1. Home
  2. Techniques
  3. Enterprise
  4. Modify Authentication Process
  5. Hybrid Identity

Modify Authentication Process: Hybrid Identity

ID Name
T1556.001 Domain Controller Authentication
T1556.002 Password Filter DLL
T1556.003 Pluggable Authentication Modules
T1556.004 Network Device Authentication
T1556.005 Reversible Encryption
T1556.006 Multi-Factor Authentication
T1556.007 Hybrid Identity
T1556.008 Network Provider DLL
T1556.009 Conditional Access Policies

Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.

Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID[1]:

  • Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud
  • Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
  • Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID

AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.

By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.[2][3] In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.[4]

In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.[5]

ID: T1556.007
Sub-technique of:  T1556
Platforms: IaaS, Identity Provider, Office Suite, SaaS, Windows
Contributors: Praetorian
Version: 1.1
Created: 28 September 2022
Last Modified: 14 October 2024
Version Permalink

Procedure Examples

ID Name Description
S0677 AADInternals

AADInternals can inject a malicious DLL (PTASpy) into the AzureADConnectAuthenticationAgentService to backdoor Azure AD Pass-Through Authentication.[3]
G0016 APT29

APT29 has edited the Microsoft.IdentityServer.Servicehost.exe.config file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name.[4]

Mitigations

ID Mitigation Description
M1047 Audit

Periodically review the hybrid identity solution in use for any discrepancies. For example, review all PTA agents in the Entra ID Management Portal to identify any unwanted or unapproved ones.[5] If ADFS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which may cause the file to appear unsigned when viewing file properties.[4]
M1032 Multi-factor Authentication

Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.

M1026 Privileged Account Management

Limit on-premises accounts with access to the hybrid identity solution in place. For example, limit Entra ID Global Administrator accounts to only those required, and ensure that these are dedicated cloud-only accounts rather than hybrid ones.[4]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Entra ID Application Proxy Connector, which are typically generated only when a new PTA Agent is added. [5] If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment.[4]
DS0022 File File Modification

Monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files. Monitor for access to certificates and cryptographic keys material.
DS0028 Logon Session Logon Session Creation

Monitor for discrepancies in authentication to cloud services, such as PTA sign-ins recorded in Entra ID that lack corresponding events in AD.[6]
DS0011 Module Module Load

Monitor the hybrid identity solution in use for the loading of unauthorized DLLs. For example, monitor all PTA agent servers for the creation of DLLs as well as the loading of DLLs into the AzureADConnectAuthenticationAgentService process.[5] If AD FS is in use, monitor the AD FS server for the creation of DLLs as well as the loading of unrecognized or unsigned DLLs into the Microsoft.IdentityServer.Servicehost application.[4]

References

  1. Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.
  2. Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.
  3. Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.
  1. Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team . (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
  2. Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.
  3. Dr. Nestori Syynimaa. (2022, September 20). Exploiting Azure AD PTA vulnerabilities: Creating backdoor and harvesting credentials. Retrieved September 28, 2022.