1. Home
  2. ATT&CK Techniques
  3. T1556.007 Hybrid Identity

T1556.007 Hybrid Identity

Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.

Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):

  • Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud
  • Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
  • Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID

AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.

By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)

In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1556.007 Hybrid Identity
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.AA-05.02 Privileged system access Mitigates T1556.007 Hybrid Identity
    Comments
    This diagnostic statement protects against Hybrid Identity through the use of privileged account management and the use of multi-factor authentication.
    References
      DE.CM-06.02 Third-party access monitoring Mitigates T1556.007 Hybrid Identity
      Comments
      This diagnostic statement protects against Hybrid Identity through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
      References
        PR.PS-01.07 Cryptographic keys and certificates Mitigates T1556.007 Hybrid Identity
        Comments
        This diagnostic statement protects against Modify Authentication Process through the use of revocation of keys and key management. Employing key protection strategies and key management for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to use hybrid identities.
        References
          DE.CM-03.03 Privileged account monitoring Mitigates T1556.007 Hybrid Identity
          Comments
          This diagnostic statement implements mechanisms and tools to mitigate potential misuse of privileged users and accounts. Continuous monitoring of role and attribute assignments and activity is essential to prevent and detect unauthorized access or misuse.
          References
            PR.AA-03.01 Authentication requirements Mitigates T1556.007 Hybrid Identity
            Comments
            This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
            References
              PR.AA-01.01 Identity and credential management Mitigates T1556.007 Hybrid Identity
              Comments
              This diagnostic statement protects against Hybrid Identity through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
              References

                NIST 800-53 Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                IA-13 Identity Providers and Authorization Servers mitigates T1556.007 Hybrid Identity
                IA-11 Re-authentication mitigates T1556.007 Hybrid Identity
                IA-02 Identification and Authentication (Organizational Users) mitigates T1556.007 Hybrid Identity
                AC-02 Account Management mitigates T1556.007 Hybrid Identity
                AC-03 Access Enforcement mitigates T1556.007 Hybrid Identity
                AC-06 Least Privilege mitigates T1556.007 Hybrid Identity

                Azure Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                file_integrity_monitoring Microsoft Defender for Cloud: File Integrity Monitoring technique_scores T1556.007 Hybrid Identity
                Comments
                This control can monitor for suspicious modification of files associated with hybrid identity authentication processes, such as configuration files.
                References
                1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview

                GCP Mappings

                Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
                advanced_protection_program Advanced Protection Program technique_scores T1556.007 Hybrid Identity
                Comments
                Advanced Protection Program enables the use of a security key for multi-factor authentication. Even in the event of compromised credentials, the lack of a security key would prevent an adversary from accessing the account. This leads to significant protection against the technique.
                References
                1. ['https://landing.google.com/advancedprotection/']