MITRE ATT&CK® Analytic

AN0814: Analytic 0814

Detects injection or tampering of DLLs in hybrid identity agents (e.g., AzureADConnectAuthenticationAgentService), registry or configuration changes tied to PTA/AD FS, and anomalous LSASS or AD FS module loads correlated with authentication anomalies.

Enterprise | AN0814 | Analytic Object | v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because hybrid identity components such as Azure AD Connect authentication agents, Pass-through Authentication, and AD FS sit directly in the sign-in path between on-premises Windows infrastructure and cloud identity. DLL tampering, registry or configuration changes, or unusual LSASS/AD FS module loads around these systems can indicate that authentication trust is being manipulated. For leaders, the decision value is confirming whether identity infrastructure has enough monitoring to support fast incident decisions when sign-in integrity is questioned.

Executive priority

Prioritize this as an identity resilience and incident-readiness control area, not just a malware detection. If hybrid identity services are business-critical, executives should ask whether the organization can prove what changed on those servers, what modules loaded into sensitive processes, and whether authentication anomalies can be correlated quickly. This supports continuity planning, audit evidence for privileged identity systems, and prioritization of monitoring around Windows-based identity bridge infrastructure.

Technical view

For SOC, detection engineering, and IR teams, validate telemetry on Windows systems hosting hybrid identity roles. The supplied analytic focuses on DLL injection or tampering in hybrid identity agents, registry or configuration changes tied to PTA/AD FS, and anomalous LSASS or AD FS module loads correlated with authentication anomalies. Because no official detection logic or ATT&CK tactic mapping is provided, teams should treat this as a validation requirement: confirm visibility into process/module loads, service and file integrity changes, registry/configuration modification events, and authentication anomaly signals, then correlate them specifically around AzureADConnectAuthenticationAgentService, AD FS components, LSASS, and PTA-related configuration.

Likely telemetry

  • Windows process and module load telemetry for LSASS, AD FS services, and hybrid identity agent processes
  • File integrity or endpoint telemetry for DLL creation, replacement, or modification in hybrid identity agent and AD FS paths
  • Windows registry change telemetry for PTA, AD FS, and authentication-agent-related configuration
  • Service configuration and startup/change events for hybrid identity agent services such as AzureADConnectAuthenticationAgentService
  • AD FS and Windows authentication logs showing unusual sign-in, token, or authentication error patterns

Detection direction

  • Inventory Windows servers that host Azure AD Connect authentication agents, PTA components, AD FS, or related hybrid identity roles before tuning detection scope.
  • Baseline expected DLL/module loads for hybrid identity agent processes, AD FS services, and LSASS, then alert on new, unsigned, unexpected, or path-anomalous modules where local policy supports it.
  • Correlate registry/configuration changes with authentication anomalies rather than treating every administrative change as malicious; planned maintenance and upgrades are likely false-positive sources.
  • Ensure detection logic distinguishes authorized identity infrastructure updates from suspicious tampering by using change tickets, maintenance windows, code-signing status, file paths, and administrator context.
  • Look for blind spots where identity servers lack endpoint telemetry, module-load logging, registry auditing, or centralized authentication-log collection.
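The baseline-then-correlate approach described in the detection direction above, written out as an added example (this is not Glexia's or MITRE's code, and AN0814 ships no detection logic). It assumes Sysmon-style image-load records with `image`, `image_loaded` and `signed` fields, a constructed allow-list of expected modules for LSASS and the authentication agent process, placeholder registry key names rather than real PTA/AD FS keys, and a list of approved maintenance windows standing in for change-ticket context:

```python
from datetime import datetime, timedelta

# Constructed baseline of modules expected in each watched process (lower-case paths).
# The module names and paths are illustrative assumptions, not an authoritative allow-list.
BASELINE = {
    "lsass.exe": {
        "c:\\windows\\system32\\lsasrv.dll",
        "c:\\windows\\system32\\msv1_0.dll",
    },
    "azureadconnectauthenticationagentservice.exe": {
        "c:\\program files\\microsoft azure ad connect authentication agent\\agent.dll",
    },
}

# Directories from which watched processes are expected to load modules (constructed).
EXPECTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\microsoft azure ad connect authentication agent\\",
)


def module_load_findings(event, baseline=BASELINE, expected_dirs=EXPECTED_DIRS):
    """Return the reasons a module load deviates from baseline ([] when it is expected).

    `event` mirrors a Sysmon-style image-load record: image (the loading process),
    image_loaded (the DLL path) and signed (bool from the signature check).
    """
    process = event["image"].rsplit("\\", 1)[-1].lower()
    if process not in baseline:
        return []  # not a watched identity process
    loaded = event["image_loaded"].lower()
    reasons = []
    if loaded not in baseline[process]:
        reasons.append("module not in baseline")
    if not event.get("signed", False):
        reasons.append("module unsigned")
    if not loaded.startswith(expected_dirs):
        reasons.append("module loaded from unexpected path")
    return reasons


def in_maintenance(change, windows):
    """True when the change falls inside an approved window for its host (ticket context)."""
    return any(
        w["host"] == change["host"] and w["start"] <= change["time"] <= w["end"]
        for w in windows
    )


def correlate_config_changes(changes, anomalies, windows, max_gap=timedelta(minutes=30)):
    """Flag PTA/AD FS configuration changes that sit near an authentication anomaly
    on the same host and are not explained by an approved maintenance window."""
    alerts = []
    for change in changes:
        if in_maintenance(change, windows):
            continue  # authorized update: suppress rather than alert
        for anomaly in anomalies:
            if anomaly["host"] == change["host"] and abs(anomaly["time"] - change["time"]) <= max_gap:
                alerts.append({"host": change["host"], "key": change["key"],
                               "user": change["user"], "anomaly": anomaly["kind"]})
                break
    return alerts


def run_sample():
    """Run both checks over constructed telemetry; returns (module_alerts, config_alerts)."""
    t = datetime(2026, 1, 15)  # constructed reference day
    agent_exe = "C:\\Program Files\\Microsoft Azure AD Connect Authentication Agent\\AzureADConnectAuthenticationAgentService.exe"
    module_events = [  # constructed image-load records
        {"host": "adfs-01", "image": "C:\\Windows\\System32\\lsass.exe",
         "image_loaded": "C:\\Windows\\System32\\lsasrv.dll", "signed": True},
        {"host": "adfs-01", "image": "C:\\Windows\\System32\\lsass.exe",
         "image_loaded": "C:\\Users\\Public\\unknown.dll", "signed": False},
        {"host": "pta-agent-01", "image": agent_exe,
         "image_loaded": "C:\\Program Files\\Microsoft Azure AD Connect Authentication Agent\\agent.dll",
         "signed": True},
        {"host": "pta-agent-01", "image": "C:\\Windows\\System32\\svchost.exe",
         "image_loaded": "C:\\Users\\Public\\unknown.dll", "signed": False},  # not watched
    ]
    # Constructed registry/config change records; key names are placeholders, not real keys.
    changes = [
        {"host": "pta-agent-01", "time": t.replace(hour=10, minute=5),
         "key": "HKLM\\SOFTWARE\\<PTA-AGENT-KEY-PLACEHOLDER>\\Config", "user": "svc-deploy"},
        {"host": "adfs-01", "time": t.replace(hour=14, minute=12),
         "key": "HKLM\\SOFTWARE\\<ADFS-KEY-PLACEHOLDER>\\Settings", "user": "jdoe-admin"},
        {"host": "adfs-01", "time": t.replace(hour=3, minute=0),
         "key": "HKLM\\SOFTWARE\\<ADFS-KEY-PLACEHOLDER>\\Settings", "user": "svc-deploy"},
    ]
    anomalies = [  # constructed authentication-anomaly signals from AD FS / Windows auth logs
        {"host": "pta-agent-01", "time": t.replace(hour=10, minute=20), "kind": "auth-error-spike"},
        {"host": "adfs-01", "time": t.replace(hour=14, minute=25), "kind": "token-issuance-spike"},
    ]
    windows = [{"host": "pta-agent-01", "start": t.replace(hour=10), "end": t.replace(hour=11),
                "ticket": "CHG-EXAMPLE-0001"}]  # constructed approved maintenance window
    module_alerts = []
    for e in module_events:
        reasons = module_load_findings(e)
        if reasons:
            module_alerts.append((e["host"], e["image_loaded"], reasons))
    return module_alerts, correlate_config_changes(changes, anomalies, windows)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The sample data is built so that the planned change inside the maintenance window on pta-agent-01 is suppressed even though an authentication anomaly follows it, while the unticketed AD FS change 13 minutes before a token-issuance spike is surfaced; the unsigned DLL from a user-writable path is flagged only because it loaded into LSASS, and the same file loading into an unwatched process produces nothing. In production the baseline would be learned per host over a quiet period and the maintenance windows would come from the change-management system, not a literal list.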

Mitigation priorities

  • Maintain an authoritative inventory of hybrid identity and federation servers, including owners, criticality, and expected services.
  • Restrict administrative access to Windows identity bridge systems and monitor privileged changes to authentication-related services, files, and registry/configuration areas.
  • Apply file integrity monitoring or equivalent endpoint controls to sensitive DLL and configuration locations for AD FS and hybrid identity agents.
  • Harden change management for PTA, AD FS, and authentication-agent configuration so security teams can rapidly separate authorized updates from suspicious modification.
  • Centralize and retain endpoint, registry, module-load, service-change, and authentication logs from identity servers for incident response and audit support.

Analyst notes and limits

The object is a MITRE ATT&CK detection analytic, AN0814, for Windows in the enterprise domain. It references hybrid identity agents, PTA/AD FS configuration, LSASS and AD FS module loads, and authentication anomalies. No ATT&CK relationships, tactics, aliases, labels, or official detection logic were supplied, so this take emphasizes defensive validation and monitoring requirements rather than a specific query or threat scenario.

This summary uses only the supplied STIX fields and external reference. The object does not provide detection pseudocode, data source mappings, tactic/technique relationships, known threat actors, active exploitation context, or mitigation text. Local architecture, logging configuration, identity design, and approved administrative workflows are required to determine coverage and alert fidelity.

Official MITRE ATT&CK definition

Analytic 0814

Detects injection or tampering of DLLs in hybrid identity agents (e.g., AzureADConnectAuthenticationAgentService), registry or configuration changes tied to PTA/AD FS, and anomalous LSASS or AD FS module loads correlated with authentication anomalies.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
6c13af2432968fce...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 6c13af243296…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0814 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.