DET0458: Detection of Trust Relationship Modifications in Domain or Tenant Policies
This detection strategy matters because changes to domain or tenant trust relationships can alter who is allowed to authenticate across boundaries. Even wi...
Analyst context for executives and security teams
This detection strategy matters because changes to domain or tenant trust relationships can alter who is allowed to authenticate across boundaries. Even without official detection logic in the ATT&CK object, its relationship to Trust Modification (T1484.002) makes it a high-value area for identity, Windows, and identity-provider monitoring: unexpected trust changes can support privilege escalation or weaken defenses.
Executive priority
Treat trust relationship monitoring as an identity resilience and governance priority. Security leaders should ask whether changes to domain or tenant trust policy are approved, logged, reviewed, and explainable during an incident or audit. Coverage should be prioritized where Windows domain trusts or identity-provider trust/federation relationships affect access to shared resources or privileged environments.
Technical view
DET0458 is a detection strategy for identifying trust relationship modifications in domain or tenant policies and is linked to ATT&CK technique T1484.002, Trust Modification, under defense-impairment and privilege-escalation tactics. SOC and IR teams should validate whether they can see administrative changes to trust objects, federation or tenant trust settings, and related policy changes in Windows and identity-provider environments. Because the official object provides no detection analytic, teams must derive local logic from authoritative change logs, approved change records, and known administrative workflows.
Likely telemetry
- Identity provider administrative audit logs
- Windows domain trust or directory service change logs
- Tenant or federation configuration change records
- Privileged administrator activity logs
- Change management tickets or approval records for trust policy updates
Detection direction
- Baseline legitimate trust relationship changes and compare observed modifications against approved change windows and administrators.
- Prioritize alerts for new, modified, or removed trust relationships involving privileged domains, tenants, or shared-resource access paths.
- Correlate trust policy changes with privileged account activity to reduce noise and support incident scoping.
- Validate blind spots where identity-provider audit logs, directory service logs, or change-management records are not retained or centrally searchable.
- Tune for expected administrative maintenance, but require review when trust changes lack an approved business justification.
Mitigation priorities
- Restrict who can modify domain, tenant, federation, or trust policies using least privilege.
- Require formal approval and documentation for trust relationship changes.
- Ensure logging and retention are enabled for identity-provider and Windows directory trust changes.
- Review privileged identity governance controls for administrators able to change trust relationships.
- Include trust policy review in incident response playbooks and compliance evidence collection.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy with no official description or detection text. The practical guidance is therefore based on the object name, external reference, and its relationship to T1484.002 Trust Modification, including the related tactics of defense impairment and privilege escalation and the related platforms Identity Provider and Windows.
No official detection logic, data sources, platforms, or tactics are specified directly on DET0458. Local environment architecture, logging configuration, identity-provider capabilities, and change-management practices are required to turn this into testable detections.
Detection of Trust Relationship Modifications in Domain or Tenant Policies
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1484.002 | Trust Modification Sub-technique | This object detects Trust Modification. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 941a78642984… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0458Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.