T1556.007: Hybrid Identity
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID[1]:
* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud
* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID
AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.
By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.[2][3] In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.[4]
In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.[5]
Analyst context for executives and security teams
Hybrid Identity is material because it targets the trust bridge between on-premises identity systems and cloud services. If that bridge is modified or backdoored, normal controls such as cloud authentication checks, MFA policy enforcement, and identity-based access decisions may no longer mean what leaders think they mean. The business issue is not only account compromise; it is loss of confidence in the authentication fabric used to run SaaS, office, IaaS, and Windows-connected operations.
Executive priority
Prioritize this where cloud access depends on synchronized or federated on-premises identities, especially environments using Entra ID hybrid identity patterns such as Password Hash Synchronization, Pass Through Authentication, or AD FS. Executives should ask who can administer hybrid identity components, how changes to federation/PTA/authentication infrastructure are audited, and whether incident response can quickly validate trust between on-premises identity and cloud services. This technique directly affects resilience, privileged access governance, compliance evidence, and cloud incident decision-making.
Technical view
For SOC, detection engineering, and IR teams, the key validation point is whether changes to hybrid authentication infrastructure are visible and reviewable. ATT&CK provides no official detection text for this sub-technique, but the relationship to DET0293 indicates a detection strategy exists for hybrid identity authentication process modification. Focus validation on the supplied behaviors: modification of PTA-related services such as AzureADConnectAuthenticationAgentService, unexpected DLL loading, AD FS service configuration changes such as Microsoft.IdentityServer.Servicehost loading modified components, new PTA agent registration from cloud administration, and abnormal privileged identity actions involving on-premises administrators or cloud Global Administrator-equivalent roles. Treat this as a Modify Authentication Process sub-technique spanning defense impairment, persistence, and credential access.
Likely telemetry
- Identity provider audit logs for administrative changes, federation settings, authentication policy changes, and agent registration events
- Cloud sign-in and audit logs for Entra ID, SaaS, Office Suite, and IaaS access tied to hybrid identities
- Windows server event logs from AD FS, Azure AD Connect, PTA agent, and related identity infrastructure hosts
- Process, service, module, and DLL load telemetry for authentication-related services
- File integrity or configuration monitoring for AD FS and hybrid identity service configuration files
Detection direction
- Confirm whether DET0293-aligned logic or equivalent monitoring exists for hybrid identity authentication process modification; ATT&CK does not provide detailed detection guidance in the object.
- Baseline legitimate hybrid identity components, PTA agents, AD FS servers, service binaries, DLL loads, and configuration files, then alert on unauthorized or rare changes.
- Monitor for new or unexpected PTA agent registration, especially from privileged cloud administration paths.
- Correlate privileged admin actions with subsequent authentication anomalies, unusual sign-ins, or broad access across SaaS, Office Suite, IaaS, and identity provider platforms.
- Tune carefully for planned identity infrastructure maintenance, federation changes, and agent upgrades to reduce false positives while preserving change accountability.
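As an added example (not MITRE or Glexia code), the baseline-then-alert approach from the bullets above applied to constructed Sysmon Event ID 7 (Image loaded) records for the two service hosts named in the technical view; the baseline directories and every sample host, path and DLL name are assumptions for illustration, not Microsoft's published file lists.

```python
from dataclasses import dataclass

# Assumed baseline (hypothetical; build yours from a golden image): directories
# each hybrid identity service host is expected to load modules from.
BASELINE = {
    "AzureADConnectAuthenticationAgentService.exe": (
        r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent",
        r"C:\Windows\System32", r"C:\Windows\Microsoft.NET", r"C:\Windows\assembly",
    ),
    "Microsoft.IdentityServer.Servicehost.exe": (
        r"C:\Windows\ADFS",
        r"C:\Windows\System32", r"C:\Windows\Microsoft.NET", r"C:\Windows\assembly",
    ),
}

@dataclass(frozen=True)
class ImageLoad:
    """Simplified Sysmon Event ID 7 (Image loaded) record."""
    host: str
    image: str         # loading process (Sysmon Image field)
    image_loaded: str  # module path (Sysmon ImageLoaded field)
    signed: bool       # Sysmon Signed field == "true"

def find_suspicious_loads(events):
    """Return (host, process, module, reason) for module loads into a monitored
    identity service host that fall outside its baseline directories or are unsigned."""
    alerts = []
    for ev in events:
        proc = ev.image.rsplit("\\", 1)[-1]
        if proc not in BASELINE:
            continue  # not a hybrid identity service host; out of scope
        module = ev.image_loaded.lower()
        in_baseline = any(module.startswith(d.lower() + "\\") for d in BASELINE[proc])
        if not in_baseline:
            alerts.append((ev.host, proc, ev.image_loaded, "module outside baseline"))
        elif not ev.signed:
            alerts.append((ev.host, proc, ev.image_loaded, "unsigned module"))
    return alerts

# Constructed sample telemetry: host names and DLL names are invented for this example.
PTA = r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe"
ADFS = r"C:\Windows\ADFS\Microsoft.IdentityServer.Servicehost.exe"
SAMPLE_EVENTS = [
    ImageLoad("pta01", PTA, r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Agent.Core.dll", True),
    ImageLoad("pta01", PTA, r"C:\Users\Public\update.dll", False),          # outside baseline directories
    ImageLoad("adfs01", ADFS, r"C:\Windows\ADFS\Policy.Engine.dll", True),
    ImageLoad("adfs01", ADFS, r"C:\Windows\ADFS\Claims.Helper.dll", False),  # in baseline dir but unsigned
    ImageLoad("ws07", r"C:\Windows\notepad.exe", r"C:\Users\Public\update.dll", False),  # unmonitored process
]
```

Alerts from this rule are the starting point for correlation with the identity provider audit and sign-in telemetry listed above, not a verdict on their own.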
Mitigation priorities
- Start with Privileged Account Management: restrict, monitor, and regularly review accounts that can administer on-premises identity infrastructure, AD FS, Azure AD Connect/PTA components, and cloud tenant identity settings.
- Maintain MFA for critical systems and privileged accounts, but do not treat MFA alone as sufficient because the described behavior may modify authentication processes or token issuance paths.
- Implement strong auditing for identity infrastructure: configuration changes, privileged role use, service changes, agent registration, and authentication policy changes should be logged and reviewed.
- Require change control and independent review for hybrid identity architecture changes, federation trust updates, and authentication agent deployment.
- Ensure incident response playbooks include steps to validate the integrity of hybrid identity servers, authentication agents, federation configuration, and cloud administrative changes before restoring trust.
Analyst notes and limits
This object is a sub-technique of T1556 Modify Authentication Process and is mapped to defense impairment, persistence, and credential access. The supplied platforms are IaaS, Identity Provider, Office Suite, SaaS, and Windows. The official description provides Microsoft Entra ID, PTA, PHS, and AD FS examples, including malicious DLL loading, token generation, MFA bypass through modified AD FS behavior, and cloud-side PTA agent registration after privileged cloud compromise. Relationships include mitigations M1026 Privileged Account Management, M1032 Multi-factor Authentication, M1047 Audit, detection strategy DET0293, APT29 use, and AADInternals use.
MITRE does not provide official detection text in the supplied object, and the related DET0293 details are not included here. This take cannot determine whether any specific environment is exposed or covered. Local architecture, identity provider configuration, logging retention, endpoint telemetry, and privileged access model are required to assess practical risk and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1556 | Modify Authentication Process | This object is a sub-technique of Modify Authentication Process. |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
S0677: AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 57860b9d8832… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Azure AD Hybrid Identity: Microsoft. (2022, August 26). Choose the right authentication method for your Azure Active Directory hybrid identity solution. Retrieved September 28, 2022.
[2] Azure AD Connect for Red Teamers: Adam Chester. (2019, February 18). Azure AD Connect for Red Teamers. Retrieved September 28, 2022.
[3] AADInternals Azure AD On-Prem to Cloud: Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.
[4] MagicWeb: Microsoft Threat Intelligence Center, Microsoft Detection and Response Team, Microsoft 365 Defender Research Team. (2022, August 24). MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone. Retrieved September 28, 2022.
[5] Mandiant Azure AD Backdoors: Mike Burns. (2020, September 30). Detecting Microsoft 365 and Azure Active Directory Backdoors. Retrieved September 28, 2022.
[6] mitre-attack: T1556.007.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.