Detect Hybrid Identity in Splunk
Adversaries may patch or backdoor cloud authentication processes tied to on-premises identities to bypass authentication, access credentials, and enable persistent access. Methods include: injecting a malicious DLL (PTASpy via AADInternals) into the AzureADConnectAuthenticationAgentService to authorize all authentication attempts and record credentials; modifying Microsoft.IdentityServer.Servicehost.exe.config (ADFS) to load a malicious DLL generating tokens for any user (APT29 MagicWeb); and registering a new PTA agent via the web console. Detection requires monitoring of Azure AD Connect processes, ADFS configuration files, and PTA agent registrations.
MITRE ATT&CK
- Technique
- T1556 Modify Authentication Process
- Sub-technique
- T1556.007 Hybrid Identity
- Canonical reference
- https://attack.mitre.org/techniques/T1556/007/
SPL Detection Query
index=azure_audit OR index=wineventlog
sourcetype IN ("azure:aad:audit", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval EventType=case(
sourcetype="azure:aad:audit", "AzureAD",
EventCode=1, "ProcessCreate",
EventCode=11, "FileCreate",
1==1, "Other"
)
| where (EventType="AzureAD" AND match(OperationName, "(?i)(PTA|pass.through|agent|connector)"))
OR (EventType="ProcessCreate" AND match(Image, "(?i)AzureADConnect") AND NOT match(ParentImage, "(?i)(services\.exe|svchost\.exe)"))
OR (EventType="FileCreate" AND (match(TargetFilename, "(?i)(ADFS|IdentityServer|AzureADConnect)") AND match(TargetFilename, "\.(dll|config)$")))
| table _time, EventType, Image, TargetFilename, OperationName, User, host
| sort - _timeDetects hybrid identity backdoor activity across Azure AD audit logs and Windows endpoint telemetry (Sysmon). Combines PTA agent registration events from Azure AD with local process and file events on Azure AD Connect and ADFS servers.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate Azure AD Connect version upgrades
- Authorized ADFS server patching and configuration updates
- New PTA agents deployed during capacity expansion
- Identity team performing authorized maintenance during change windows
Other platforms for T1556.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1List Current PTA Agents (Reconnaissance)
Expected signal: Azure AD audit log: OperationName 'Get service principal' — read operations. PowerShell ScriptBlock Log Event ID 4104 with the Get-AzureADServicePrincipal command. Network connection from PowerShell to Azure AD Graph API endpoints.
- Test 2Check ADFS Configuration File Integrity
Expected signal: Sysmon Event ID 12/13 (Registry) or Event ID 7 (ImageLoad) from PowerShell accessing ADFS directories. File access events in Security Event Log (4663) if file system auditing is enabled on the ADFS directory.
- Test 3Simulate AADInternals PTASpy Installation Indicators
Expected signal: PowerShell ScriptBlock Log Event ID 4104 with the simulation command. Sysmon Event ID 1 for powershell.exe. Any Get-Service calls appear in PowerShell module logging (Event ID 4103).
References (6)
- https://attack.mitre.org/techniques/T1556/007/
- https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/
- https://blog.xpnsec.com/azuread-connect-for-redteam/
- https://o365blog.com/post/on-prem_admin/
- https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.007/T1556.007.md
Unlock Pro Content
Get the full detection package for T1556.007 including response playbook, investigation guide, and atomic red team tests.