Modify Authentication Process: Hybrid Identity
Created the Friday 10 February 2023. Updated 1 year, 2 months ago.
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD:
Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Azure AD, allowing authentication to Azure AD to take place entirely in the cloud Pass Through Authentication (PTA), in which Azure AD authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Azure AD AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials. In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.
Technique Identifier
Technique Tags
Credential Access Defense Evasion Persistence backdoor cloud authentication processes bypass authentication mechanisms modifying authentication processes access credentials enable persistent access Active Directory Azure AD Password Hash Synchronization (PHS) Pass Through Authentication (PTA) Active Directory Federation Services (ADFS) AzureADConnectAuthenticationAgentService Microsoft.IdentityServer.Servicehost configuration file hybrid identity authentication process credentia harvesting APT29 inject malicious DLL
Additional Resources
External Links
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.
- Modify Authentication Process: Hybrid Identity, Sub-technique T1556.007 - Enterprise | MITRE ATT&CK®