MITRE ATT&CK Technique
Credential Access: T1556.007 Hybrid Identity
Description

Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.

Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID (Citation: Azure AD Hybrid Identity):

* Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud
* Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
* Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID

AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.

By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the `AzureADConnectAuthenticationAgentService` process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the `Microsoft.IdentityServer.Servicehost` configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)

In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)
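Both on-premises tampering patterns described above (a foreign DLL loaded into the PTA agent process, and an edited AD FS service host configuration that pulls in a malicious DLL) leave artifacts that a defender can baseline and re-check. The PowerShell below is an added example written for this page; it is not code from MITRE ATT&CK, Microsoft, or any of the cited references. It assumes (none of this is stated on the page) that the PTA agent runs as a process named `AzureADConnectAuthenticationAgentService`, that the AD FS service host and its `.exe.config` live under `C:\Windows\ADFS`, and that `$BaselineHash` is a SHA-256 you recorded from the config file while the server was known-good. Run it in an elevated session on the PTA agent host and on the AD FS server.

```powershell
<#
Added example (not MITRE's or Microsoft's code): baseline checks for the two
on-premises hybrid-identity tampering patterns. Assumptions not taken from the
page: PTA agent process name, AD FS directory, and the known-good baseline hash.
#>
param(
    [string]$PtaProcessName = 'AzureADConnectAuthenticationAgentService',
    [string]$AdfsDirectory  = 'C:\Windows\ADFS',
    [string]$BaselineHash   = '<KNOWN-GOOD-SHA256-PLACEHOLDER>'
)

# Summarize the Authenticode signature on a file: its status, and whether it is
# a valid signature whose signer is Microsoft.
function Get-SignatureVerdict {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Status      = $sig.Status
        IsMicrosoft = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
    }
}

# Check 1: a DLL injected into the PTA agent to approve every logon and record
# credentials appears as a loaded module that Microsoft did not sign.
function Find-UnsignedPtaModules {
    param([string]$ProcessName)
    $findings = @()
    foreach ($proc in @(Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        try { $modules = $proc.Modules } catch { $modules = @() }  # needs elevation
        foreach ($module in $modules) {
            $verdict = Get-SignatureVerdict -Path $module.FileName
            if (-not $verdict.IsMicrosoft) {
                $findings += [pscustomobject]@{
                    Check     = 'PTA agent module'
                    ProcessId = $proc.Id
                    Path      = $module.FileName
                    Signature = $verdict.Status
                }
            }
        }
    }
    return $findings
}

# Check 2: an edited AD FS service host config changes the file hash, and the
# malicious DLL it references has to live somewhere the service can load it,
# so also list every DLL under the AD FS directory that is not Microsoft-signed.
function Find-AdfsTampering {
    param([string]$Directory, [string]$Baseline)
    $findings = @()
    $config = Join-Path $Directory 'Microsoft.IdentityServer.Servicehost.exe.config'
    if (Test-Path $config) {
        $current = (Get-FileHash -Path $config -Algorithm SHA256).Hash
        if ($current -ne $Baseline) {
            $findings += [pscustomobject]@{
                Check        = 'AD FS config hash'
                Path         = $config
                Current      = $current
                Expected     = $Baseline
                LastModified = (Get-Item $config).LastWriteTimeUtc
            }
        }
    }
    foreach ($dll in Get-ChildItem -Path $Directory -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue) {
        $verdict = Get-SignatureVerdict -Path $dll.FullName
        if (-not $verdict.IsMicrosoft) {
            $findings += [pscustomobject]@{
                Check        = 'AD FS directory DLL'
                Path         = $dll.FullName
                Signature    = $verdict.Status
                LastModified = $dll.LastWriteTimeUtc
            }
        }
    }
    return $findings
}

$results = @(Find-UnsignedPtaModules -ProcessName $PtaProcessName) +
           @(Find-AdfsTampering -Directory $AdfsDirectory -Baseline $BaselineHash)
if ($results.Count -eq 0) {
    Write-Output 'No unsigned PTA agent modules or AD FS deviations found.'
} else {
    $results | Format-List
}
```

A hit from either check is a lead, not a verdict: a legitimate third-party module (an EDR hook, for instance) will also fail the Microsoft-signer test, so compare findings against the software inventory for that host. The script deliberately covers only the on-premises patterns; the cloud-side variant, where a compromised Global Administrator registers an additional PTA agent, is invisible from the server and has to be caught by reconciling the tenant's list of registered PTA agents against the hosts you actually operate.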

Supported Platforms
Windows, SaaS, IaaS, Office Suite, Identity Provider
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2022-09-28T13:29:53.354Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may patch, modify, or otherwise backdoor cloud '
                'authentication processes that are tied to on-premises user '
                'identities in order to bypass typical authentication '
                'mechanisms, access credentials, and enable persistent access '
                'to accounts.  \n'
                '\n'
                'Many organizations maintain hybrid user and device identities '
                'that are shared between on-premises and cloud-based '
                'environments. These can be maintained in a number of ways. '
                'For example, Microsoft Entra ID includes three options for '
                'synchronizing identities between Active Directory and Entra '
                'ID(Citation: Azure AD Hybrid Identity):\n'
                '\n'
                '* Password Hash Synchronization (PHS), in which a privileged '
                'on-premises account synchronizes user password hashes between '
                'Active Directory and Entra ID, allowing authentication to '
                'Entra ID to take place entirely in the cloud \n'
                '* Pass Through Authentication (PTA), in which Entra ID '
                'authentication attempts are forwarded to an on-premises PTA '
                'agent, which validates the credentials against Active '
                'Directory \n'
                '* Active Directory Federation Services (AD FS), in which a '
                'trust relationship is established between Active Directory '
                'and Entra ID \n'
                '\n'
                'AD FS can also be used with other SaaS and cloud platforms '
                'such as AWS and GCP, which will hand off the authentication '
                'process to AD FS and receive a token containing the hybrid '
                'users’ identity and privileges. \n'
                '\n'
                'By modifying authentication processes tied to hybrid '
                'identities, an adversary may be able to establish persistent '
                'privileged access to cloud resources. For example, '
                'adversaries who compromise an on-premises server running a '
                'PTA agent may inject a malicious DLL into the '
                '`AzureADConnectAuthenticationAgentService` process that '
                'authorizes all attempts to authenticate to Entra ID, as well '
                'as records user credentials.(Citation: Azure AD Connect for '
                'Read Teamers)(Citation: AADInternals Azure AD On-Prem to '
                'Cloud) In environments using AD FS, an adversary may edit the '
                '`Microsoft.IdentityServer.Servicehost` configuration file to '
                'load a malicious DLL that generates authentication tokens for '
                'any user with any set of claims, thereby bypassing '
                'multi-factor authentication and defined AD FS '
                'policies.(Citation: MagicWeb)\n'
                '\n'
                'In some cases, adversaries may be able to modify the hybrid '
                'identity authentication process from the cloud. For example, '
                'adversaries who compromise a Global Administrator account in '
                'an Entra ID tenant may be able to register a new PTA agent '
                'via the web console, similarly allowing them to harvest '
                'credentials and log into the Entra ID environment as any '
                'user.(Citation: Mandiant Azure AD Backdoors)',
 'external_references': [{'external_id': 'T1556.007',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1556/007'},
                         {'description': 'Adam Chester. (2019, February 18). '
                                         'Azure AD Connect for Red Teamers. '
                                         'Retrieved September 28, 2022.',
                          'source_name': 'Azure AD Connect for Read Teamers',
                          'url': 'https://blog.xpnsec.com/azuread-connect-for-redteam/'},
                         {'description': 'Dr. Nestori Syynimaa. (2020, July '
                                         '13). Unnoticed sidekick: Getting '
                                         'access to cloud as an on-prem admin. '
                                         'Retrieved September 28, 2022.',
                          'source_name': 'AADInternals Azure AD On-Prem to '
                                         'Cloud',
                          'url': 'https://o365blog.com/post/on-prem_admin/'},
                         {'description': 'Microsoft Threat Intelligence '
                                         'Center, Microsoft Detection and '
                                         'Response Team, Microsoft 365 '
                                         'Defender Research Team . (2022, '
                                         'August 24). MagicWeb: NOBELIUM’s '
                                         'post-compromise trick to '
                                         'authenticate as anyone. Retrieved '
                                         'September 28, 2022.',
                          'source_name': 'MagicWeb',
                          'url': 'https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/'},
                         {'description': 'Microsoft. (2022, August 26). Choose '
                                         'the right authentication method for '
                                         'your Azure Active Directory hybrid '
                                         'identity solution. Retrieved '
                                         'September 28, 2022.',
                          'source_name': 'Azure AD Hybrid Identity',
                          'url': 'https://learn.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn'},
                         {'description': 'Mike Burns. (2020, September 30). '
                                         'Detecting Microsoft 365 and Azure '
                                         'Active Directory Backdoors. '
                                         'Retrieved September 28, 2022.',
                          'source_name': 'Mandiant Azure AD Backdoors',
                          'url': 'https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors'}],
 'id': 'attack-pattern--54ca26f3-c172-4231-93e5-ccebcac2161f',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'credential-access'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-04-15T22:40:10.913Z',
 'name': 'Hybrid Identity',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Praetorian'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Windows',
                       'SaaS',
                       'IaaS',
                       'Office Suite',
                       'Identity Provider'],
 'x_mitre_version': '1.1'}