title: Hybrid Identity (T1556.007)
id: df00tech-t1556-007
status: experimental
description: "Adversaries may patch or backdoor the cloud authentication components that front on-premises identities (Azure AD Connect pass-through authentication, AD FS) to bypass authentication, harvest credentials, and keep persistent access. Known methods: injecting a malicious DLL into AzureADConnectAuthenticationAgentService so that every authentication attempt is approved and the submitted credentials are recorded (PTASpy via AADInternals); modifying the AD FS configuration file Microsoft.IdentityServer.Servicehost.exe.config so the service loads a malicious DLL that issues tokens for any user (APT29 MagicWeb); and registering an attacker-controlled PTA agent through the web console. Detection requires monitoring DLL loads into the Azure AD Connect / PTA agent process, changes to AD FS configuration files, and new PTA agent registrations."
references:
  - https://attack.mitre.org/techniques/T1556/007/
  - https://df00tech.com/detections/T1556.007
author: df00tech
date: 2026-04-13
tags:
  - attack.credential_access
  - attack.defense_evasion
  - attack.persistence
  - attack.t1556.007
# NOTE: logsource and selection are derived from the description above and may need
# adjustment for your environment. The placeholder EventID: '*' match was removed:
# at level critical it would have fired on every event in the category.
logsource:
  category: image_load
  product: windows
detection:
  # The PTA agent and the AD FS service host should only ever load Microsoft-signed
  # DLLs; PTASpy and MagicWeb both work by getting a foreign DLL into these processes.
  # The AD FS config-file and PTA agent registration checks need other log sources;
  # see the KQL/SPL query on df00tech.
  selection_hosts:
    Image|endswith:
      - '\AzureADConnectAuthenticationAgentService.exe'
      - '\Microsoft.IdentityServer.Servicehost.exe'
  filter_microsoft_signed:
    Signed: 'true'
    SignatureStatus: 'Valid'
    Signature|startswith: 'Microsoft '
  condition: selection_hosts and not filter_microsoft_signed
falsepositives:
  - Authorized Azure AD Connect upgrades that modify PTA agent binaries and configuration files
  - Legitimate new PTA agent registration during Azure AD Connect scale-out deployments
  - ADFS server updates or patches that modify Microsoft.IdentityServer binaries
  - "Configuration management tools (Ansible, DSC) deploying authorized ADFS configuration changes"
  - "Third-party DLLs (endpoint security or monitoring hooks) loaded into the PTA agent or ADFS service host; add an explicit filter for known signers"
level: critical
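The following is an added example and not the df00tech rule or its KQL/SPL: it runs the DLL-load and config-file checks implied by the description over constructed Sysmon-style events (EventID 7 = ImageLoad, EventID 11 = FileCreate; field names follow Sysmon). The PTA agent install directory, the accepted signer names, the installer allowlist and all sample paths and DLL names are assumptions, not facts from the page.

```python
# Added example (not the df00tech rule or its KQL/SPL): the DLL-load and config-file
# checks implied by the rule description, run over constructed Sysmon-style events.
# EventID 7 = ImageLoad, EventID 11 = FileCreate; field names follow Sysmon.
# Install directory, signer names and the installer allowlist are assumptions.

PTA_AGENT_EXE = "azureadconnectauthenticationagentservice.exe"
ADFS_SERVICEHOST_EXE = "microsoft.identityserver.servicehost.exe"
ADFS_CONFIG = "microsoft.identityserver.servicehost.exe.config"

# Assumed default PTA agent install directory (verify the value on your hosts).
PTA_AGENT_DIR = "c:\\program files\\microsoft azure ad connect authentication agent\\"
# Assumed signers accepted for DLLs loaded by either service.
TRUSTED_SIGNERS = {"Microsoft Corporation", "Microsoft Windows"}
# Assumed writers allowed to replace the AD FS config (patching and upgrades).
ALLOWED_CONFIG_WRITERS = {"msiexec.exe", "tiworker.exe", "trustedinstaller.exe"}


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def trusted_load(ev):
    """Sysmon 7 carries Signed / SignatureStatus / Signature for the loaded image."""
    return (ev.get("Signed") == "true"
            and ev.get("SignatureStatus") == "Valid"
            and ev.get("Signature") in TRUSTED_SIGNERS)


def check_image_load(ev):
    """Return a reason string if a hybrid-identity process loaded a suspect DLL."""
    host = basename(ev["Image"])
    loaded = ev["ImageLoaded"]
    if host == PTA_AGENT_EXE:
        # PTASpy-style injection: a DLL from outside the agent directory, or one
        # that is not Microsoft-signed, has no business inside the PTA agent.
        if not loaded.lower().startswith(PTA_AGENT_DIR) or not trusted_load(ev):
            return f"PTA agent loaded untrusted DLL {loaded}"
    elif host == ADFS_SERVICEHOST_EXE:
        # MagicWeb-style: the AD FS service host loading a non-Microsoft DLL.
        if not trusted_load(ev):
            return f"AD FS service host loaded untrusted DLL {loaded}"
    return None


def check_file_write(ev):
    """Return a reason string if the AD FS config was written by an unexpected process."""
    if basename(ev["TargetFilename"]) == ADFS_CONFIG:
        writer = basename(ev["Image"])
        if writer not in ALLOWED_CONFIG_WRITERS:
            return f"{ADFS_CONFIG} written by {writer}"
    return None


def evaluate(events):
    """Run both checks; return (event id, reason) for every hit, in input order."""
    hits = []
    for ev in events:
        reason = None
        if ev["EventID"] == 7:
            reason = check_image_load(ev)
        elif ev["EventID"] == 11:
            reason = check_file_write(ev)
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed sample events (not real telemetry); DLL names are illustrative.
PTA_IMAGE = ("C:\\Program Files\\Microsoft Azure AD Connect Authentication Agent\\"
             "AzureADConnectAuthenticationAgentService.exe")
ADFS_IMAGE = "C:\\Windows\\ADFS\\Microsoft.IdentityServer.Servicehost.exe"
ADFS_CONFIG_PATH = "C:\\Windows\\ADFS\\Microsoft.IdentityServer.Servicehost.exe.config"
SAMPLE_EVENTS = [
    {"id": 1, "EventID": 7, "Image": PTA_IMAGE, "ImageLoaded": "C:\\PTASpy\\PTASpy.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    {"id": 2, "EventID": 7, "Image": PTA_IMAGE,
     "ImageLoaded": "C:\\Program Files\\Microsoft Azure AD Connect Authentication Agent\\Agent.Core.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Corporation"},
    {"id": 3, "EventID": 7, "Image": ADFS_IMAGE, "ImageLoaded": "C:\\Windows\\ADFS\\Tokens.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    {"id": 4, "EventID": 11, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": ADFS_CONFIG_PATH},
    {"id": 5, "EventID": 11, "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": ADFS_CONFIG_PATH},
]

if __name__ == "__main__":
    for event_id, reason in evaluate(SAMPLE_EVENTS):
        print(f"ALERT event {event_id}: {reason}")
```

Events 1, 3 and 4 alert; event 2 (a Microsoft-signed DLL from the agent's own directory) and event 5 (the config replaced by msiexec.exe during an upgrade) do not. One caveat for the config-file check: Sysmon EventID 11 fires on file creation or overwrite, so an attacker editing Microsoft.IdentityServer.Servicehost.exe.config in place may not produce it; pair it with file-system auditing on the AD FS directory. The PTA agent registration described in the rule is visible only in Azure AD audit logs, which this example does not cover.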
