Detections
Analytics
Domain Policy Modification: Trust Modification(Azure)
Description
Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | Entra ID | Read-only | HTTPS | Tenant properties | ||
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Defense Evasion, Privilege Escalation
Technique: Domain Policy Modification
Sub-Technique: Trust Modification
Platform: Entra ID
Products Required: Tenable Identity Exposure and Tenable Vulnerability Management
Tenable Release Date: 2024 Q2