Windows ConvertTo-AADIntBackdoor Execution Via PowerShell Script

Splunk Security Content

Summary
This analytic detects execution of the ConvertTo-AADIntBackdoor command via PowerShell Script Block Logging (Event ID 4104). ConvertTo-AADIntBackdoor is part of the AADInternals toolkit and is used to modify Azure Active Directory federation settings, enabling an attacker to issue security tokens that impersonate any user, potentially bypass MFA, escalate privileges, and establish persistence within an Azure AD tenant. The rule triggers when a PowerShell ScriptBlock contains the string ConvertTo-AADIntBackdoor, indicating a direct attempt to alter federation configuration from an endpoint.

The detector relies on endpoint telemetry (PowerShell Script Block Logging) complemented by process context (process GUID, name, parent process) and complete command-line data, normalized via CIM to enable reliable correlation in Splunk. The query aggregates signals by destination host, user, script text, and related metadata to surface suspicious activity and provide actionable drilldowns. It also includes risk-based context to help triage and prioritize incidents.

Known false positives include legitimate federation configuration changes performed by trusted administrators or approved security tooling; these should be vetted against change management and administrative authorization. Remediation actions include validating the federation modification with the administrator, auditing federation settings, reviewing token issuance events, and ensuring MFA remains enforced.

The detection reflects tactics around credential access and persistence in Azure AD, such as domain federation modification, token impersonation, and privilege escalation. The rule is designed for Windows endpoints and relies on centralized EDR telemetry to identify anomalous federation-related activity at the client level.
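The following is an added example, not Splunk's own search or part of this detection's content: it applies the same logic described above (match the ConvertTo-AADIntBackdoor string in Event ID 4104 script block text, then aggregate by host and user) to a handful of constructed script block events in Python. The event field names, the sample hosts, users and script text are all assumptions made for the example; the match is case-insensitive because PowerShell cmdlet names are.

```python
"""Added example: scan constructed PowerShell Script Block Logging
(Event ID 4104) records for ConvertTo-AADIntBackdoor and aggregate the
hits per destination host and user, mirroring the analytic's stats step."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ScriptBlockEvent:
    """Subset of a 4104 event; field names are assumptions for this example,
    loosely following CIM-style naming rather than a verbatim sourcetype schema."""
    event_code: int
    dest: str
    user: str
    script_block_text: str
    process_name: str = "powershell.exe"
    parent_process_name: str = "explorer.exe"


# PowerShell resolves cmdlet names case-insensitively, so the indicator
# must match regardless of casing to avoid a trivial miss.
INDICATOR = re.compile(r"ConvertTo-AADIntBackdoor", re.IGNORECASE)


def is_suspicious(event: ScriptBlockEvent) -> bool:
    """True when a 4104 script block contains the AADInternals backdoor cmdlet."""
    return event.event_code == 4104 and INDICATOR.search(event.script_block_text) is not None


def aggregate_hits(events):
    """Group matching events by (dest, user), keeping the script text and
    process context a responder needs for the drilldown."""
    hits = defaultdict(lambda: {"count": 0, "script_blocks": [], "process_names": set(),
                                "parent_process_names": set()})
    for ev in events:
        if not is_suspicious(ev):
            continue
        entry = hits[(ev.dest, ev.user)]
        entry["count"] += 1
        entry["script_blocks"].append(ev.script_block_text)
        entry["process_names"].add(ev.process_name)
        entry["parent_process_names"].add(ev.parent_process_name)
    return dict(hits)


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    ScriptBlockEvent(4104, "WKSTN01", "CORP\\jdoe", "Get-Date; Get-Process | Sort-Object CPU"),
    ScriptBlockEvent(4104, "WKSTN01", "CORP\\jdoe",
                     "Import-Module AADInternals; convertto-aadintbackdoor -AccessToken $t"),
    ScriptBlockEvent(4104, "WKSTN01", "CORP\\jdoe",
                     "ConvertTo-AADIntBackdoor -AccessToken $token -DomainName example.test",
                     parent_process_name="cmd.exe"),
    ScriptBlockEvent(4104, "ADMIN02", "CORP\\fedadmin",
                     "ConvertTo-AADIntBackdoor -AccessToken $at -DomainName example.test"),
    # Event 4103 (pipeline logging) is out of scope for this analytic, so it is ignored.
    ScriptBlockEvent(4103, "WKSTN03", "CORP\\asmith", "ConvertTo-AADIntBackdoor -AccessToken $x"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Convenience entry point returning the aggregated hits for the sample set."""
    return aggregate_hits(events)


if __name__ == "__main__":
    for (dest, user), info in run_detection().items():
        print(f"{dest} {user}: {info['count']} hit(s); parents={sorted(info['parent_process_names'])}")
```

Each key in the returned mapping corresponds to one notable the analytic would raise; the process and parent-process sets are what a triage analyst would compare against change-management records before treating the hit as a true positive.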
Categories
  • Endpoint
  • Windows
Data Sources
  • Script
  • Process
ATT&CK Techniques
  • T1484.002
  • T1482
  • T1078
  • T1212
  • T1071.001
Created: 2026-04-13