Detections
Analytics
Modify Authentication Process: Hybrid Identity
Description
Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to on-premises user identities in order to bypass typical authentication mechanisms, access credentials, and enable persistent access to accounts.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | Entra ID | Read-only | HTTPS | Azure Users | ||
| Tenable Identity Exposure | Active Directory | Standard AD User | LDAP | List of Domain Computers and Users | ||
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Users | Plugin ID: 167250 |
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access, Defense Evasion, Persistence
Technique: Modify Authentication Process
Sub-Technique: Hybrid Identity
Platform: Entra ID
Products Required: Tenable Identity Exposure
Tenable Release Date: 2024 Q3