T1556.007 IBM QRadar · QRadar

Detect Hybrid Identity in IBM QRadar

Adversaries may patch or backdoor cloud authentication processes tied to on-premises identities to bypass authentication, access credentials, and enable persistent access. Methods include: injecting a malicious DLL (PTASpy via AADInternals) into the AzureADConnectAuthenticationAgentService to authorize all authentication attempts and record credentials; modifying Microsoft.IdentityServer.Servicehost.exe.config (ADFS) to load a malicious DLL generating tokens for any user (APT29 MagicWeb); and registering a new PTA agent via the web console. Detection requires monitoring of Azure AD Connect processes, ADFS configuration files, and PTA agent registrations.

MITRE ATT&CK

Tactic
Credential Access Defense Evasion Persistence
Technique
T1556 Modify Authentication Process
Sub-technique
T1556.007 Hybrid Identity
Canonical reference
https://attack.mitre.org/techniques/T1556/007/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  CATEGORYNAME(category) AS category,
  QIDNAME(qid) AS event_name,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  hostname,
  "EventID" AS event_id,
  "File Path" AS file_path,
  "Image" AS process_image,
  "ParentImage" AS parent_image,
  "CommandLine" AS command_line
FROM events
WHERE
  (
    LOGSOURCETYPEID(devicetype) = 452
    AND (
      LOWER(QIDNAME(qid)) LIKE '%pta%'
      OR LOWER(QIDNAME(qid)) LIKE '%pass-through%'
      OR LOWER(QIDNAME(qid)) LIKE '%pass through%'
      OR LOWER(QIDNAME(qid)) LIKE '%add agent%'
      OR LOWER(QIDNAME(qid)) LIKE '%register connector%'
    )
  )
  OR (
    LOGSOURCETYPEID(devicetype) = 433
    AND "EventID" IN (1, 11)
    AND (
      LOWER("File Path") LIKE '%\adfs\%'
      OR LOWER("File Path") LIKE '%microsoft.identityserver%'
      OR LOWER("File Path") LIKE '%azureadconnectauthenticationagentservice%'
    )
    AND (
      LOWER("File Path") LIKE '%.dll'
      OR LOWER("File Path") LIKE '%.config'
      OR LOWER("File Path") LIKE '%.exe'
    )
  )
  OR (
    LOGSOURCETYPEID(devicetype) = 433
    AND "EventID" = 1
    AND LOWER("Image") LIKE '%azureadconnectauthenticationagentservice%'
    AND LOWER("ParentImage") NOT LIKE '%services.exe%'
    AND LOWER("ParentImage") NOT LIKE '%svchost.exe%'
  )
ORDER BY devicetime DESC
LAST 24 HOURS
critical severity medium confidence

Detects T1556.007 Hybrid Identity attacks in IBM QRadar by correlating Azure AD audit log events (LOGSOURCETYPEID 452) for PTA agent and connector registration operations, Sysmon EventID 11 file creation events targeting ADFS and AzureADConnect service directories with sensitive extensions, and Sysmon EventID 1 process launch events where AzureADConnectAuthenticationAgentService.exe is spawned outside of normal service control manager ancestry.

Data Sources

Azure Active Directory DSM (QRadar)Microsoft Windows Sysmon DSM (QRadar)Microsoft Windows Security Event Log DSM (QRadar)

Required Tables

events

False Positives & Tuning

  • Authorized Azure AD Connect upgrades by IT engineering that legitimately register new PTA agents, generating audit events matching the Azure AD log filter
  • Microsoft Defender for Identity sensor updates or ADFS role installations by Windows Update that write new DLL versions to monitored directories
  • Legitimate AzureADConnect health monitoring processes that launch diagnostic binaries, which may appear as unexpected child processes in Sysmon EventID 1 data
Download portable Sigma rule (.yml)

Other platforms for T1556.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1List Current PTA Agents (Reconnaissance)

    Expected signal: Azure AD audit log: OperationName 'Get service principal' — read operations. PowerShell ScriptBlock Log Event ID 4104 with the Get-AzureADServicePrincipal command. Network connection from PowerShell to Azure AD Graph API endpoints.

  2. Test 2Check ADFS Configuration File Integrity

    Expected signal: Sysmon Event ID 12/13 (Registry) or Event ID 7 (ImageLoad) from PowerShell accessing ADFS directories. File access events in Security Event Log (4663) if file system auditing is enabled on the ADFS directory.

  3. Test 3Simulate AADInternals PTASpy Installation Indicators

    Expected signal: PowerShell ScriptBlock Log Event ID 4104 with the simulation command. Sysmon Event ID 1 for powershell.exe. Any Get-Service calls appear in PowerShell module logging (Event ID 4103).

Last updated: 2026-04-13 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1556.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1556Modify Authentication Process

Related Sub-techniques

T1556.001Domain Controller AuthenticationT1556.002Password Filter DLLT1556.003Pluggable Authentication ModulesT1556.004Network Device AuthenticationT1556.005Reversible EncryptionT1556.006Multi-Factor AuthenticationT1556.008Network Provider DLLT1556.009Conditional Access Policies

Related Techniques

T1556Modify Authentication ProcessT1556.006Multi-Factor AuthenticationT1055Process InjectionT1606.002SAML TokensT1078.004Cloud AccountsT1136.003Cloud Account

Same Tactic: Credential Access

Popular Detections