{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/golden-saml/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["low"],"_cs_tags":["azure","entra-id","domain-federation","golden-saml"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert detects the addition or verification of custom domains within an Entra ID tenant. While legitimate in some administrative contexts, these actions are infrequent and can signal the initial stages of a Golden SAML or BYOIDP (Bring Your Own Identity Provider) attack. Attackers might add a domain to configure domain federation, routing authentication through an attacker-controlled identity provider. Defenders should investigate such events when they lack corresponding change requests or IT workflows. The rule is based on Microsoft Entra ID Audit Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains unauthorized access to an Entra ID tenant, typically requiring Global Administrator or Domain Administrator privileges, possibly through compromised credentials or privilege escalation.\u003c/li\u003e\n\u003cli\u003eAttacker adds a new, unverified custom domain to the Entra ID tenant using the Azure portal, Microsoft Graph API, or PowerShell. The added domain is typically attacker-controlled.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;Add unverified domain\u0026quot; event is logged in the Azure audit logs.\u003c/li\u003e\n\u003cli\u003eAttacker verifies the custom domain by adding a specific TXT record to the domain's DNS settings as instructed by Entra ID.\u003c/li\u003e\n\u003cli\u003eThe \u0026quot;Verify domain\u0026quot; event is logged in the Azure audit logs.\u003c/li\u003e\n\u003cli\u003eAttacker configures domain federation settings to point to an attacker-controlled identity provider (IdP).\u003c/li\u003e\n\u003cli\u003eUsers authenticating to cloud applications are redirected to the malicious IdP, potentially leading to credential theft or unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials or SAML tokens to access sensitive resources within the organization's cloud environment, achieving data exfiltration or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to perform man-in-the-middle attacks and potentially gain unauthorized access to cloud resources by routing authentication through an attacker-controlled IdP. This can lead to data breaches, service disruption, and reputational damage. The addition and verification of custom domains are early indicators of such attacks and require immediate investigation to prevent further compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eEntra ID Custom Domain Added or Verified\u003c/code\u003e to your SIEM, using the \u003ccode\u003efilebeat-*\u003c/code\u003e and \u003ccode\u003elogs-azure.auditlogs-*\u003c/code\u003e indices, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eazure.auditlogs.properties.initiated_by.user.userPrincipalName\u003c/code\u003e and \u003ccode\u003eipAddress\u003c/code\u003e to identify the user and source IP that initiated the domain addition or verification, as suggested in the rule's triage steps.\u003c/li\u003e\n\u003cli\u003eMonitor for subsequent \u003ccode\u003e\u0026quot;Set domain authentication\u0026quot;\u003c/code\u003e or \u003ccode\u003e\u0026quot;Set federation settings on domain\u0026quot;\u003c/code\u003e events following a domain addition or verification, as outlined in the rule's triage section.\u003c/li\u003e\n\u003cli\u003eImplement Privileged Identity Management (PIM) for Global Administrator roles to restrict domain management operations.\u003c/li\u003e\n\u003cli\u003eIf an unauthorized domain addition is detected, immediately remove the unverified or verified domain using \u003ccode\u003eRemove-MgDomain -DomainId \u0026quot;\u0026lt;domain\u0026gt;\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-custom-domain-added/","summary":"Detection of custom domain additions or verifications in Entra ID, a precursor to potentially malicious domain federation for Golden SAML attacks.","title":"Entra ID Custom Domain Added or Verified","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-custom-domain-added/"}],"language":"en","title":"CraftedSignal Threat Feed - Golden-Saml","version":"https://jsonfeed.org/version/1.1"}