Duo Trust Monitor surfaces authentication and access events that deviate from a user's established baseline, such as a login from an unfamiliar access device, network, or location. Those deviations are an early signal of compromised credentials or misuse of the second factor, which is why the rule is mapped to the Credential Access tactic. This rule raises an incident for every new Trust Monitor event ingested into the DuoSecurityTrustMonitor_CL table so that SOC analysts can review the surfaced user and access device IP in Microsoft Sentinel (formerly Azure Sentinel), correlate them with other sign-in activity, and decide whether account takeover or lateral movement is under way.
KQL Query
let timeframe = ago(5m);
DuoSecurityTrustMonitor_CL
| where TimeGenerated >= timeframe
| extend AccountName = tostring(split(surfaced_auth_user_name_s, "@")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, "@")[1])
id: 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182
name: Trust Monitor Event
description: |
  'This query identifies when a new trust monitor event is detected.'
severity: Medium
requiredDataConnectors: []
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1528
  - T1555
query: |
  let timeframe = ago(5m);
  DuoSecurityTrustMonitor_CL
  | where TimeGenerated >= timeframe
  | extend AccountName = tostring(split(surfaced_auth_user_name_s, "@")[0]), AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: surfaced_auth_user_name_s
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: surfaced_auth_access_device_ip_s
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: SecurityJedi
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
False positives. Trust Monitor is a Duo feature and is unrelated to Active Directory domain trusts. The DuoSecurityTrustMonitor_CL table holds the surfaced authentication record (user, access device IP, and the other surfaced_auth fields), not endpoint telemetry, so exclusions have to be expressed on those fields; process names and command lines are not available here.
Scenario: A user travels or starts working from a new home network, so Trust Monitor surfaces an authentication from an IP or location it has not seen for that user.
Filter/Exclusion: Confirm the event with the user or against travel records before closing it. Suppress automatically only when surfaced_auth_access_device_ip_s falls inside corporate office or VPN egress ranges maintained in a Sentinel watchlist; do not suppress arbitrary new IPs, since that is exactly what a credential-stuffing login looks like.
Scenario: A user replaces a phone and enrolls a new Duo device through the help desk, producing a device-related event for that account.
Filter/Exclusion: Correlate the event with an open help desk ticket for the same surfaced_auth_user_name_s and suppress it for that user only within the ticket's time window.
Scenario: A Duo administrator temporarily changes a user's status (for example, placing the user in bypass) while troubleshooting an authentication problem, and the change is surfaced by Trust Monitor.
Filter/Exclusion: Require a change record that names the administrator and the affected user. Do not exclude these events wholesale: an attacker who has obtained Duo admin access produces the same event, and a user in bypass is a user without MFA.
Scenario: Service or test accounts authenticate through Duo from automation hosts whose IPs and timing differ from interactive users, so Trust Monitor repeatedly flags them.
Filter/Exclusion: Keep a watchlist of these accounts and exclude matching surfaced_auth_user_name_s values. Review the list periodically, because a standing exclusion on an account is also a blind spot if that account is later compromised.
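The following is an added example, not the page's original rule, showing how the watchlist-based exclusions above can be expressed in the detection query itself. It assumes two Sentinel watchlists exist in the workspace: KnownEgressRanges (column IpRange, one CIDR per row) and DuoServiceAccounts (column UserName, the full Duo username). Both watchlist names and their column names are illustrative; everything else uses only the columns the original rule already references.

```kql
// Added example, not the original rule: the Trust Monitor detection with
// allow-list exclusions expressed on the columns the table actually carries.
// Assumptions: Sentinel watchlists named 'KnownEgressRanges' (column IpRange,
// one CIDR per row) and 'DuoServiceAccounts' (column UserName, full Duo
// username) exist in the workspace. Both names are illustrative.
let timeframe = ago(5m);
// Corporate office / VPN egress ranges, collected into a dynamic array so
// ipv4_is_in_any_range() can test each access device IP against all of them.
let knownRanges = toscalar(
    _GetWatchlist('KnownEgressRanges')
    | summarize make_list(IpRange));
// Service and test accounts that are expected to look unusual to Trust Monitor.
let serviceAccounts =
    _GetWatchlist('DuoServiceAccounts')
    | project UserName = tolower(UserName);
DuoSecurityTrustMonitor_CL
| where TimeGenerated >= timeframe
| where isnotempty(surfaced_auth_user_name_s)
// Exclude allow-listed accounts, case-insensitively.
| where tolower(surfaced_auth_user_name_s) !in (serviceAccounts)
// Drop events whose access device IP is inside a known egress range.
// ipv4_is_in_any_range() returns null for an empty or non-IPv4 value, so
// coalesce() keeps those rows instead of silently discarding them.
| where coalesce(ipv4_is_in_any_range(surfaced_auth_access_device_ip_s, knownRanges), false) == false
| extend AccountName = tostring(split(surfaced_auth_user_name_s, "@")[0]),
         AccountUPNSuffix = tostring(split(surfaced_auth_user_name_s, "@")[1])
// Keep every column the rule's entity mappings refer to.
| project TimeGenerated, surfaced_auth_user_name_s, AccountName, AccountUPNSuffix, surfaced_auth_access_device_ip_s
```

The project line retains all four columns used by the rule's entity mappings, so the mappings do not need to change. If KnownEgressRanges exists but is empty, knownRanges becomes an empty array and no IP-based suppression happens, which is the safe failure mode; if the watchlist does not exist at all, _GetWatchlist fails and the rule produces an error rather than silently dropping events.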