CTD-000012

Modified federation settings in Microsoft Entra domain

Critical
Entra ID
Lateral Movement Persistence
v25

Signature Identity

CTD-000012
Threat ID
25
Version
IOC
Indicator Type

Threat Description

This rule checks if the domain’s federation settings were recently modified.
When you federate your on-premises environment with Microsoft Entra ID, you establish a trust relationship between the on-premises identity provider and Microsoft Entra ID.
Due to this established trust, Microsoft Entra ID honours the security token issued by the on-premises identity provider post-authentication, to grant access to resources protected by Microsoft Entra ID. A malicious user might modify federation settings to get access to resources in Microsoft Entra ID.

MITRE ATT&CK: Attack Tactics

Lateral Movement Persistence

D3FEND: Defend Tactics

Domain Trust Policy

Remediation

Review unexpected changes of the federation configuration using Cayosoft Guardian. Remove suspicious domains.

  1. Open Microsoft Entra admin center.
  2. Type Domain Names in the search field.
  3. Select Domain Names in the results.
  4. Remove any stale, unrecognized, or suspicious domains.
  5. Review federation settings by clicking on each domain name.

Frequently Asked Questions

What does Modified federation settings in Microsoft Entra domain mean?

A malicious user has altered the trust relationship between your on-premises identity provider and Microsoft Entra ID, potentially granting unauthorized access to resources protected by Microsoft Entra ID. This change allows attackers to bypass normal authentication controls.

The modified trust relationship can be exploited for unauthorized access and persistence. Attackers can authenticate without proper credentials, enabling them to maintain a persistent presence within the environment.

Attackers can use the modified federation settings to gain unauthorized access to resources protected by Microsoft Entra ID. They can exploit this vulnerability to authenticate without proper credentials and maintain persistence within the environment.

Cayosoft Guardian continuously monitors the trust relationship between your on-premises identity provider and Microsoft Entra ID, flagging any unexpected changes to the federation configuration that may indicate a security compromise. This allows administrators to review and address potential issues promptly.

Cayosoft Guardian alerts administrators to review unexpected changes to the federation configuration, enabling them to remove suspicious domains and restore secure access controls. This helps prevent unauthorized access and persistence, reducing the overall security risk.

Stop AD Threats As They Happen

Cayosoft Protector provides continuous monitoring and real-time alerts across your entire Microsoft Identity stack

Classification
Systems
Entra ID
Themes
Infrastructure
Attack Tactics
Lateral Movement Persistence
Defend Tactics
Domain Trust Policy
Indicator Types
IOC
Related Threats
CTD-000139
Kerberos Constrained Delegation: krbtgt Risks
Critical
CTD-000122
Active Directory Schema Update Permission Risks
Critical