Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Azure AD includes three options for synchronizing identities between Active Directory and Azure AD(Citation: Azure AD Hybrid Identity):
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Azure AD, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Azure AD tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Azure AD environment as any user.(Citation: Mandiant Azure AD Backdoors)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-02 | Account Management | Protects | T1556.007 | Hybrid Identity | |
| AC-03 | Access Enforcement | Protects | T1556.007 | Hybrid Identity | |
| AC-06 | Least Privilege | Protects | T1556.007 | Hybrid Identity | |
| IA-11 | Re-authentication | Protects | T1556.007 | Hybrid Identity | |
| IA-02 | Identification and Authentication (organizational Users) | Protects | T1556.007 | Hybrid Identity |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ME-RBAC-E3 | Role Based Access Control | Technique Scores | T1556.007 | Hybrid Identity |
Comments
The RBAC control can be used to implement the principle of least privilege to limit Global Administrator accounts, and ensure these accounts are cloud-only. This scores Partial for its ability to minimize hybrid accounts with administrative privileges.
License Requirements:
ME-ID Built-in Roles (Free)
References
|
| ME-PIM-E5 | Privileged Identity Management | Technique Scores | T1556.007 | Hybrid Identity |
Comments
The PIM control can enforce on-activation requirements for privileged roles, such as the Global Administrator, which may be used for modifying the hybrid identity authentication process from the cloud. Ideally, ensure these accounts are dedicated cloud-only rather than hybrid accounts. MFA can be required both when assigning Global Administrator, and/or when a user activates the role. PIM can also be used to assigned privileged roles as "eligible" rather than "active" to further, requiring activation of the assigned role before use. This scores Significant for its limitation of the overall accounts with these privileges, and the conditions for use.
License Requirements:
Microsoft Entra ID P2 or Microsoft Entra ID Governance
References
|