Attack Chain

1. An attacker gains initial access to a system hosting the Azure AD Connect Authentication Agent.
2. The attacker identifies a location where they can place a malicious DLL that the AzureADConnectAuthenticationAgentService.exe process will load, such as a directory with weak permissions or a location susceptible to DLL side-loading.
3. The attacker places a malicious DLL (e.g., evil.dll) into the identified location.
4. The AzureADConnectAuthenticationAgentService.exe process is started or restarted.
5. The AzureADConnectAuthenticationAgentService.exe process loads the malicious DLL (evil.dll).
6. The malicious DLL intercepts or captures credentials as they are processed by the PTA service.
7. The attacker exfiltrates the captured credentials.
8. The attacker uses the stolen credentials to gain unauthorized access to other systems or resources.

Impact

Successful exploitation allows attackers to intercept credentials handled by the Azure AD Connect Authentication Agent. This can lead to the compromise of user accounts and the ability to move laterally within the environment. Organizations using Azure AD Connect with Pass-through Authentication are at risk. The impact includes potential data breaches, unauthorized access to sensitive information, and domain compromise.

Recommendation

• Implement the Sigma rule Untrusted DLL Loaded by Azure AD Connect Authentication Agent to detect the loading of untrusted DLLs by the Azure AD Connect Authentication Agent service in your environment.
• Monitor process creation events for AzureADConnectAuthenticationAgentService.exe loading DLLs outside of the standard Microsoft directories, as defined in the Sigma rule.
• Enable Sysmon Event ID 7 (Image Loaded) logging to provide the necessary data for the Sigma rule to function effectively.
• Restrict write access to the Azure AD Connect Authentication Agent directories to prevent unauthorized DLL placement.
• Review administrative access to the PTA host to prevent unauthorized modifications.