T1556.007 Sumo Logic CSE · Sumo

Detect Hybrid Identity in Sumo Logic CSE

Adversaries may patch or backdoor cloud authentication processes tied to on-premises identities to bypass authentication, access credentials, and enable persistent access. Methods include: injecting a malicious DLL (PTASpy via AADInternals) into the AzureADConnectAuthenticationAgentService to authorize all authentication attempts and record credentials; modifying Microsoft.IdentityServer.Servicehost.exe.config (ADFS) to load a malicious DLL generating tokens for any user (APT29 MagicWeb); and registering a new PTA agent via the web console. Detection requires monitoring of Azure AD Connect processes, ADFS configuration files, and PTA agent registrations.

MITRE ATT&CK

  • Tactic: Credential Access, Defense Evasion, Persistence
  • Technique: T1556 Modify Authentication Process
  • Sub-technique: T1556.007 Hybrid Identity
  • Canonical reference: https://attack.mitre.org/techniques/T1556/007/

Sumo Detection Query

Sumo Logic CSE (Sumo) query:
(_sourceCategory=azure/audit OR _sourceCategory=windows/sysmon OR _sourceCategory=windows/security)
| parse field=_raw "\"operationName\":\"*\"" as operationName nodrop
| parse field=_raw "Image: *" as image nodrop
| parse field=_raw "ParentImage: *" as parentImage nodrop
| parse field=_raw "TargetFilename: *" as targetFilename nodrop
| parse field=_raw "CommandLine: *" as commandLine nodrop
| parse field=_raw "EventID: *" as eventId nodrop
| where (
    matches(toLowerCase(operationName), "*pta*")
    OR matches(toLowerCase(operationName), "*pass-through*")
    OR matches(toLowerCase(operationName), "*add agent to application*")
    OR matches(toLowerCase(operationName), "*register connector*")
  )
  OR (
    (eventId = "11" OR eventId = "1")
    AND (
      matches(toLowerCase(targetFilename), "*\\adfs\\*")
      OR matches(toLowerCase(targetFilename), "*microsoft.identityserver*")
      OR matches(toLowerCase(targetFilename), "*azureadconnect*")
    )
    AND (
      matches(toLowerCase(targetFilename), "*.dll")
      OR matches(toLowerCase(targetFilename), "*.config")
      OR matches(toLowerCase(targetFilename), "*.exe")
    )
  )
  OR (
    eventId = "1"
    AND matches(toLowerCase(image), "*azureadconnectauthenticationagentservice*")
    AND !matches(toLowerCase(parentImage), "*services.exe*")
    AND !matches(toLowerCase(parentImage), "*svchost.exe*")
  )
| fields _messageTime, operationName, image, parentImage, targetFilename, commandLine, eventId, _sourceHost
| sort by _messageTime desc
Severity: critical. Confidence: high.

This query detects T1556.007 Hybrid Identity activity in Sumo Logic by parsing the raw events and alerting when any one of three conditions holds: an Azure AD audit operationName that indicates PTA agent or connector registration; a Sysmon Event ID 11 or Event ID 1 record whose TargetFilename is a DLL, configuration file or executable under an ADFS, Microsoft.IdentityServer or AzureADConnect path; or a Sysmon Event ID 1 record in which AzureADConnectAuthenticationAgentService.exe is started by a parent other than services.exe or svchost.exe. The file-write and anomalous-parent conditions are the indicators of PTASpy DLL injection or MagicWeb backdoor activity.
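To make the query's matching logic checkable offline, here is an added Python re-implementation of its three branches run over constructed sample events (this is an added example, not code from the page, Sumo Logic or the detection vendor). It assumes the Sysmon records are rendered one "Field: value" per line, which is what the query's parse statements also assume, and it emulates Sumo's glob `matches()` with `fnmatch`.

```python
"""Added example (not the page's or Sumo Logic's code): the three branches of
the Sumo query above re-implemented in Python and run over constructed sample
events, so the matching logic can be checked offline."""
import re
from fnmatch import fnmatchcase

# Branch 1: Azure AD audit operation names tied to PTA agent / connector registration.
PTA_OPERATION_GLOBS = ("*pta*", "*pass-through*",
                       "*add agent to application*", "*register connector*")
# Branch 2: Sysmon 11 (FileCreate) / 1 (ProcessCreate) records whose TargetFilename
# is a DLL, config or EXE under an ADFS, IdentityServer or AzureADConnect path.
IDENTITY_PATH_GLOBS = ("*\\adfs\\*", "*microsoft.identityserver*", "*azureadconnect*")
IDENTITY_FILE_GLOBS = ("*.dll", "*.config", "*.exe")
# Branch 3: the PTA agent service launched by something other than the SCM.
AGENT_IMAGE_GLOBS = ("*azureadconnectauthenticationagentservice*",)
CANONICAL_PARENT_GLOBS = ("*services.exe*", "*svchost.exe*")

FIELDS = ("image", "parentImage", "targetFilename", "commandLine", "eventId")
LABELS = {"image": "Image", "parentImage": "ParentImage", "targetFilename": "TargetFilename",
          "commandLine": "CommandLine", "eventId": "EventID"}


def parse_event(raw):
    """Extract the same fields as the query's `parse ... nodrop` lines.
    Absent fields become "" (nodrop keeps the record instead of dropping it)."""
    ev = {name: "" for name in FIELDS}
    m = re.search(r'"operationName":"([^"]*)"', raw)
    ev["operationName"] = m.group(1) if m else ""
    for name in FIELDS:
        # Anchor at line start so "Image:" does not match inside "ParentImage:".
        m = re.search(rf"^{LABELS[name]}: (.*)$", raw, re.MULTILINE)
        if m:
            ev[name] = m.group(1).strip()
    return ev


def any_match(value, globs):
    """Emulate Sumo's matches(toLowerCase(x), glob) with fnmatch. Approximation:
    Sumo globs only know '*', while fnmatch also treats '?' and '[' specially."""
    value = value.lower()
    return any(fnmatchcase(value, g) for g in globs)


def classify(ev):
    """Return the name of the first query branch that fires, or None."""
    if any_match(ev["operationName"], PTA_OPERATION_GLOBS):
        return "pta_or_connector_registration"
    if (ev["eventId"] in ("11", "1")
            and any_match(ev["targetFilename"], IDENTITY_PATH_GLOBS)
            and any_match(ev["targetFilename"], IDENTITY_FILE_GLOBS)):
        return "identity_binary_or_config_write"
    if (ev["eventId"] == "1"
            and any_match(ev["image"], AGENT_IMAGE_GLOBS)
            and not any_match(ev["parentImage"], CANONICAL_PARENT_GLOBS)):
        return "agent_service_noncanonical_parent"
    return None


# Constructed sample events (not real telemetry). Sysmon records use the
# "Field: value" per-line rendering the query's parse statements assume.
SAMPLE_EVENTS = {
    "audit_add_agent": '{"operationName":"Add agent to application","result":"success"}',
    "sysmon11_adfs_config": (
        "EventID: 11\n"
        "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
        "TargetFilename: C:\\Windows\\ADFS\\Microsoft.IdentityServer.Servicehost.exe.config\n"),
    "sysmon1_agent_odd_parent": (
        "EventID: 1\n"
        "Image: C:\\Program Files\\Microsoft Azure AD Connect Authentication Agent\\AzureADConnectAuthenticationAgentService.exe\n"
        "ParentImage: C:\\Users\\admin\\AppData\\Local\\Temp\\loader.exe\n"),
    "sysmon1_agent_services_exe": (
        "EventID: 1\n"
        "Image: C:\\Program Files\\Microsoft Azure AD Connect Authentication Agent\\AzureADConnectAuthenticationAgentService.exe\n"
        "ParentImage: C:\\Windows\\System32\\services.exe\n"),
    "sysmon11_unrelated": (
        "EventID: 11\n"
        "Image: C:\\Windows\\System32\\svchost.exe\n"
        "TargetFilename: C:\\Windows\\Temp\\report.log\n"),
}


def run(events=SAMPLE_EVENTS):
    """Classify every event; returns {label: branch-name-or-None}."""
    return {label: classify(parse_event(raw)) for label, raw in events.items()}


if __name__ == "__main__":
    for label, branch in run().items():
        print(f"{label:28s} -> {branch}")
```

Two things the walk-through makes visible. First, Sysmon Event ID 1 (ProcessCreate) records carry no TargetFilename field, so the `eventId = "1"` half of the file-path branch only fires if some other source populates that field; in practice the Event ID 1 coverage comes from the anomalous-parent branch. Second, the `parse` anchors (`EventID: `, `Image: `) depend on the forwarded rendering; if Sysmon arrives as XML or JSON rather than the message text, the anchors need adjusting or the fields never populate and `nodrop` silently yields empty strings.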

Data Sources

  • Azure AD Audit Logs (_sourceCategory=azure/audit)
  • Windows Sysmon (_sourceCategory=windows/sysmon)
  • Windows Security Event Log (_sourceCategory=windows/security)

Required Tables

  • _sourceCategory=azure/audit
  • _sourceCategory=windows/sysmon
  • _sourceCategory=windows/security

False Positives & Tuning

  • Scheduled Azure AD Connect version upgrades that legitimately register new PTA agents and update service binaries, generating correlated file and audit events
  • Windows Update or ADFS role patching cycles writing new Microsoft-signed DLLs to monitored directories during approved maintenance windows
  • Third-party identity management products such as Ping Identity or Okta AD Agent that co-locate with ADFS and interact with overlapping directory paths
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: List Current PTA Agents (Reconnaissance)

     Expected signal: Azure AD audit log OperationName 'Get service principal' (read operations). PowerShell ScriptBlock Log Event ID 4104 containing the Get-AzureADServicePrincipal command. Network connection from PowerShell to Azure AD Graph API endpoints.

  2. Test 2: Check ADFS Configuration File Integrity

     Expected signal: Sysmon Event ID 12/13 (Registry) or Event ID 7 (ImageLoad) from PowerShell accessing ADFS directories. File access events in the Security Event Log (4663) if file system auditing is enabled on the ADFS directory.

  3. Test 3: Simulate AADInternals PTASpy Installation Indicators

     Expected signal: PowerShell ScriptBlock Log Event ID 4104 with the simulation command. Sysmon Event ID 1 for powershell.exe. Any Get-Service calls appear in PowerShell module logging (Event ID 4103).
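Test 2 exercises an integrity check of the ADFS configuration file, the file MagicWeb tampers with to load an extra DLL. As an added example (not from the page, the vendor or Atomic Red Team), the Python below shows what such a check can do beyond a plain hash comparison: it parses the `<assemblyBinding>` section that .NET application config files use and reports any binding that was added or removed relative to a baseline. The config contents, the assembly names and the `C:/Windows/ADFS/Unexpected.dll` path are constructed for illustration; the only assumption about the real file is that its binding section uses the standard `urn:schemas-microsoft-com:asm.v1` namespace.

```python
"""Added example for Test 2 (not from the page or Atomic Red Team): a baseline
check for an ADFS application config that flags new or changed assembly
bindings. Config contents and paths below are constructed for illustration."""
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by .NET <assemblyBinding> sections in application config files.
ASM_NS = "urn:schemas-microsoft-com:asm.v1"

# Constructed baseline: what a known-good Microsoft.IdentityServer.Servicehost.exe.config
# is assumed to look like in this example (only the relevant section is shown).
BASELINE_CONFIG = """<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Example.Core" publicKeyToken="0000000000000000" culture="neutral" />
        <bindingRedirect oldVersion="1.0.0.0-1.9.9.9" newVersion="2.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed tampered copy: one extra binding that points the loader at a DLL
# under the ADFS directory via a codeBase href (placeholder path, not a real IoC).
TAMPERED_CONFIG = BASELINE_CONFIG.replace(
    "    </assemblyBinding>",
    "      <dependentAssembly>\n"
    '        <assemblyIdentity name="Example.Unexpected" publicKeyToken="0000000000000000" culture="neutral" />\n'
    '        <codeBase version="1.0.0.0" href="file:///C:/Windows/ADFS/Unexpected.dll" />\n'
    "      </dependentAssembly>\n"
    "    </assemblyBinding>")


def sha256_text(text):
    """Whole-file digest, the value an analyst would store alongside the baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def assembly_bindings(config_xml):
    """Return {(name, publicKeyToken, codeBase href)} for every dependentAssembly."""
    root = ET.fromstring(config_xml)
    bindings = set()
    for dep in root.iter(f"{{{ASM_NS}}}dependentAssembly"):
        ident = dep.find(f"{{{ASM_NS}}}assemblyIdentity")
        if ident is None:
            continue
        code = dep.find(f"{{{ASM_NS}}}codeBase")
        href = code.get("href", "") if code is not None else ""
        bindings.add((ident.get("name", ""), ident.get("publicKeyToken", ""), href))
    return bindings


def diff_bindings(baseline_xml, current_xml):
    """(added, removed) binding tuples of the current file relative to the baseline."""
    base, cur = assembly_bindings(baseline_xml), assembly_bindings(current_xml)
    return cur - base, base - cur


def check_config(current_xml, baseline_xml):
    """Hash first (cheap, catches any edit), then the semantic diff so the analyst
    sees what changed. A newly added binding with a codeBase href is treated as
    suspicious because it redirects assembly loading to an explicit file path."""
    result = {"hash_matches": sha256_text(current_xml) == sha256_text(baseline_xml)}
    result["added"], result["removed"] = diff_bindings(baseline_xml, current_xml)
    result["suspicious"] = any(href for _, _, href in result["added"])
    return result


if __name__ == "__main__":
    r = check_config(TAMPERED_CONFIG, BASELINE_CONFIG)
    print("hash matches:", r["hash_matches"], "| suspicious:", r["suspicious"])
    for b in sorted(r["added"]):
        print("added binding:", b)
```

In production the baseline hash and binding set would be captured from a known-good host after each approved ADFS patch cycle; the False Positives section above already notes that Windows Update and role patching rewrite files in these directories, so the baseline must be refreshed during those maintenance windows or the check will fire on every legitimate update.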
