Hybrid Identity

Information

• Name: Hybrid Identity

• ID: T1556.007

• Tactics: TA0006, TA0005, TA0003

• Technique: T1556

Introduction

Hybrid Identity (T1556.007) is a sub-technique within the MITRE ATT&CK framework under the broader Credential Access technique known as Modify Authentication Process (T1556). This sub-technique specifically involves adversaries targeting hybrid identity environments—such as those integrating on-premises Active Directory with cloud-based identity providers like Azure Active Directory (Azure AD)—to manipulate authentication processes, compromise credentials, and maintain persistence. By exploiting hybrid identity configurations, attackers can move laterally between cloud and on-premises environments, significantly increasing the complexity and impact of the attack.

Deep Dive Into Technique

Hybrid Identity attacks typically exploit the integration points between on-premises Active Directory (AD) and cloud identity providers (e.g., Azure AD). Attackers leverage vulnerabilities or misconfigurations in federation services, password synchronization mechanisms, or identity provisioning tools to escalate privileges, harvest credentials, or bypass multi-factor authentication (MFA).

Key technical details and execution methods include:

• Federated Authentication Manipulation:

  • Adversaries may target federation services such as Active Directory Federation Services (ADFS) to intercept or modify authentication tokens.

  • Attackers can compromise federation servers or manipulate trust relationships to issue fraudulent authentication tokens, enabling unauthorized access to cloud resources.

• Password Hash Synchronization Exploitation:

  • Malicious actors may exploit synchronization mechanisms (e.g., Azure AD Connect) to harvest password hashes during synchronization processes.

  • Compromised synchronization servers allow attackers to intercept sensitive credential data, facilitating offline password cracking or credential replay attacks.

• Pass-the-Hash and Token Replay Attacks:

  • Attackers may reuse stolen hashes or authentication tokens obtained from hybrid identity infrastructures to authenticate directly to cloud services or on-premises resources without knowing plaintext passwords.

• Misconfigured Identity Provisioning Tools:

  • Exploiting misconfigured provisioning services or connectors can allow attackers to create unauthorized user accounts, modify privileges, or establish persistence in hybrid environments.

When this Technique is Usually Used

Attackers utilize Hybrid Identity exploitation in multiple attack scenarios and stages, including:

• Initial Access:

  • Leveraging compromised hybrid identities to gain initial foothold in cloud or on-premises environments.

• Privilege Escalation:

  • Using compromised federation or synchronization services to escalate privileges across hybrid environments.

• Credential Harvesting:

  • Capturing credentials during synchronization or federation processes to enable lateral movement and persistent access.

• Persistence:

  • Establishing persistent access by creating unauthorized accounts or modifying existing authentication mechanisms within hybrid environments.

• Lateral Movement:

  • Moving laterally between cloud and on-premises assets by exploiting trust relationships and authentication tokens.

How this Technique is Usually Detected

Detection of Hybrid Identity exploitation involves monitoring and analyzing hybrid identity infrastructure logs, authentication events, and synchronization processes. Effective detection methods include:

• Federation Server Monitoring:

  • Monitor federation server logs (e.g., ADFS logs) for unusual authentication token requests, unauthorized certificate usage, or unexpected changes in federation trust configurations.

• Azure AD Connect Monitoring:

  • Monitor synchronization logs and events for anomalies, unexpected credential synchronization attempts, or unauthorized configuration changes.

• Authentication Event Analysis:

  • Analyze authentication logs from both cloud (Azure AD Sign-in logs) and on-premises environments for anomalous login patterns, unusual geographic locations, or unexpected usage of privileged accounts.

• Network Traffic Monitoring:

  • Monitor network traffic to detect unusual communications between on-premises identity infrastructure and cloud identity providers or unauthorized external IP addresses.

• Endpoint Detection and Response (EDR) Solutions:

  • Deploy EDR tools to identify suspicious processes or unauthorized access attempts involving hybrid identity infrastructure components.

Specific Indicators of Compromise (IoCs) include:

• Unusual authentication token issuance events or unexpected federation trust changes.

• Suspicious new user accounts or privilege escalations within hybrid identity environments.

• Anomalous synchronization events or unexpected credential hash extraction activities.

• Authentication events indicating Pass-the-Hash or token replay attacks.

Why it is Important to Detect This Technique

Early detection of Hybrid Identity exploitation is critical due to the significant impact these attacks can have on an organization's security posture. Possible impacts and reasons for importance include:

• Credential Compromise:

  • Attackers can harvest sensitive user credentials, enabling unauthorized access to critical systems and data.

• Privilege Escalation and Unauthorized Access:

  • Exploiting hybrid identity systems can provide attackers with elevated privileges, facilitating deeper access into cloud and on-premises environments.

• Persistence and Stealth:

  • Attackers can establish persistent access through compromised hybrid identity infrastructure, making detection and remediation challenging.

• Data Exfiltration and Breaches:

  • Hybrid identity exploitation can lead to unauthorized data access, exfiltration, and major data breaches, resulting in significant financial and reputational damage.

• Complexity of Remediation:

  • Hybrid identity attacks often require extensive remediation efforts due to the interconnected nature of cloud and on-premises environments, increasing recovery time and costs.

Examples

Real-world examples of Hybrid Identity exploitation include:

• SolarWinds Supply Chain Attack (2020):

  • Attackers compromised federation infrastructure (ADFS) to forge authentication tokens, enabling unauthorized access to cloud resources.

  • Tools used: SUNBURST malware, customized Cobalt Strike implants.

  • Impact: Extensive compromise of multiple U.S. government agencies and major corporations, significant data exfiltration, and persistent access.

• NOBELIUM Attack Campaign (2021):

  • Attackers targeted Azure AD Connect servers to harvest synchronized password hashes, allowing attackers to authenticate to cloud services.

  • Tools used: FoggyWeb malware, customized backdoors targeting ADFS and Azure AD Connect.

  • Impact: Persistent access to sensitive email accounts, extensive credential compromise, and lateral movement across hybrid environments.

• Password Spray Attacks on Hybrid Environments:

  • Attackers leveraged hybrid identity misconfigurations to conduct password spraying attacks, bypassing MFA and gaining unauthorized cloud access.

  • Tools used: Open-source password spraying tools (e.g., MSOLSpray, MailSniper).

  • Impact: Unauthorized access to email accounts, data breaches, and potential lateral movement within compromised organizations.

• Golden SAML Attacks:

  • Attackers compromised federation servers to issue fraudulent SAML tokens, enabling persistent cloud access.

  • Tools used: Customized scripts and tools to generate forged SAML tokens.

  • Impact: Persistent and stealthy access to cloud services, bypassing MFA, and significant challenges in detection and remediation.