{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/azure-ad-connect/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure AD Connect Authentication Agent"],"_cs_severities":["high"],"_cs_tags":["credential-access","dll-side-loading","azure-ad-connect"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Azure AD Connect Authentication Agent facilitates pass-through authentication (PTA) in hybrid environments. Attackers may attempt to load malicious DLLs into the \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process to intercept or persist credentials. This involves placing an untrusted DLL in a location where the service will load it, such as a directory with weak permissions or through DLL side-loading. Successful exploitation allows attackers to capture user credentials as they are processed by the PTA service, potentially leading to domain compromise. This activity specifically targets systems utilizing Azure AD Connect with PTA enabled. Defenders should monitor for unexpected DLL loads by the Azure AD Connect Authentication Agent to identify and prevent credential access attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system hosting the Azure AD Connect Authentication Agent.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a location where they can place a malicious DLL that the \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process will load, such as a directory with weak permissions or a location susceptible to DLL side-loading.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious DLL (e.g., \u003ccode\u003eevil.dll\u003c/code\u003e) into the identified location.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process is started or restarted.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process loads the malicious DLL (\u003ccode\u003eevil.dll\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts or captures credentials as they are processed by the PTA service.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to other systems or resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept credentials handled by the Azure AD Connect Authentication Agent. This can lead to the compromise of user accounts and the ability to move laterally within the environment. Organizations using Azure AD Connect with Pass-through Authentication are at risk. The impact includes potential data breaches, unauthorized access to sensitive information, and domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eUntrusted DLL Loaded by Azure AD Connect Authentication Agent\u003c/code\u003e to detect the loading of untrusted DLLs by the Azure AD Connect Authentication Agent service in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e loading DLLs outside of the standard Microsoft directories, as defined in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eRestrict write access to the Azure AD Connect Authentication Agent directories to prevent unauthorized DLL placement.\u003c/li\u003e\n\u003cli\u003eReview administrative access to the PTA host to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-azureadconnect-dll-load/","summary":"The loading of an untrusted DLL by the Azure AD Connect Authentication Agent, potentially indicating credential access attempts via the Pass-through Authentication service, is detected by this rule.","title":"Untrusted DLL Loaded by Azure AD Connect Authentication Agent","url":"https://feed.craftedsignal.io/briefs/2024-11-azureadconnect-dll-load/"}],"language":"en","title":"CraftedSignal Threat Feed — Azure-Ad-Connect","version":"https://jsonfeed.org/version/1.1"}