Detect Hybrid Identity in Google Chronicle
Adversaries may patch or backdoor cloud authentication processes tied to on-premises identities to bypass authentication, access credentials, and enable persistent access. Methods include: injecting a malicious DLL (PTASpy via AADInternals) into the AzureADConnectAuthenticationAgentService to authorize all authentication attempts and record credentials; modifying Microsoft.IdentityServer.Servicehost.exe.config (ADFS) to load a malicious DLL generating tokens for any user (APT29 MagicWeb); and registering a new PTA agent via the web console. Detection requires monitoring of Azure AD Connect processes, ADFS configuration files, and PTA agent registrations.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.007 Hybrid Identity
- Canonical reference
- https://attack.mitre.org/techniques/T1556/007/
YARA-L Detection Query
rule hybrid_identity_t1556_007 {
  meta:
    author = "Detection Engineering"
    description = "Detects T1556.007 Hybrid Identity - PTA agent registration, ADFS DLL/config tampering, anomalous AzureADConnect process spawning"
    mitre_attack_tactic = "Persistence, Defense Evasion, Credential Access"
    mitre_attack_technique = "T1556.007"
    severity = "HIGH"
    confidence = "HIGH"
    rule_version = "1.0"
    reference = "https://attack.mitre.org/techniques/T1556/007/"

  events:
    (
      $e.metadata.event_type = "FILE_MODIFICATION"
      and re.regex($e.target.file.full_path, `(?i)(\\ADFS\\|Microsoft\.IdentityServer|AzureADConnectAuthenticationAgentService)`)
      and re.regex($e.target.file.full_path, `(?i)\.(dll|config|exe)$`)
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.file.full_path, `(?i)AzureADConnectAuthenticationAgentService\.exe`)
        or re.regex($e.principal.process.file.full_path, `(?i)AzureADConnectAuthenticationAgentService\.exe`)
      )
      and not re.regex($e.principal.process.file.full_path, `(?i)(services\.exe|svchost\.exe)`)
    )
    or
    (
      $e.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
      and re.regex($e.metadata.product_event_type, `(?i)(Add agent to application|Register connector|Pass-through authentication agent)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1556.007 Hybrid Identity attacks through three alternative branches, one per UDM event type: FILE_MODIFICATION events where the target file path matches ADFS, Microsoft.IdentityServer, or AzureADConnectAuthenticationAgentService directories and the file has a DLL, config, or executable extension (MagicWeb/PTASpy staging); PROCESS_LAUNCH events where AzureADConnectAuthenticationAgentService.exe appears as principal or target process and the parent is not services.exe or svchost.exe (DLL injection indicator); and USER_RESOURCE_UPDATE_CONTENT Azure AD audit events whose product event type matches a PTA agent registration operation (rogue agent registration). Any single event satisfying one branch fires the rule; the branches are not correlated with each other.
False Positives & Tuning
- Authorized Azure AD Connect deployments or periodic health attestation cycles that legitimately generate USER_RESOURCE_UPDATE_CONTENT events for PTA agent registration
- Planned ADFS infrastructure upgrades where Microsoft-signed DLLs and configuration files are written by admin accounts with expected file paths, triggering FILE_MODIFICATION events
- Endpoint security agents or asset management tools that read and stage ADFS configuration directories for inventory or compliance scanning purposes
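To see which events the rule above fires on, and how the "planned ADFS upgrade" false positive can be tuned out, here is an added Python re-implementation of the rule's three branches run over constructed UDM-style events. This is example code written for this page, not Chronicle's or the rule author's code; the regular expressions are copied from the rule, the event field names follow the UDM paths the rule references, and the allowlisted account name `svc-adfs-deploy` and all sample paths are assumed placeholders.

```python
import re
from typing import Optional

# Regular expressions copied from the YARA-L rule. YARA-L's re.regex() is a
# case-insensitive-capable substring match, so re.search() is used below.
SENSITIVE_PATH_RE = re.compile(
    r"(\\ADFS\\|Microsoft\.IdentityServer|AzureADConnectAuthenticationAgentService)", re.I)
SENSITIVE_EXT_RE = re.compile(r"\.(dll|config|exe)$", re.I)
PTA_AGENT_EXE_RE = re.compile(r"AzureADConnectAuthenticationAgentService\.exe", re.I)
EXPECTED_PARENT_RE = re.compile(r"(services\.exe|svchost\.exe)", re.I)
PTA_REGISTRATION_RE = re.compile(
    r"(Add agent to application|Register connector|Pass-through authentication agent)", re.I)

# Tuning allowlist for the "planned ADFS upgrade" false positive: accounts
# expected to write ADFS binaries during change windows (assumed placeholder).
ALLOWED_ADFS_WRITERS = {"svc-adfs-deploy"}


def _search(pattern: re.Pattern, value: Optional[str]) -> bool:
    """Mirror re.regex(): an absent UDM field never matches."""
    return value is not None and pattern.search(value) is not None


def match_branch(event: dict) -> Optional[str]:
    """Return the name of the rule branch the event satisfies, or None."""
    etype = event.get("metadata.event_type")

    if etype == "FILE_MODIFICATION":
        path = event.get("target.file.full_path")
        if _search(SENSITIVE_PATH_RE, path) and _search(SENSITIVE_EXT_RE, path):
            return "adfs_or_pta_file_tamper"

    elif etype == "PROCESS_LAUNCH":
        parent = event.get("principal.process.file.full_path")
        child = event.get("target.process.file.full_path")
        agent_involved = _search(PTA_AGENT_EXE_RE, child) or _search(PTA_AGENT_EXE_RE, parent)
        if agent_involved and not _search(EXPECTED_PARENT_RE, parent):
            return "pta_agent_anomalous_launch"

    elif etype == "USER_RESOURCE_UPDATE_CONTENT":
        if _search(PTA_REGISTRATION_RE, event.get("metadata.product_event_type")):
            return "pta_agent_registration"

    return None


def is_tuned_out(event: dict, branch: str) -> bool:
    """Suppress file-tamper hits made by an allowlisted deployment account."""
    return (branch == "adfs_or_pta_file_tamper"
            and event.get("principal.user.userid") in ALLOWED_ADFS_WRITERS)


def evaluate(events: list) -> list:
    """Return (index, branch) for every event that still fires after tuning."""
    hits = []
    for i, ev in enumerate(events):
        branch = match_branch(ev)
        if branch and not is_tuned_out(ev, branch):
            hits.append((i, branch))
    return hits


# Constructed sample events (not real telemetry). Paths are placeholders.
SAMPLE_EVENTS = [
    {  # 0: ADFS service config rewritten by an interactive user -> fires
        "metadata.event_type": "FILE_MODIFICATION",
        "target.file.full_path": r"C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe.config",
        "principal.user.userid": "jdoe",
    },
    {  # 1: log file in the ADFS directory -> extension filter excludes it
        "metadata.event_type": "FILE_MODIFICATION",
        "target.file.full_path": r"C:\Windows\ADFS\adfs.log",
        "principal.user.userid": "jdoe",
    },
    {  # 2: PTA agent started by the Service Control Manager -> expected parent, no alert
        "metadata.event_type": "PROCESS_LAUNCH",
        "principal.process.file.full_path": r"C:\Windows\System32\services.exe",
        "target.process.file.full_path": r"C:\Program Files\PTA Agent\AzureADConnectAuthenticationAgentService.exe",
    },
    {  # 3: PTA agent started from PowerShell -> anomalous parent, fires
        "metadata.event_type": "PROCESS_LAUNCH",
        "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "target.process.file.full_path": r"C:\Program Files\PTA Agent\AzureADConnectAuthenticationAgentService.exe",
    },
    {  # 4: Azure AD audit entry for a new PTA agent -> fires
        "metadata.event_type": "USER_RESOURCE_UPDATE_CONTENT",
        "metadata.product_event_type": "Register connector",
    },
    {  # 5: DLL written by the deployment account -> matches the rule, suppressed by tuning
        "metadata.event_type": "FILE_MODIFICATION",
        "target.file.full_path": r"C:\Windows\ADFS\Microsoft.IdentityServer.Service.dll",
        "principal.user.userid": "svc-adfs-deploy",
    },
]

if __name__ == "__main__":
    for idx, branch in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {branch}")
```

Running it reports events 0, 3 and 4. Event 5 shows the tuning trade-off: allowlisting a deployment account removes change-window noise but also blinds the file-tamper branch to that account, so the allowlist should be paired with a change-ticket check or a time window rather than left permanent.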
Testing Methodology
Validate this detection against the three Atomic Red Team tests for T1556.007. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: List Current PTA Agents (Reconnaissance)
  Expected signal: Azure AD audit log OperationName 'Get service principal' (read operations). PowerShell ScriptBlock Log Event ID 4104 containing the Get-AzureADServicePrincipal command. Network connection from PowerShell to Azure AD Graph API endpoints.
- Test 2: Check ADFS Configuration File Integrity
  Expected signal: Sysmon Event ID 12/13 (Registry) or Event ID 7 (ImageLoad) from PowerShell accessing ADFS directories. File access events in the Security Event Log (4663) if file system auditing is enabled on the ADFS directory.
- Test 3: Simulate AADInternals PTASpy Installation Indicators
  Expected signal: PowerShell ScriptBlock Log Event ID 4104 containing the simulation command. Sysmon Event ID 1 for powershell.exe. Any Get-Service calls appear in PowerShell module logging (Event ID 4103).
References (6)
- https://attack.mitre.org/techniques/T1556/007/
- https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- https://o365blog.com/post/on-prem_admin/
- https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.007/T1556.007.md