Untrusted DLL Loaded by Azure AD Sync Service

Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt to persist or collect sensitive credentials passing through the Azure AD synchronization server. Note that the process the query actually matches, AzureADConnectAuthenticationAgentService.exe, is the Azure AD Connect Pass-through Authentication (PTA) agent, which validates users' passwords against on-premises Active Directory; a DLL injected into that process can hook the validation path and capture cleartext credentials, which is the abuse the referenced write-ups describe, so the rule covers the PTA agent rather than the ADSync synchronization service itself.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/10/14"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/02/14"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic", "Matteo Potito Giorgio"]
description = """
Identifies the load of a DLL without a valid code signature by the Azure AD Sync process, which may indicate an attempt
to persist or collect sensitive credentials passing through the Azure AD synchronization server.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Untrusted DLL Loaded by Azure AD Sync Service"
references = [
"https://blog.xpnsec.com/azuread-connect-for-redteam/",
"https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
"https://learn.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-pass-through-authentication"
]
risk_score = 73
rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
severity = "high"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend", "Data Source: Sysmon", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
(
 (event.category == "library" and event.action == "load") or
 (event.category == "process" and event.action : "Image loaded*")
) and

not (?dll.code_signature.trusted == true or file.code_signature.status == "Valid") and not

  (
   /* Elastic defend DLL path */
   ?dll.path :
         ("?:\\Windows\\assembly\\NativeImages*",
          "?:\\Windows\\Microsoft.NET\\*",
          "?:\\Windows\\WinSxS\\*",
          "?:\\Windows\\System32\\DriverStore\\FileRepository\\*") or

   /* Sysmon DLL path is mapped to file.path */
   file.path :
         ("?:\\Windows\\assembly\\NativeImages*",
          "?:\\Windows\\Microsoft.NET\\*",
          "?:\\Windows\\WinSxS\\*",
          "?:\\Windows\\System32\\DriverStore\\FileRepository\\*")
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Untrusted DLL Loaded by Azure AD Sync Service

Azure AD Sync Service facilitates identity synchronization between on-premises directories and Azure AD, crucial for seamless authentication. Adversaries may exploit this by loading malicious DLLs to intercept credentials. The detection rule identifies untrusted DLLs loaded by the Azure AD Sync process, focusing on those lacking valid signatures and excluding known safe paths, thus highlighting potential credential access threats.

### Possible investigation steps

- Review the process details for AzureADConnectAuthenticationAgentService.exe to confirm its legitimacy and check for any unusual behavior or anomalies.
- Examine the specific DLL file path that triggered the alert to determine if it is located in an unexpected or suspicious directory.
- Investigate the code signature status of the DLL to understand why it is untrusted, and verify if the DLL should have a valid signature.
- Check the system for any recent changes or installations that could have introduced the untrusted DLL, focusing on the timeframe around the alert.
- Analyze the event logs for any other suspicious activities or related alerts that might indicate a broader compromise or attack pattern.
- Correlate the alert with other security tools or logs to gather additional context and determine if this is part of a larger attack campaign.

### False positive analysis

- DLLs from legitimate software updates or installations may trigger alerts if they are not yet recognized as trusted. Users can monitor these occurrences and verify the legitimacy of the software source before adding exceptions.
- Custom or in-house developed applications might load DLLs that lack valid signatures. Users should ensure these applications are from a trusted source and consider signing them or adding their paths to the exclusion list.
- DLLs located in non-standard directories that are part of legitimate software operations can be flagged. Users should verify the software's legitimacy and update the exclusion list with these specific paths if necessary.
- Temporary files or DLLs created during software installation or updates might be flagged. Users should confirm the installation process and temporarily exclude these paths during the update period.
- Security or monitoring tools that dynamically load DLLs for legitimate purposes may be misidentified. Users should verify the tool's activity and add it to the exclusion list if it is deemed safe.

### Response and remediation

- Immediately isolate the affected Azure AD Sync server from the network to prevent further unauthorized access or data exfiltration.
- Terminate the AzureADConnectAuthenticationAgentService.exe process to stop the execution of the untrusted DLL and prevent potential credential dumping.
- Conduct a thorough review of the loaded DLLs on the affected server to identify and remove any malicious or unauthorized files.
- Restore the server from a known good backup taken before the incident to ensure the system is free from compromise.
- Change all credentials that may have been exposed or compromised, focusing on those related to Azure AD and on-premises directory services.
- Implement application whitelisting to prevent unauthorized DLLs from being loaded by critical processes like Azure AD Sync.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
...
```
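The query above is short but has two data-source branches that are easy to misread: Elastic Defend library events carry the DLL in `dll.path` with `dll.code_signature.trusted`, while the Sysmon integration maps Event ID 7 to `file.path` with `file.code_signature.status`, and the same path exclusions are applied to both. The following is an added example, not part of the Elastic rule or its repository: a stand-alone Python re-implementation of the predicate run over constructed events in both shapes. It assumes that a missing field never satisfies a comparison (the effect of Elasticsearch compiling these clauses into bool/must_not queries), that `:` behaves like a case-insensitive glob where `?` matches a single character (so `?:\Windows\...` covers any drive letter), and that the Sysmon `event.action` and `file.code_signature.status` values shown are representative; all paths and events are constructed for illustration and are not indicators.

```python
"""Added example: offline re-implementation of the rule's EQL predicate,
run over constructed Elastic Defend and Sysmon-shaped events. Not Elastic's code."""
from fnmatch import fnmatchcase

TARGET_PROCESS = "AzureADConnectAuthenticationAgentService.exe"

# Same exclusion list the rule applies to dll.path (Elastic Defend) and file.path (Sysmon).
BENIGN_DLL_PATHS = (
    "?:\\Windows\\assembly\\NativeImages*",
    "?:\\Windows\\Microsoft.NET\\*",
    "?:\\Windows\\WinSxS\\*",
    "?:\\Windows\\System32\\DriverStore\\FileRepository\\*",
)


def field(event, dotted):
    """Return a dotted ECS field from a nested dict, or None when absent.
    Assumption: a missing field never satisfies a comparison, which is how
    Elasticsearch translates these EQL clauses into bool/must_not queries."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eql_like(value, patterns):
    """Approximate EQL's `:` operator: case-insensitive, `*` matches any run and
    `?` exactly one character (which is how `?:\\Windows\\...` matches any drive)."""
    if not isinstance(value, str):
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event):
    """True when the event would fire the rule, clause by clause as in the query."""
    if field(event, "host.os.type") != "windows":
        return False
    if not eql_like(field(event, "process.name"), [TARGET_PROCESS]):
        return False

    category = field(event, "event.category")
    action = field(event, "event.action")
    defend_load = category == "library" and action == "load"
    sysmon_load = category == "process" and eql_like(action, ["Image loaded*"])
    if not (defend_load or sysmon_load):
        return False

    # A trusted signature reported by either data source suppresses the alert.
    if field(event, "dll.code_signature.trusted") is True:
        return False
    if field(event, "file.code_signature.status") == "Valid":
        return False

    # Known-benign locations (NGEN images, .NET runtime, WinSxS, driver store).
    if eql_like(field(event, "dll.path"), BENIGN_DLL_PATHS):
        return False
    if eql_like(field(event, "file.path"), BENIGN_DLL_PATHS):
        return False
    return True


def defend_event(path, trusted=None, process=TARGET_PROCESS):
    """Constructed Elastic Defend library-load event (dll.* fields)."""
    dll = {"path": path}
    if trusted is not None:
        dll["code_signature"] = {"trusted": trusted}
    return {"host": {"os": {"type": "windows"}}, "process": {"name": process},
            "event": {"category": "library", "action": "load"}, "dll": dll}


def sysmon_event(path, status=None, process=TARGET_PROCESS):
    """Constructed Sysmon Event ID 7 as the windows integration maps it (file.* fields);
    the event.action string and status values are assumed representative."""
    f = {"path": path}
    if status is not None:
        f["code_signature"] = {"status": status}
    return {"host": {"os": {"type": "windows"}}, "process": {"name": process},
            "event": {"category": "process", "action": "Image loaded (rule: ImageLoad)"}, "file": f}


# Constructed sample events; paths are illustrative, not real indicators.
SAMPLE_EVENTS = [
    defend_event("C:\\ProgramData\\PTA\\hook.dll", trusted=False),                        # unsigned, odd path
    defend_event("C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Foo\\Foo.ni.dll"),    # NGEN image, excluded
    defend_event("C:\\Program Files\\Agent\\Microsoft.IdentityModel.dll", trusted=True),   # trusted signature
    sysmon_event("c:\\users\\public\\inject.dll", status="Unavailable"),                   # unsigned, odd path
    sysmon_event("D:\\Windows\\WinSxS\\x86_foo\\foo.dll", status="Unavailable"),           # other drive, excluded
    sysmon_event("C:\\Windows\\System32\\ntdll.dll", status="Valid"),                      # valid signature
    defend_event("C:\\ProgramData\\PTA\\hook.dll", trusted=False, process="lsass.exe"),    # wrong process
]


def alerting_paths(events=SAMPLE_EVENTS):
    """Paths of the DLL loads the rule would alert on, in input order."""
    return [field(e, "dll.path") or field(e, "file.path") for e in events if matches_rule(e)]


if __name__ == "__main__":
    for p in alerting_paths():
        print("ALERT:", p)
```

Two things the run makes visible: an unsigned DLL loaded from under `\Windows\WinSxS\` on any drive is silenced by the exclusion even though it has no valid signature, so those directories are worth auditing separately, and a Sysmon event with a missing `file.code_signature.status` still alerts, because only an explicit `Valid` suppresses it.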
