Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID (Citation: Azure AD Hybrid Identity):
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access. |
| PR.AA-05.02 | Privileged system access | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement protects against Hybrid Identity through the use of privileged account management and the use of multi-factor authentication. |
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement protects against Hybrid Identity through the use of privileged account management. Employing auditing, privileged access management, and just-in-time access protects against adversaries trying to obtain illicit access to critical systems. |
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement protects against Modify Authentication Process through key revocation and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, together with limitation to specific accounts and access control mechanisms, provides protection against adversaries attempting to use hybrid identities. |
| DE.CM-03.03 | Privileged account monitoring | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse. |
| PR.AA-03.01 | Authentication requirements | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement describes how the organization implements appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like PINs and passwords to protect sensitive access credentials. |
| PR.AA-01.01 | Identity and credential management | Mitigates | T1556.007 | Hybrid Identity | This diagnostic statement protects against Hybrid Identity through the use of hardened access control policies, secure defaults, password complexity requirements, multi-factor authentication requirements, and removal of terminated accounts. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IA-13 | Identity Providers and Authorization Servers | mitigates | T1556.007 | Hybrid Identity | |
| IA-11 | Re-authentication | mitigates | T1556.007 | Hybrid Identity | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1556.007 | Hybrid Identity | |
| AC-02 | Account Management | mitigates | T1556.007 | Hybrid Identity | |
| AC-03 | Access Enforcement | mitigates | T1556.007 | Hybrid Identity | |
| AC-06 | Least Privilege | mitigates | T1556.007 | Hybrid Identity | |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1556.007 | Hybrid Identity | This control can monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files. |
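As an added example that is not part of this mapping page or of Microsoft Defender's own code: a minimal baseline-and-compare file integrity check in Python, of the kind a File Integrity Monitoring control performs over the files the technique description above touches (the AD FS service host configuration file and the PTA agent binaries). It walks a directory standing in for an AD FS or PTA agent install path, records SHA-256 digests, and on a later pass reports files that were created, deleted or modified. The directory, the `ExampleOriginal.dll` and `Unexpected.dll` names, and the file contents are constructed for the demo; only the two file names that appear on this page are real.

```python
"""Baseline-and-compare file integrity check (added example, not the page's
or Microsoft's code). The sample directory and its contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root, baseline):
    """Compare the directory's current state with a stored baseline.

    Returns a sorted list of (relative_path, status) where status is one of
    "created", "deleted" or "modified". An unchanged tree yields an empty list.
    """
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append((rel, "created"))      # new file dropped into the directory
        elif rel not in current:
            findings.append((rel, "deleted"))      # baselined file removed
        elif baseline[rel] != current[rel]:
            findings.append((rel, "modified"))     # content changed since baseline
    return findings


def demo():
    """Build a constructed stand-in for an AD FS install directory, baseline it,
    then simulate the two changes the technique description mentions: an edit to
    the service host configuration file and a new DLL appearing on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "Microsoft.IdentityServer.Servicehost.exe.config"  # name from the page
        cfg.write_text("<configuration><system.serviceModel /></configuration>")
        # Placeholder for an existing, legitimate assembly (constructed name and bytes).
        (root / "ExampleOriginal.dll").write_bytes(b"MZ stand-in for an original assembly")

        baseline = build_baseline(root)

        # Simulated tampering, constructed for the demo.
        cfg.write_text("<configuration><system.serviceModel /><!-- edited --></configuration>")
        (root / "Unexpected.dll").write_bytes(b"MZ stand-in for a newly dropped assembly")

        return check_integrity(root, baseline)


if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:<9} {rel}")
```

In a real deployment the baseline would be persisted (for example as JSON) and `check_integrity` run on a schedule or from a file-change event; any "created" or "modified" result under the AD FS or PTA agent directories is worth an alert, since those trees change only during patching.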
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| advanced_protection_program | Advanced Protection Program | technique_scores | T1556.007 | Hybrid Identity | Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique. |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1556.007 | Hybrid Identity | The RBAC control can be used to implement the principle of least privilege to limit Global Administrator accounts, and ensure these accounts are cloud-only. This scores Partial for its ability to minimize hybrid accounts with administrative privileges. License requirements: ME-ID Built-in Roles (Free). |
| EID-PIM-E5 | Privileged Identity Management | Technique Scores | T1556.007 | Hybrid Identity | The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrator, which may be used for modifying the hybrid identity authentication process from the cloud. Ideally, ensure these accounts are dedicated cloud-only rather than hybrid accounts. MFA can be required when assigning Global Administrator and/or when a user activates the role. PIM can also be used to assign privileged roles as "eligible" rather than "active", requiring activation of the assigned role before use. This scores Significant for its limitation of the overall accounts with these privileges, and the conditions for use. License requirements: Microsoft Entra ID P2 or Microsoft Entra ID Governance. |
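As an added example that is not part of this mapping page or of Microsoft's tooling: a small Python audit for the point made in both the RBAC and PIM rows above, that accounts holding Global Administrator (or other privileged roles) should be cloud-only rather than hybrid. The input shape is modeled on Microsoft Graph user objects, where `userPrincipalName` and `onPremisesSyncEnabled` are real user properties and a synced account reports `onPremisesSyncEnabled` as true, but the role membership records below are constructed, not pulled from a tenant. The set of roles treated as privileged is an assumption to be adjusted per tenant.

```python
"""Flag privileged Entra ID role members that are hybrid (on-premises synced)
accounts. Added example; the role membership data below is constructed and
only mirrors the Graph user property names."""

# Roles treated as privileged for this audit (assumption; extend per tenant).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample, shaped like role -> list of Graph user objects.
SAMPLE_ROLE_MEMBERS = {
    "Global Administrator": [
        # Cloud-only account: Graph returns null for onPremisesSyncEnabled.
        {"userPrincipalName": "cloudadmin@example.onmicrosoft.com",
         "onPremisesSyncEnabled": None},
        # Hybrid account synced from on-premises AD.
        {"userPrincipalName": "jdoe@example.com",
         "onPremisesSyncEnabled": True},
    ],
    "Privileged Role Administrator": [
        {"userPrincipalName": "breakglass@example.onmicrosoft.com",
         "onPremisesSyncEnabled": False},
    ],
    "User Administrator": [
        # Hybrid, but the role is not in PRIVILEGED_ROLES, so it is not reported.
        {"userPrincipalName": "helpdesk@example.com",
         "onPremisesSyncEnabled": True},
    ],
}


def is_hybrid(user):
    """True when the account is synchronized from on-premises AD.

    Graph reports onPremisesSyncEnabled as true for synced users and as
    null (or false) for cloud-only users, so treat anything falsy as cloud-only.
    """
    return bool(user.get("onPremisesSyncEnabled"))


def find_hybrid_privileged(role_members, privileged_roles=PRIVILEGED_ROLES):
    """Return sorted (role, userPrincipalName) pairs for hybrid accounts
    that hold any of the given privileged roles."""
    findings = []
    for role, members in role_members.items():
        if role not in privileged_roles:
            continue
        for user in members:
            if is_hybrid(user):
                findings.append((role, user["userPrincipalName"]))
    return sorted(findings)


def summarize(role_members, privileged_roles=PRIVILEGED_ROLES):
    """Count cloud-only versus hybrid holders per privileged role."""
    summary = {}
    for role, members in role_members.items():
        if role not in privileged_roles:
            continue
        hybrid = sum(1 for u in members if is_hybrid(u))
        summary[role] = {"cloud_only": len(members) - hybrid, "hybrid": hybrid}
    return summary


if __name__ == "__main__":
    for role, upn in find_hybrid_privileged(SAMPLE_ROLE_MEMBERS):
        print(f"hybrid account in privileged role: {role}: {upn}")
    print(summarize(SAMPLE_ROLE_MEMBERS))
```

To run this against a real tenant, populate the dictionary from the directory role membership endpoints in Microsoft Graph, selecting at least `userPrincipalName` and `onPremisesSyncEnabled` for each member; any row returned by `find_hybrid_privileged` is a privileged account that an on-premises compromise of the synchronization path could reach.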