Untrusted DLL Loaded by Azure AD Sync Service

Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt to persist or collect sensitive credentials passing through the Azure AD synchronization server.


 1[metadata]
 2creation_date = "2024/10/14"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic", "Matteo Potito Giorgio"]
11description = """
12Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt
13to persist or collect sensitive credentials passing through the Azure AD synchronization server.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Untrusted DLL Loaded by Azure AD Sync Service"
20references = [
21"https://blog.xpnsec.com/azuread-connect-for-redteam/",
22"https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
23"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication"
24]
25risk_score = 73
26rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
27severity = "high"
28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon"]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and 
34(
35 (event.category == "library" and event.action == "load") or 
36 (event.category == "process" and event.action : "Image loaded*")
37) and 
38
39not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not 
40
41  (
42   /* Elastic defend DLL path */
43   ?dll.path :
44         ("?:\\Windows\\assembly\\NativeImages*",
45          "?:\\Windows\\Microsoft.NET\\*",
46          "?:\\Windows\\WinSxS\\*",
47          "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or 
48          
49   /* Sysmon DLL path is mapped to file.path */
50   file.path :
51         ("?:\\Windows\\assembly\\NativeImages*",
52          "?:\\Windows\\Microsoft.NET\\*",
53          "?:\\Windows\\WinSxS\\*",
54          "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
55  )
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1003"
63name = "OS Credential Dumping"
64reference = "https://attack.mitre.org/techniques/T1003/"
65
66
67[rule.threat.tactic]
68id = "TA0006"
69name = "Credential Access"
70reference = "https://attack.mitre.org/tactics/TA0006/"
