Detect Hybrid Identity Authentication Process Modification

Technique Detected: Hybrid Identity | T1556.007

ID: DET0293
Domains: Enterprise
Analytics: AN0814, AN0815, AN0816, AN0817, AN0818
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0814

Detects injection or tampering of DLLs in hybrid identity agents (e.g., AzureADConnectAuthenticationAgentService), registry or configuration changes tied to PTA/AD FS, and anomalous LSASS or AD FS module loads correlated with authentication anomalies.

Log Sources
Data Component | Name | Channel
Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7
Active Directory Object Modification (DC0066) | WinEventLog:Directory Service | EventCode=5136
Logon Session Creation (DC0067) | WinEventLog:Security | Anomalous logon without MFA enforcement

Mutable Elements
Field | Description
WatchedServices | Hybrid identity services monitored for tampering, e.g., PTA agent, AD FS.
TimeWindow | Window correlating DLL/module load events with logon anomalies.
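As an added illustration of AN0814 (not part of the ATT&CK page or any MITRE tooling), the following Python correlates Sysmon EventCode=7 module loads into the watched hybrid identity agents with logons that completed without MFA inside a TimeWindow. The Sysmon field names (Image, ImageLoaded, Signed, UtcTime, Computer) and TargetUserName are real event fields; the MfaEnforced flag, the agent install path and every sample event are constructed assumptions.

```python
from datetime import datetime, timedelta

# Mutable element WatchedServices: image names of the hybrid identity agents.
WATCHED_SERVICES = {"azureadconnectauthenticationagentservice.exe", "microsoft.identityserver.servicehost.exe"}
TIME_WINDOW = timedelta(minutes=10)  # mutable element TimeWindow

_ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def suspicious_module_loads(sysmon_events):
    # Sysmon EventCode=7 loads into a watched agent where the DLL is unsigned
    # or lives outside the agent's own install directory.
    hits = []
    for ev in sysmon_events:
        if ev.get("EventCode") != 7:
            continue
        proc_dir, _, proc_name = ev["Image"].lower().rpartition("\\")
        if proc_name not in WATCHED_SERVICES:
            continue
        dll = ev["ImageLoaded"].lower()
        unsigned = ev.get("Signed", "false").lower() != "true"
        if unsigned or not dll.startswith(proc_dir + "\\"):
            hits.append(ev)
    return hits

def correlate(sysmon_events, logon_events, window=TIME_WINDOW):
    # Pair each suspicious load with non-MFA logons on the same host inside `window`; returns (dll, user).
    alerts = []
    for load in suspicious_module_loads(sysmon_events):
        t0 = _ts(load["UtcTime"])
        for logon in logon_events:
            if logon["Computer"] != load["Computer"] or logon["MfaEnforced"]:
                continue
            if timedelta(0) <= _ts(logon["UtcTime"]) - t0 <= window:
                alerts.append((load["ImageLoaded"], logon["TargetUserName"]))
    return alerts

# Constructed sample events, not real telemetry; MfaEnforced is an assumed field derived from sign-in logs.
AGENT = r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent"
SYSMON = [
    {"EventCode": 7, "Computer": "PTA01", "UtcTime": "2025-10-21 09:00:00", "Signed": "true",
     "Image": AGENT + r"\AzureADConnectAuthenticationAgentService.exe", "ImageLoaded": AGENT + r"\Microsoft.IdentityModel.dll"},
    {"EventCode": 7, "Computer": "PTA01", "UtcTime": "2025-10-21 09:02:00", "Signed": "false",
     "Image": AGENT + r"\AzureADConnectAuthenticationAgentService.exe", "ImageLoaded": r"C:\Users\Public\helper.dll"},
]
LOGONS = [
    {"Computer": "PTA01", "UtcTime": "2025-10-21 09:05:00", "TargetUserName": "j.doe", "MfaEnforced": False},
    {"Computer": "PTA01", "UtcTime": "2025-10-21 09:30:00", "TargetUserName": "a.smith", "MfaEnforced": False},
]
```

Only the unsigned DLL loaded from outside the agent directory is flagged, and only the logon three minutes later falls inside the window; the 09:30 logon is outside it and produces no alert.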

AN0815

Detects registration of new PTA agents, conditional access changes disabling hybrid MFA enforcement, or suspicious updates to AD FS token-signing configurations.

Log Sources
Data Component | Name | Channel
Application Log Content (DC0038) | azure:signinlogs | Register PTA Agent or Modify AD FS trust
User Account Modification (DC0010) | m365:unified | New agent registration by non-admin user

Mutable Elements
Field | Description
PrivilegedRoles | Roles authorized to configure PTA/AD FS integrations.

AN0816

Detects API calls registering or updating hybrid identity connectors, modification of cloud-to-on-premises federation trust, and unusual token issuance logs.

Log Sources
Data Component | Name | Channel
Cloud Service Modification (DC0069) | CloudTrail:UpdatePolicy | UpdateFederationSettings or RegisterHybridConnector

Mutable Elements
Field | Description
MonitoredFederations | Federation trusts and connectors relevant to hybrid identity setup.

AN0817

Detects tenant-wide authentication or conditional access changes that weaken hybrid identity enforcement, including disabling AD FS or bypassing hybrid MFA policies.

Log Sources
Data Component | Name | Channel
Application Log Content (DC0038) | m365:unified | Modify Federation Settings or Update Authentication Policy

Mutable Elements
Field | Description
PolicyScope | Scope of authentication and federation policies to be monitored.

AN0818

Detects suspicious changes to SAML/OAuth federation configurations, such as new signing certificates, altered endpoints, or claims issuance rules granting elevated privileges.

Log Sources
Data Component | Name | Channel
Application Log Content (DC0038) | saas:okta | Federation configuration update or signing certificate change

Mutable Elements
Field | Description
FederationEndpoints | Federation/SAML endpoints monitored for modification.