimate in some administrative contexts, these actions are infrequent and can signal the initial stages of a Golden SAML or BYOIDP (Bring Your Own Identity Provider) attack. Attackers might add a domain to configure domain federation, routing authentication through an attacker-controlled identity provider. Defenders should investigate such events when they lack corresponding change requests or IT workflows. The rule is based on Microsoft Entra ID Audit Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to an Entra ID tenant, typically requiring Global Administrator or Domain Administrator privileges, possibly through compromised credentials or privilege escalation.\u003c/li\u003e\n\u003cli\u003eAttacker adds a new, unverified custom domain to the Entra ID tenant using the Azure portal, Microsoft Graph API, or PowerShell. The added domain is typically attacker-controlled.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;Add unverified domain\u0026quot; event is logged in the Azure audit logs.\u003c/li\u003e\n\u003cli\u003eAttacker verifies the custom domain by adding a specific TXT record to the domain's DNS settings as instructed by Entra ID.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;Verify domain\u0026quot; event is logged in the Azure audit logs.\u003c/li\u003e\n\u003cli\u003eAttacker configures domain federation settings to point to an attacker-controlled identity provider (IdP).\u003c/li\u003e\n\u003cli\u003eUsers authenticating to cloud applications are redirected to the malicious IdP, potentially leading to credential theft or unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials or SAML tokens to access sensitive resources within the organization's cloud environment, achieving data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform man-in-the-middle attacks and potentially gain unauthorized access to cloud resources by routing authentication through an attacker-controlled IdP. This can lead to data breaches, service disruption, and reputational damage. The addition and verification of custom domains are early indicators of such attacks and require immediate investigation to prevent further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID Custom Domain Added or Verified\u003c/code\u003e to your SIEM, using the \u003ccode\u003efilebeat-*\u003c/code\u003e and \u003ccode\u003elogs-azure.auditlogs-*\u003c/code\u003e indices, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.auditlogs.properties.initiated_by.user.userPrincipalName\u003c/code\u003e and \u003ccode\u003eipAddress\u003c/code\u003e to identify the user and source IP that initiated the domain addition or verification, as suggested in the rule's triage steps.\u003c/li\u003e\n\u003cli\u003eMonitor for subsequent \u003ccode\u003e\u0026quot;Set domain authentication\u0026quot;\u003c/code\u003e or \u003ccode\u003e\u0026quot;Set federation settings on domain\u0026quot;\u003c/code\u003e events following a domain addition or verification, as outlined in the rule's triage section.\u003c/li\u003e\n\u003cli\u003eImplement Privileged Identity Management (PIM) for Global Administrator roles to restrict domain management operations.\u003c/li\u003e\n\u003cli\u003eIf an unauthorized domain addition is detected, immediately remove the unverified or verified domain using \u003ccode\u003eRemove-MgDomain -DomainId \u0026quot;\u0026lt;domain\u0026gt;\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-custom-domain-added/","summary":"Detection of custom domain additions or verifications in Entra ID, a precursor to potentially malicious domain federation for Golden SAML attacks.","title":"Entra ID Custom Domain Added or Verified","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-custom-domain-added/"}],"language":"en","title":"CraftedSignal Threat Feed - Domain-Federation","version":"https://jsonfeed.org/version/1.1"}