Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Credential Access
  4. >ATTACK-T1556.007
ATTACK-T1556.007Active

Hybrid Identity

Statement

Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.

Many organizations maintain hybrid user and device identities that are shared between on-premises and cloud-based environments. These can be maintained in a number of ways. For example, Microsoft Entra ID includes three options for synchronizing identities between Active Directory and Entra ID(Citation: Azure AD Hybrid Identity):

  • Password Hash Synchronization (PHS), in which a privileged on-premises account synchronizes user password hashes between Active Directory and Entra ID, allowing authentication to Entra ID to take place entirely in the cloud
  • Pass Through Authentication (PTA), in which Entra ID authentication attempts are forwarded to an on-premises PTA agent, which validates the credentials against Active Directory
  • Active Directory Federation Services (AD FS), in which a trust relationship is established between Active Directory and Entra ID

AD FS can also be used with other SaaS and cloud platforms such as AWS and GCP, which will hand off the authentication process to AD FS and receive a token containing the hybrid users’ identity and privileges.

By modifying authentication processes tied to hybrid identities, an adversary may be able to establish persistent privileged access to cloud resources. For example, adversaries who compromise an on-premises server running a PTA agent may inject a malicious DLL into the AzureADConnectAuthenticationAgentService process that authorizes all attempts to authenticate to Entra ID, as well as records user credentials.(Citation: Azure AD Connect for Read Teamers)(Citation: AADInternals Azure AD On-Prem to Cloud) In environments using AD FS, an adversary may edit the Microsoft.IdentityServer.Servicehost configuration file to load a malicious DLL that generates authentication tokens for any user with any set of claims, thereby bypassing multi-factor authentication and defined AD FS policies.(Citation: MagicWeb)

In some cases, adversaries may be able to modify the hybrid identity authentication process from the cloud. For example, adversaries who compromise a Global Administrator account in an Entra ID tenant may be able to register a new PTA agent via the web console, similarly allowing them to harvest credentials and log into the Entra ID environment as any user.(Citation: Mandiant Azure AD Backdoors)

Location

Tactic
Credential Access

Technique Details

Identifier
ATTACK-T1556.007
Parent Technique
ATTACK-T1556
ATT&CK Page
View on MITRE

Tactics

Credential AccessDefense EvasionPersistence

Platforms

WindowsSaaSIaaSOffice SuiteIdentity Provider

Detection

Detect Hybrid Identity Authentication Process Modification

Mitigations

Multi-factor Authentication: Multi-Factor Authentication (MFA) enhances security by requiring users to provide at least two forms of verification to prove their identity before granting access. These factors typically include:

  • Something you know: Passwords, PINs.
  • Something you have: Physical tokens, smartphone authenticator apps.
  • Something you are: Biometric data such as fingerprints, facial recognition, or retinal scans.

Implementing MFA across all critical systems and services ensures robust protection against account takeover and unauthorized access. This mitigation can be implemented through the following measures:

Identity and Access Management (IAM):

  • Use IAM solutions like Azure Active Directory, Okta, or AWS IAM to enforce MFA policies for all user logins, especially for privileged roles.
  • Enable conditional access policies to enforce MFA for risky sign-ins (e.g., unfamiliar devices, geolocations).
  • Enable Conditional Access policies to only allow logins from trusted devices, such as those enrolled in Intune or joined via Hybrid/Entra.

Authentication Tools and Methods:

  • Use authenticator applications such as Google Authenticator, Microsoft Authenticator, or Authy for time-based one-time passwords (TOTP).
  • Deploy hardware-based tokens like YubiKey, RSA SecurID, or smart cards for additional security.
  • Enforce biometric authentication for compatible devices and applications.

Secure Legacy Systems:

  • Integrate MFA solutions with older systems using third-party tools like Duo Security or Thales SafeNet.
  • Enable RADIUS/NPS servers to facilitate MFA for VPNs, RDP, and other network logins.

Monitoring and Alerting:

  • Use SIEM tools to monitor failed MFA attempts, login anomalies, or brute-force attempts against MFA systems.
  • Implement alerts for suspicious MFA activities, such as repeated failed codes or new device registrations.

Training and Policy Enforcement:

  • Educate employees on the importance of MFA and secure authenticator usage.
  • Enforce policies that require MFA on all critical systems, especially for remote access, privileged accounts, and cloud applications.

Audit: Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

  • Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
  • Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

  • Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
  • Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

  • Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
  • Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

  • Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
  • Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

  • Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
  • Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

Privileged Account Management: Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through the following measures:

Account Permissions and Roles:

  • Implement RBAC and least privilege principles to allocate permissions securely.
  • Use tools like Active Directory Group Policies to enforce access restrictions.

Credential Security:

  • Deploy password vaulting tools like CyberArk, HashiCorp Vault, or KeePass for secure storage and rotation of credentials.
  • Enforce password policies for complexity, uniqueness, and expiration using tools like Microsoft Group Policy Objects (GPO).

Multi-Factor Authentication (MFA):

  • Enforce MFA for all privileged accounts using Duo Security, Okta, or Microsoft Azure AD MFA.

Privileged Access Management (PAM):

  • Use PAM solutions like CyberArk, BeyondTrust, or Thycotic to manage, monitor, and audit privileged access.

Auditing and Monitoring:

  • Integrate activity monitoring into your SIEM (e.g., Splunk or QRadar) to detect and alert on anomalous privileged account usage.

Just-In-Time Access:

  • Deploy JIT solutions like Azure Privileged Identity Management (PIM) or configure ephemeral roles in AWS and GCP to grant time-limited elevated permissions.

Tools for Implementation

Privileged Access Management (PAM):

  • CyberArk, BeyondTrust, Thycotic, HashiCorp Vault.

Credential Management:

  • Microsoft LAPS (Local Admin Password Solution), Password Safe, HashiCorp Vault, KeePass.

Multi-Factor Authentication:

  • Duo Security, Okta, Microsoft Azure MFA, Google Authenticator.

Linux Privilege Management:

  • sudo configuration, SELinux, AppArmor.

Just-In-Time Access:

  • Azure Privileged Identity Management (PIM), AWS IAM Roles with session constraints, GCP Identity-Aware Proxy.
SP 800-53
SP800-53-AC-1relatedvia ctid-attack-to-sp800-53
SP800-53-AC-2relatedvia ctid-attack-to-sp800-53
SP800-53-AC-3relatedvia ctid-attack-to-sp800-53
SP800-53-AC-6relatedvia ctid-attack-to-sp800-53
SP800-53-AU-1relatedvia ctid-attack-to-sp800-53
View in graphReport an issue
← Back to Credential Access
Credential Access62 controls
ATTACK-T1003OS Credential DumpingATTACK-T1003.001LSASS MemoryATTACK-T1003.002Security Account ManagerATTACK-T1003.003NTDSATTACK-T1003.004LSA SecretsATTACK-T1003.005Cached Domain CredentialsATTACK-T1003.006DCSyncATTACK-T1003.007Proc FilesystemATTACK-T1003.008/etc/passwd and /etc/shadowATTACK-T1040Network SniffingATTACK-T1110Brute ForceATTACK-T1110.001Password GuessingATTACK-T1110.002Password CrackingATTACK-T1110.003Password SprayingATTACK-T1110.004Credential StuffingATTACK-T1111Multi-Factor Authentication InterceptionATTACK-T1187Forced AuthenticationATTACK-T1212Exploitation for Credential AccessATTACK-T1528Steal Application Access TokenATTACK-T1539Steal Web Session CookieATTACK-T1552Unsecured CredentialsATTACK-T1552.001Credentials In FilesATTACK-T1552.002Credentials in RegistryATTACK-T1552.003Shell HistoryATTACK-T1552.004Private KeysATTACK-T1552.005Cloud Instance Metadata APIATTACK-T1552.006Group Policy PreferencesATTACK-T1552.007Container APIATTACK-T1552.008Chat MessagesATTACK-T1555Credentials from Password StoresATTACK-T1555.001KeychainATTACK-T1555.002Securityd MemoryATTACK-T1555.003Credentials from Web BrowsersATTACK-T1555.004Windows Credential ManagerATTACK-T1555.005Password ManagersATTACK-T1555.006Cloud Secrets Management StoresATTACK-T1556Modify Authentication ProcessATTACK-T1556.001Domain Controller AuthenticationATTACK-T1556.002Password Filter DLLATTACK-T1556.003Pluggable Authentication ModulesATTACK-T1556.004Network Device AuthenticationATTACK-T1556.005Reversible EncryptionATTACK-T1556.006Multi-Factor AuthenticationATTACK-T1556.007Hybrid IdentityATTACK-T1556.008Network Provider DLLATTACK-T1556.009Conditional Access PoliciesATTACK-T1557Adversary-in-the-MiddleATTACK-T1557.001LLMNR/NBT-NS Poisoning and SMB RelayATTACK-T1557.002ARP Cache PoisoningATTACK-T1557.003DHCP SpoofingATTACK-T1557.004Evil TwinATTACK-T1558Steal or Forge Kerberos TicketsATTACK-T1558.001Golden TicketATTACK-T1558.002Silver TicketATTACK-T1558.003KerberoastingATTACK-T1558.004AS-REP RoastingATTACK-T1558.005Ccache FilesATTACK-T1606Forge Web CredentialsATTACK-T1606.001Web CookiesATTACK-T1606.002SAML TokensATTACK-T1621Multi-Factor Authentication Request GenerationATTACK-T1649Steal or Forge Authentication Certificates