T1556.007 CrowdStrike LogScale · LogScale

Detect Hybrid Identity in CrowdStrike LogScale

Adversaries may patch or backdoor cloud authentication processes tied to on-premises identities to bypass authentication, access credentials, and enable persistent access. Methods include: injecting a malicious DLL (PTASpy via AADInternals) into the AzureADConnectAuthenticationAgentService to authorize all authentication attempts and record credentials; modifying Microsoft.IdentityServer.Servicehost.exe.config (ADFS) to load a malicious DLL generating tokens for any user (APT29 MagicWeb); and registering a new PTA agent via the web console. Detection requires monitoring of Azure AD Connect processes, ADFS configuration files, and PTA agent registrations.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.007 Hybrid Identity
Canonical reference
https://attack.mitre.org/techniques/T1556/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName = /ProcessRollup2|SyntheticProcessRollup2|FileWritten|PeFileWritten/
| test {
    ImageFileName = /(?i)AzureADConnectAuthenticationAgentService\.exe/
    OR TargetFileName = /(?i)(\\ADFS\\|Microsoft\.IdentityServer|AzureADConnectAuthentication).+\.(dll|config|exe)$/
    OR (
      ImageFileName = /(?i)AzureADConnectAuthenticationAgentService/
      AND NOT ParentBaseFileName = /(?i)(services\.exe|svchost\.exe)/
    )
  }
| DetectionType := if(
    TargetFileName = /(?i)\.(dll|config)$/, "ADFS_File_Tampering",
    if(
      ImageFileName = /(?i)AzureADConnectAuthenticationAgentService/
        AND NOT ParentBaseFileName = /(?i)(services\.exe|svchost\.exe)/,
      "Suspicious_PTA_Spawn",
      "AzureADConnect_File_Activity"
    )
  )
| select([ComputerName, DetectionType, #event_simpleName, ImageFileName, CommandLine, ParentBaseFileName, TargetFileName, UserName, SHA256HashData])
| sort(field=@timestamp, order=desc)
critical severity high confidence

CrowdStrike LogScale (Falcon CQL) detection for T1556.007 Hybrid Identity using ProcessRollup2, SyntheticProcessRollup2, FileWritten, and PeFileWritten Falcon telemetry events. Detects three behavioral patterns: DLL or config file writes into ADFS and AzureADConnect directories (PTASpy/MagicWeb staging), AzureADConnectAuthenticationAgentService.exe launched by unexpected parent processes (DLL injection side effect), and general AzureADConnect file activity for broader coverage. Results are classified by DetectionType and enriched with SHA256 for IOC pivoting.

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2)CrowdStrike Falcon Endpoint (SyntheticProcessRollup2)CrowdStrike Falcon Endpoint (FileWritten)CrowdStrike Falcon Endpoint (PeFileWritten)

Required Tables

ProcessRollup2SyntheticProcessRollup2FileWrittenPeFileWritten

False Positives & Tuning

  • CrowdStrike Falcon sensor self-updates or policy enforcement actions that write files to monitored identity service directories, generating PeFileWritten events
  • Legitimate IT automation pipelines (Ansible, SCCM, Intune) deploying Azure AD Connect upgrades that produce correlated ProcessRollup2 and FileWritten events within the same time window
  • Microsoft Identity Manager or other IAM federation products co-located with ADFS that write to overlapping directory paths and launch child processes during normal operation
Download portable Sigma rule (.yml)

Other platforms for T1556.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1List Current PTA Agents (Reconnaissance)

    Expected signal: Azure AD audit log: OperationName 'Get service principal' — read operations. PowerShell ScriptBlock Log Event ID 4104 with the Get-AzureADServicePrincipal command. Network connection from PowerShell to Azure AD Graph API endpoints.

  2. Test 2Check ADFS Configuration File Integrity

    Expected signal: Sysmon Event ID 12/13 (Registry) or Event ID 7 (ImageLoad) from PowerShell accessing ADFS directories. File access events in Security Event Log (4663) if file system auditing is enabled on the ADFS directory.

  3. Test 3Simulate AADInternals PTASpy Installation Indicators

    Expected signal: PowerShell ScriptBlock Log Event ID 4104 with the simulation command. Sysmon Event ID 1 for powershell.exe. Any Get-Service calls appear in PowerShell module logging (Event ID 4103).

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1556.006Multi-Factor AuthenticationT1055Process InjectionT1606.002SAML TokensT1078.004Cloud AccountsT1136.003Cloud Account

Same Tactic: Credential Access

Popular Detections