T1556.007 Hybrid Identity Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PTAAgentEvents = AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any (
    "Add agent to application",
    "Register connector",
    "Agent health status",
    "Pass-through authentication agent"
  )
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Actor, Result, ResultDescription;
let ADFSServiceEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (
    @"\ADFS\", @"\Microsoft.IdentityServer",
    @"\AzureADConnectAuthenticationAgentService"
  )
| where ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".dll" or FileName endswith ".config" or FileName endswith ".exe"
| project Timestamp, DeviceName, FolderPath, FileName, ActionType,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256;
let AzureADConnectProcess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "AzureADConnectAuthenticationAgentService.exe"
    or FileName =~ "AzureADConnectAuthenticationAgentService.exe"
| where ProcessCommandLine has_any ("inject", "dll", "-", "PTASpy")
    or InitiatingProcessFileName !in~ ("services.exe", "svchost.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName;
union PTAAgentEvents, ADFSServiceEvents, AzureADConnectProcess
| sort by TimeGenerated desc, Timestamp desc

critical severity high confidence

Data Sources

File: File Modification Process: Process Creation Active Directory: Active Directory Object Modification Microsoft Entra ID Audit Logs

Required Tables

AuditLogs DeviceFileEvents DeviceProcessEvents

False Positives

Authorized Azure AD Connect upgrades that modify PTA agent binaries and configuration files
Legitimate new PTA agent registration during Azure AD Connect scale-out deployments
ADFS server updates or patches that modify Microsoft.IdentityServer binaries
Configuration management tools (Ansible, DSC) deploying authorized ADFS configuration changes

Splunk

spl

index=azure_audit OR index=wineventlog
  sourcetype IN ("azure:aad:audit", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventType=case(
    sourcetype="azure:aad:audit", "AzureAD",
    EventCode=1, "ProcessCreate",
    EventCode=11, "FileCreate",
    1==1, "Other"
  )
| where (EventType="AzureAD" AND match(OperationName, "(?i)(PTA|pass.through|agent|connector)"))
    OR (EventType="ProcessCreate" AND match(Image, "(?i)AzureADConnect") AND NOT match(ParentImage, "(?i)(services\.exe|svchost\.exe)"))
    OR (EventType="FileCreate" AND (match(TargetFilename, "(?i)(ADFS|IdentityServer|AzureADConnect)") AND match(TargetFilename, "\.(dll|config)$")))
| table _time, EventType, Image, TargetFilename, OperationName, User, host
| sort - _time

critical severity high confidence

Data Sources

Azure Active Directory Audit Logs Sysmon Event ID 1 (Process Create) Sysmon Event ID 11 (File Create)

Required Sourcetypes

azure:aad:audit XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Azure AD Connect version upgrades
Authorized ADFS server patching and configuration updates
New PTA agents deployed during capacity expansion
Identity team performing authorized maintenance during change windows

Elastic Security (EQL)

eql

any where
  (
    event.dataset == "azure.auditlogs" and
    azure.auditlogs.operation_name : ("Add agent to application", "Register connector", "Agent health status", "Pass-through authentication agent")
  ) or
  (
    event.category == "file" and
    event.action in ("creation", "modification") and
    file.path : ("*\\ADFS\\*", "*\\Microsoft.IdentityServer*", "*\\AzureADConnectAuthenticationAgentService*") and
    file.extension in ("dll", "config", "exe")
  ) or
  (
    event.category == "process" and
    (
      process.name : "AzureADConnectAuthenticationAgentService.exe" or
      process.parent.name : "AzureADConnectAuthenticationAgentService.exe"
    ) and
    not process.parent.name : ("services.exe", "svchost.exe")
  )

critical severity high confidence

Data Sources

Azure AD Audit Logs via Azure integration Elastic Endpoint (file events) Elastic Endpoint (process events) Windows Sysmon via Elastic Agent

Required Tables

azure.auditlogs logs-endpoint.events.file-* logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

Legitimate PTA agent registration during a planned Azure AD Connect installation or upgrade performed by an authorized identity team administrator
Microsoft patch management or SCCM writing updated ADFS binaries and configuration files to monitored directories during a scheduled maintenance window
Security scanning or backup tooling that enumerates ADFS directories, triggering file-category events without performing actual modifications

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  CATEGORYNAME(category) AS category,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  hostname,
  "EventID" AS event_id,
  "File Path" AS file_path,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "CommandLine" AS command_line
FROM events
WHERE
  (
    LOGSOURCETYPEID(devicetype) = 452
    AND (
      LOWER(QIDNAME(qid)) LIKE '%pta%'
      OR LOWER(QIDNAME(qid)) LIKE '%pass-through%'
      OR LOWER(QIDNAME(qid)) LIKE '%pass through%'
      OR LOWER(QIDNAME(qid)) LIKE '%add agent%'
      OR LOWER(QIDNAME(qid)) LIKE '%register connector%'
    )
  )
  OR (
    LOGSOURCETYPEID(devicetype) = 433
    AND "EventID" IN (1, 11)
    AND (
      LOWER("File Path") LIKE '%\adfs\%'
      OR LOWER("File Path") LIKE '%microsoft.identityserver%'
      OR LOWER("File Path") LIKE '%azureadconnectauthenticationagentservice%'
    )
    AND (
      LOWER("File Path") LIKE '%.dll'
      OR LOWER("File Path") LIKE '%.config'
      OR LOWER("File Path") LIKE '%.exe'
    )
  )
  OR (
    LOGSOURCETYPEID(devicetype) = 433
    AND "EventID" = 1
    AND LOWER("Image") LIKE '%azureadconnectauthenticationagentservice%'
    AND LOWER("ParentImage") NOT LIKE '%services.exe%'
    AND LOWER("ParentImage") NOT LIKE '%svchost.exe%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS

critical severity medium confidence

Data Sources

Azure Active Directory DSM (QRadar) Microsoft Windows Sysmon DSM (QRadar) Microsoft Windows Security Event Log DSM (QRadar)

Required Tables

events

False Positives

Authorized Azure AD Connect upgrades by IT engineering that legitimately register new PTA agents, generating audit events matching the Azure AD log filter
Microsoft Defender for Identity sensor updates or ADFS role installations by Windows Update that write new DLL versions to monitored directories
Legitimate AzureADConnect health monitoring processes that launch diagnostic binaries, which may appear as unexpected child processes in Sysmon EventID 1 data

Sumo Logic CSE

sql

(_sourceCategory=azure/audit OR _sourceCategory=windows/sysmon OR _sourceCategory=windows/security)
| parse field=_raw "\"operationName\":\"*\"" as operationName nodrop
| parse field=_raw "Image: *" as image nodrop
| parse field=_raw "ParentImage: *" as parentImage nodrop
| parse field=_raw "TargetFilename: *" as targetFilename nodrop
| parse field=_raw "CommandLine: *" as commandLine nodrop
| parse field=_raw "EventID: *" as eventId nodrop
| where (
    matches(toLowerCase(operationName), "*pta*")
    OR matches(toLowerCase(operationName), "*pass-through*")
    OR matches(toLowerCase(operationName), "*add agent to application*")
    OR matches(toLowerCase(operationName), "*register connector*")
  )
  OR (
    (eventId = "11" OR eventId = "1")
    AND (
      matches(toLowerCase(targetFilename), "*\\adfs\\*")
      OR matches(toLowerCase(targetFilename), "*microsoft.identityserver*")
      OR matches(toLowerCase(targetFilename), "*azureadconnect*")
    )
    AND (
      matches(toLowerCase(targetFilename), "*.dll")
      OR matches(toLowerCase(targetFilename), "*.config")
      OR matches(toLowerCase(targetFilename), "*.exe")
    )
  )
  OR (
    eventId = "1"
    AND matches(toLowerCase(image), "*azureadconnectauthenticationagentservice*")
    AND !matches(toLowerCase(parentImage), "*services.exe*")
    AND !matches(toLowerCase(parentImage), "*svchost.exe*")
  )
| fields _messageTime, operationName, image, parentImage, targetFilename, commandLine, eventId, _sourceHost
| sort by _messageTime desc

critical severity high confidence

Data Sources

Azure AD Audit Logs (_sourceCategory=azure/audit) Windows Sysmon (_sourceCategory=windows/sysmon) Windows Security Event Log (_sourceCategory=windows/security)

Required Tables

_sourceCategory=azure/audit _sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Scheduled Azure AD Connect version upgrades that legitimately register new PTA agents and update service binaries, generating correlated file and audit events
Windows Update or ADFS role patching cycles writing new Microsoft-signed DLLs to monitored directories during approved maintenance windows
Third-party identity management products such as Ping Identity or Okta AD Agent that co-locate with ADFS and interact with overlapping directory paths

Google Chronicle / SecOps

yaral

rule hybrid_identity_t1556_007 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1556.007 Hybrid Identity - PTA agent registration, ADFS DLL/config tampering, anomalous AzureADConnect process spawning"
    mitre_attack_tactic = "Persistence, Defense Evasion, Credential Access"
    mitre_attack_technique = "T1556.007"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1556/007/"

  events:
    (
      $e.metadata.event_type = "FILE_MODIFICATION"
      and re.regex($e.target.file.full_path, `(?i)(\\ADFS\\|Microsoft\.IdentityServer|AzureADConnectAuthenticationAgentService)`)
      and re.regex($e.target.file.full_path, `(?i)\.(dll|config|exe)$`)
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.file.full_path, `(?i)AzureADConnectAuthenticationAgentService\.exe`)
        or re.regex($e.principal.process.file.full_path, `(?i)AzureADConnectAuthenticationAgentService\.exe`)
      )
      and not re.regex($e.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe)`)
    )
    or
    (
      $e.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
      and re.regex($e.metadata.product_event_type, `(?i)(Add agent to application|Register connector|Pass-through authentication agent)`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle SIEM (UDM) Azure AD audit logs via Chronicle ingestion Windows Sysmon via Chronicle Forwarder CrowdStrike or Carbon Black endpoint telemetry via Chronicle

Required Tables

UDM Events (FILE_MODIFICATION) UDM Events (PROCESS_LAUNCH) UDM Events (USER_RESOURCE_UPDATE_CONTENT)

False Positives

Authorized Azure AD Connect deployments or periodic health attestation cycles that legitimately generate USER_RESOURCE_UPDATE_CONTENT events for PTA agent registration
Planned ADFS infrastructure upgrades where Microsoft-signed DLLs and configuration files are written by admin accounts with expected file paths, triggering FILE_MODIFICATION events
Endpoint security agents or asset management tools that read and stage ADFS configuration directories for inventory or compliance scanning purposes

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2|FileWritten|PeFileWritten/
| test {
    ImageFileName = /(?i)AzureADConnectAuthenticationAgentService\.exe/
    OR TargetFileName = /(?i)(\\ADFS\\|Microsoft\.IdentityServer|AzureADConnectAuthentication).+\.(dll|config|exe)$/
    OR (
      ImageFileName = /(?i)AzureADConnectAuthenticationAgentService/
      AND NOT ParentBaseFileName = /(?i)(services\.exe|svchost\.exe)/
    )
  }
| DetectionType := if(
    TargetFileName = /(?i)\.(dll|config)$/, "ADFS_File_Tampering",
    if(
      ImageFileName = /(?i)AzureADConnectAuthenticationAgentService/
        AND NOT ParentBaseFileName = /(?i)(services\.exe|svchost\.exe)/,
      "Suspicious_PTA_Spawn",
      "AzureADConnect_File_Activity"
    )
  )
| select([ComputerName, DetectionType, #event_simpleName, ImageFileName, CommandLine, ParentBaseFileName, TargetFileName, UserName, SHA256HashData])
| sort(field=@timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2) CrowdStrike Falcon Endpoint (SyntheticProcessRollup2) CrowdStrike Falcon Endpoint (FileWritten) CrowdStrike Falcon Endpoint (PeFileWritten)

Required Tables

ProcessRollup2 SyntheticProcessRollup2 FileWritten PeFileWritten

False Positives

CrowdStrike Falcon sensor self-updates or policy enforcement actions that write files to monitored identity service directories, generating PeFileWritten events
Legitimate IT automation pipelines (Ansible, SCCM, Intune) deploying Azure AD Connect upgrades that produce correlated ProcessRollup2 and FileWritten events within the same time window
Microsoft Identity Manager or other IAM federation products co-located with ADFS that write to overlapping directory paths and launch child processes during normal operation

Hybrid Identity

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections