Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| IAM-14 | Strong Authentication | mitigates | T1556.007 | Hybrid Identity |
Comments
This control requires both CSP and CSC to independently enforce multi-factor authentication (MFA) for all non-console administrative, remote, sensitive data, and third-party access, implement secure centralized authentication systems and digital certificates, protect credentials, monitor authentication activity, and ensure strong, risk-based authentication measures are consistently applied and reviewed.
References
|
| IAM-13 | Uniquely Identifiable Users | mitigates | T1556.007 | Hybrid Identity |
Comments
This control requires both CSP and CSC to independently assign unique, cryptographically secure identifiers to users, ensure traceability and accountability for all access, including shared accounts, implement strong access controls, encryption for user identity data.
These techniques focus on mitigating attacker techniques against user services or machine accounts within cloud environments or identity management system.
References
|
| IAM-11 | CSCs Approval for Agreed Privileged Access Roles | mitigates | T1556.007 | Hybrid Identity |
Comments
This control requires both CSP and CSC to collaboratively identify high-risk data and privileged roles, enforce formal CSC approval workflows for CSP user access, use secure PAM systems, and implement comprehensive monitoring and reporting to ensure privileged access to sensitive CSC data is tightly controlled and traceable.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-10 | Management of Privileged Access Roles | mitigates | T1556.007 | Hybrid Identity |
Comments
This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| IAM-09 | Segregation of Privileged Access Roles | mitigates | T1556.007 | Hybrid Identity |
Comments
This control describes the periodic, risk-based, and reviews of privileged accounts and high-risk access configurations, ensuring these are accounts are managed and scrutinized to prevent unauthorized access or excessive privileges.
Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through
account permissions and roles, PAM solutions, or just-In-Time access.
References
|
| HRS-03 | Clean Desk Policy and Procedures | mitigates | T1556.007 | Hybrid Identity |
Comments
This control includes account management controls such as enabling multi-factor authentication (MFA), which can help prevent adversaries from modifying or manipulating authentication mechanisms.
References
|
| IAM-03 | Identity Inventory | mitigates | T1556.007 | Hybrid Identity |
Comments
This control describes how the CSP must actively maintain and review a comprehensive inventory of all system identities (users, services, applications, roles, groups) with access to cloud resources. Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. For this technique, adversaries may be able to modify the hybrid identity authentication process from the cloud. In terms of mitigation, reviewing the hybrid identity solution in use for any discrepancies could aid with thwarting the use of this technique.
References
|
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1556.007 | Hybrid Identity |
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes.
For this technique, adversaries may modify or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts. In. terms of mitigation, integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics.
References
|