Untrusted DLL Loaded by Azure AD Connect Authentication Agent
Identifies the load of an untrusted DLL by the Azure AD Connect Authentication Agent, which may indicate an attempt to persist or intercept credentials passing through the Pass-through Authentication service.
Elastic rule
[metadata]
creation_date = "2024/10/14"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2026/04/24"

[rule]
author = ["Elastic", "Matteo Potito Giorgio"]
description = """
Identifies the load of an untrusted DLL by the Azure AD Connect Authentication Agent, which may
indicate an attempt to persist or intercept credentials passing through the Pass-through Authentication service.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Untrusted DLL Loaded by Azure AD Connect Authentication Agent"
references = [
    "https://blog.xpnsec.com/azuread-connect-for-redteam/",
    "https://medium.com/@breakingmhet/detect-azure-pass-through-authentication-abuse-azure-hybrid-environments-ed4274784252",
    "https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-pass-through-authentication",
]
risk_score = 73
rule_id = "f909075d-afc7-42d7-b399-600b94352fd9"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and process.name : "AzureADConnectAuthenticationAgentService.exe" and
not dll.code_signature.trusted == true and
not dll.path : (
    "?:\\Windows\\assembly\\NativeImages*",
    "?:\\Windows\\Microsoft.NET\\*",
    "?:\\Windows\\WinSxS\\*",
    "?:\\Windows\\System32\\DriverStore\\FileRepository\\*"
)
'''

note = """## Triage and analysis

### Investigating Untrusted DLL Loaded by Azure AD Connect Authentication Agent

#### Possible investigation steps

- Is the loader the expected Azure AD Connect PTA service on the expected host?
  - Focus: `process.name`, `process.executable`, `process.code_signature.subject_name`, `process.code_signature.trusted`, and `host.id`.
  - Implication: escalate if the loader is not the standard Microsoft PTA service binary or its signer/path differs from the recognized sync-host installation; lower suspicion only when the loader is the expected service on a recognized Entra Connect host. Identity does not clear the DLL load.

- What module loaded, and does its identity and path fit a recognized component?
  - Focus: `dll.path`, `dll.hash.sha256`, `dll.code_signature.subject_name`, `dll.code_signature.trusted`, and `dll.pe.original_file_name`; compare the module path with the service path from step 1 to assess side-loading from temp, download, user-writable, UNC, or paths outside the expected service directory.
  - Implication: escalate when the module is untrusted, renamed, newly signed by an unexpected publisher, or outside the service's expected directory tree; lower suspicion only when hash, original name, signer status, and path fit a recognized agent component or security tool loaded by this service.

- Was the module recently dropped, renamed, or placed by a different process?
  - Focus: `dll.Ext.relative_file_creation_time`, `dll.Ext.relative_file_name_modify_time`, and file events where `file.path` equals the alert `dll.path` on `host.id`. $investigate_2
  - Hint: if recency fields or file events are absent, treat provenance as unresolved rather than benign; expand the time range to the creation or rename time when the recency fields point outside the default pivot.
  - Implication: escalate when a different process recently wrote, renamed, or timestomped the DLL; lower suspicion when provenance shows a recognized updater or tooling writer that explains this maintenance event on the sync host.

- Does the service's startup and lineage context fit normal Azure AD Connect operations?
  - Focus: process start event for `process.entity_id`: `process.parent.executable`, `process.parent.command_line`, and `process.command_line`. $investigate_3
  - Implication: escalate if the service was started, restarted, or manipulated by an unusual parent, script, or interactive admin tool; lower suspicion when lineage matches normal service-control or agent-update activity.

- Was the service handling sign-ins around the load, and which identities may have been exposed?
  - Focus: if Windows Security authentication telemetry is collected, recover the service session from `process.Ext.authentication_id`, then query events on `host.id` where `winlog.event_data.TargetLogonId` matches it.
  - Hint: this exposure pivot depends on an additional data source that may not be collected on every PTA host; read `winlog.event_data.TargetUserName`, `source.ip`, `event.outcome`, and `winlog.event_data.AuthenticationPackageName`. Missing authentication telemetry is unresolved, not benign.
  - Implication: escalate credential exposure when successful sign-ins or repeated attempts overlap the load because a malicious module could access PTA credentials handled by the service; bound exposure as lower only when authentication records show the service was idle and the module, provenance, and lineage evidence also fit benign activity.

- If earlier findings remain suspicious, do additional module loads or related alerts show broader service or host compromise?
  - Focus: related alerts for the same service `process.entity_id`. $investigate_0
  - Hint: review related alerts for `host.id` only if local evidence remains suspicious; test one adjacent variant: signed-but-new DLLs in the same PTA service tree. $investigate_1
  - Implication: escalate scope when the same service process or host has service-tampering, credential-access, persistence, or unusual module-load alerts; keep scope local only when local evidence is benign and related-alert review is clean; preserve and escalate if related-alert coverage is unavailable and the module remains suspicious.

- Escalate when the PTA service loads an unrecognized module, provenance is suspicious, lineage is abnormal, or sign-ins could have been exposed; close only when loader, module, path, writer, and host context all fit a repeatable maintenance pattern on the sync host; preserve and escalate if mixed or incomplete.

### False positive analysis

- Azure AD Connect upgrades, agent reinstallation, or a recognized endpoint-security component can legitimately load modules into the service. Confirm only when `dll.hash.sha256`, `dll.code_signature.subject_name`, `dll.path`, `process.parent.executable`, writer provenance, and `host.id` align with the same maintenance or tooling workflow, and no adjacent service-tampering alerts appear. If this is a first-seen pattern and records are unavailable, keep it unconfirmed rather than closing on a partial match.
- Build exceptions only after the benign workflow is fully confirmed, using `host.id`, exact `dll.path`, stable `dll.hash.sha256`, and the recognized `process.parent.executable` or writer process. Avoid exceptions on `process.name`, `user.id`, or all untrusted modules alone.

### Response and remediation

- If confirmed benign, reverse containment and document `host.id`, `process.entity_id`, `dll.path`, `dll.hash.sha256`, and the recognized maintenance or tooling context. Create an exception only if that same pattern recurs across prior alerts.
- If suspicious but unconfirmed, preserve the alert export, service process identity, loaded DLL sample and hash, writer evidence, and surrounding Windows Security records. Apply reversible containment first, such as removing the host from PTA rotation or restricting administrative access, and escalate to host isolation only if likely credential exposure or broader host tampering is confirmed and the outage impact is acceptable. Do not delete the DLL or stop the service before collecting evidence.
- If confirmed malicious, use endpoint response to isolate the host if it is available; otherwise escalate with `host.id`, `process.entity_id`, module path and hash, writer process, and the potentially exposed identity set to the team that can remove the server from service. Before stopping the service or deleting files, collect the DLL, any feasible memory capture, and related `dll.path` artifacts. Review other PTA or Azure AD Connect hosts and identities that authenticated around the load before eradicating the unauthorized module and persistence artifacts, then rotate or reset confirmed or likely exposed Azure AD Connect, PTA, or user credentials and revalidate the service configuration before returning the host to rotation.
- Post-incident hardening: restrict write access to the Azure AD Connect Authentication Agent directories, review administrative access to the PTA host, retain image-load, file, process, and authentication telemetry, and record which telemetry sources limited the investigation.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Sysmon Event ID 7 - Image Loaded](https://ela.st/sysmon-event-7-setup)
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "host.name",
    "host.id",
    "process.entity_id",
    "process.executable",
    "process.command_line",
    "process.code_signature.subject_name",
    "process.code_signature.trusted",
    "process.parent.command_line",
    "process.Ext.authentication_id",
    "dll.path",
    "dll.pe.original_file_name",
    "dll.code_signature.subject_name",
    "dll.code_signature.trusted",
    "dll.Ext.relative_file_creation_time",
]

[[transform.investigate]]
label = "Alerts associated with the same service process instance"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the Azure AD Connect host"
description = ""
providers = [
    [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
    ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the loaded module"
description = ""
providers = [
    [
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "file.path", queryType = "phrase", value = "{{dll.path}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
    ]
]
relativeFrom = "now-24h"
relativeTo = "now"

[[transform.investigate]]
label = "Process start for the authentication service"
description = ""
providers = [
    [
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" },
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
    ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"

[[rule.threat.technique.subtechnique]]
id = "T1556.007"
name = "Hybrid Identity"
reference = "https://attack.mitre.org/techniques/T1556/007/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"

[[rule.threat.technique.subtechnique]]
id = "T1574.001"
name = "DLL"
reference = "https://attack.mitre.org/techniques/T1574/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
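As an added example (not code from the rule or from Elastic), the query's clauses and the file-event pivot from triage step 3 re-implemented in Python over constructed sample events, so the exclusion semantics can be checked offline. The EQL wildcard handling, the treatment of a missing signature verdict, and every host id, path and process name below are assumptions of this example.

```python
import re

# Clauses copied from the rule's EQL query. In EQL the ":" operator is a
# case-insensitive wildcard match: "?" is one character, "*" any run of characters.
PTA_SERVICE = "AzureADConnectAuthenticationAgentService.exe"
EXCLUDED_DLL_PATHS = [
    r"?:\Windows\assembly\NativeImages*",
    r"?:\Windows\Microsoft.NET\*",
    r"?:\Windows\WinSxS\*",
    r"?:\Windows\System32\DriverStore\FileRepository\*",
]

def eql_wildcard(pattern):
    """Compile an EQL ':' pattern into an anchored, case-insensitive regex."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

EXCLUDED = [eql_wildcard(p) for p in EXCLUDED_DLL_PATHS]
SERVICE_NAME = eql_wildcard(PTA_SERVICE)

def matches_rule(ev):
    """True when a single library event satisfies every clause of the query."""
    return (
        ev.get("event.category") == "library"
        and ev.get("host.os.type") == "windows"
        and SERVICE_NAME.match(ev.get("process.name", "")) is not None
        # Assumption of this example: a missing signature verdict counts as untrusted.
        and ev.get("dll.code_signature.trusted") is not True
        and not any(rx.match(ev.get("dll.path", "")) for rx in EXCLUDED)
    )

def module_writers(alert, file_events):
    """Triage step 3 pivot: file events on the alert host whose path is the loaded module."""
    wanted = alert.get("dll.path", "").lower()
    return [
        (fe["process.executable"], fe["event.action"])
        for fe in file_events
        if fe.get("host.id") == alert.get("host.id")
        and fe.get("event.category") == "file"
        and fe.get("file.path", "").lower() == wanted
    ]

def triage(library_events, file_events):
    """Return (dll.path, writers) for every library event the rule would alert on."""
    return [(ev["dll.path"], module_writers(ev, file_events))
            for ev in library_events if matches_rule(ev)]

# Constructed sample telemetry (not real indicators); paths are illustrative only.
def _lib(name, path, trusted, host="h1"):
    return {"event.category": "library", "host.os.type": "windows", "host.id": host,
            "process.name": name, "dll.path": path, "dll.code_signature.trusted": trusted}

SAMPLE_LIBRARY_EVENTS = [
    _lib(PTA_SERVICE, r"C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Service\Common.dll", True),
    _lib(PTA_SERVICE, r"C:\Windows\assembly\NativeImages_v4.0.30319_64\Agent\Agent.ni.dll", False),
    _lib(PTA_SERVICE, r"c:\windows\microsoft.net\Framework64\v4.0.30319\mscorlib.dll", False),
    _lib(PTA_SERVICE, r"C:\Users\Public\Libraries\helper.dll", False),
    _lib("svchost.exe", r"C:\Users\Public\Libraries\helper.dll", False),
]
SAMPLE_FILE_EVENTS = [
    {"event.category": "file", "event.action": "creation", "host.id": "h1",
     "file.path": r"C:\Users\Public\Libraries\helper.dll", "process.executable": r"C:\Temp\deploy.exe"},
    {"event.category": "file", "event.action": "creation", "host.id": "h2",
     "file.path": r"C:\Users\Public\Libraries\helper.dll", "process.executable": r"C:\Temp\deploy.exe"},
]
```

Only the fourth sample event alerts: the signed agent component, the NGEN image under `NativeImages`, and the lowercase `microsoft.net` path are all cleared by the query, and the same DLL loaded by `svchost.exe` is outside the rule's scope.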
Related rules
- Kirbi File Creation
- LSASS Memory Dump Creation
- Microsoft IIS Connection Strings Decryption
- Potential Kerberos SPN Spoofing via Suspicious DNS Query
- Multi-Cloud CLI Token and Credential Access Commands