Back to Intelligence

Auth Stack Hijacking: Detecting Decade-Long Persistence in Isolated Networks

SA
Security Arsenal Team
June 13, 2026
5 min read

A recent report from BleepingComputer has unveiled a chilling reality of modern advanced persistent threats (APTs): Chinese state-sponsored actors successfully hijacked a target organization's authentication stack, maintaining persistence for a staggering ten years. This wasn't a transient smash-and-grab; it was a strategic, long-term compromise of the identity layer.

For defenders, this is a wake-up call. If an adversary controls your authentication flow, they control your reality. They can bypass MFA, impersonate admins at will, and exfiltrate data without tripping traditional "login failure" alarms. This post dissects the mechanics of auth stack hijacking and provides the detection logic and hardening steps you need to evict these dormant occupants.

Technical Analysis

The Attack Vector: Authentication Stack Compromise

Rather than compromising individual endpoints, the actors targeted the core identity provider (IdP) or the authentication middleware governing the isolated network. By embedding themselves into the auth flow, the actors achieved full visibility into administrative activities.

  • Affected Component: Enterprise Identity Providers (IdP) and Authentication Services (e.g., AD FS, custom SAML/OIDC implementations, or RADIUS servers in segmented networks).
  • Mechanism: The attackers likely manipulated the trust relationships or the signing certificates used by the IdP, or injected malicious modules into the authentication pipeline. This allows them to forge valid tokens or intercept and approve requests silently.
  • Persistence Mechanism: Persistence is achieved not through registry keys or scheduled tasks on user workstations, but by maintaining a foothold on the authentication servers themselves—often the most critical, yet least frequently reimaged, assets in a Windows environment.
  • Exploitation Status: Confirmed active exploitation in the wild. The ten-year duration indicates a highly sophisticated, low-observable operational security (OpSec) posture designed to blend in with legitimate administrative traffic.

Detection & Response

Detecting this type of compromise requires a shift from alerting on "bad logins" to alerting on "weird auth behavior." We need to hunt for modifications to the identity infrastructure itself.

SIGMA Rules

YAML
---
title: Suspicious Modification of IdP Configuration Files
id: 8a4b2c1d-9e6f-4a3b-8c5d-1e2f3a4b5c6d
status: experimental
description: Detects modifications to critical Identity Provider configuration files or web.config which may indicate an attempt to hijack the auth flow.
references:
  - https://attack.mitre.org/techniques/T1556/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1556
logsource:
  category: file_change
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Microsoft Identity Server\'
      - '\ADFS\'
      - '\inetpub\adfs\'
      - 'web.config'
  filter:
    User|contains:
      - 'AUTHORITY\SYSTEM'
      - 'NT SERVICE\'
  condition: selection and not filter
falsepositives:
  - Legitimate administrator patching or configuration updates
level: high
---
title: Unusual Process Spawn by Auth Service
id: 9c5d3e2f-0a7b-5c4d-9e6f-2a3b4c5d6e7f
status: experimental
description: Detects the identity service spawning suspicious child processes like PowerShell or CMD, often used for persistence or discovery.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - 'wsmprovhost.exe'
      - 'Microsoft.IdentityServer.ServiceHost.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Rare administrative troubleshooting scripts
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious modifications to Identity Provider administrative roles or trust settings
IdentityInfo
| where AccountType contains "Admin"
| join kind=inner (SecurityEvent
| where EventID in (4672, 4720, 4728, 4732, 4756)
| project SubjectUserName, SubjectLogonId, EventID, Activity, ComputerName) on AccountName
| where TimeGenerated > ago(30d)
| summarize count() by bin(TimeGenerated, 1h), SubjectUserName, ComputerName, EventID
| where count_ > 5 // Threshold for bulk admin actions
| project TimeGenerated, SubjectUserName, ComputerName, EventID, count_
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for persistence mechanisms on Auth Servers (AD FS/IdP)
-- Look for unusual services or scheduled tasks running as Service accounts
SELECT 
  Name, 
  BinPath, 
  StartType, 
  ServiceType, 
  UserAccount
FROM services()
WHERE
  UserAccount =~ "svchost" 
  OR BinPath =~ "powershell" 
  OR BinPath =~ "cmd"
  OR Name =~ "HealthService" -- Commonly abused for persistence
ORDER BY Name

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Audit and Harden Authentication Stack Configuration
.DESCRIPTION
    Reviews the integrity of IdP configurations and checks for trust relationship anomalies.
#>

Write-Host "Starting Authentication Stack Audit..." -ForegroundColor Cyan

# Check for recent modifications to ADFS config if present
$adfsPath = "C:\inetpub\adfs\config"
if (Test-Path $adfsPath) {
    Write-Host "Checking ADFS Configuration Files..." -ForegroundColor Yellow
    Get-ChildItem -Path $adfsPath -Recurse -File `
    | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } `
    | Select-Object FullName, LastWriteTime, Length
} else {
    Write-Host "ADFS path not found on this host." -ForegroundColor Gray
}

# Audit Group Membership for Privileged Identities
Write-Host "Auditing Domain/Enterprise Admins..." -ForegroundColor Yellow
try {
    Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, objectClass
    Get-ADGroupMember -Identity "Enterprise Admins" -Recursive | Select-Object Name, SamAccountName, objectClass
} catch {
    Write-Host "Active Directory module not available or insufficient permissions." -ForegroundColor Red
}

Write-Host "Audit Complete. Review results for anomalies." -ForegroundColor Green

Remediation

Immediate Actions:

  1. Credential Reset: Assume all credentials handled by the compromised auth stack are compromised. Force a password reset for all accounts in the affected directory, focusing on privileged accounts first.
  2. Token Signing Rotation: If using an IdP like AD FS, immediately rotate the Token-Signing and Token-Decrypting certificates. This invalidates any forged tokens the attackers may have generated.
  3. Trust Review: Audit all federated trust relationships configured in the IdP. Remove any unknown or legacy trusts immediately.

Long-Term Hardening:

  1. Implement Phishing-Resistant MFA: Move beyond SMS or TOTP. Adopt FIDO2/WebAuthn or Certificate-Based Authentication (CBA) to bind identity to hardware, making it significantly harder for attackers to hijack the auth flow remotely.
  2. Zero Trust Architecture: Segment the authentication servers themselves. Ensure that management planes are strictly isolated from data planes and that lateral movement from an IdP server is impossible.
  3. Infrastructure as Code (IaC) for Identity: Treat auth configuration as code. Monitor drift. If a config changes without a merge request in your repository, alert immediately.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcare-cybersecurityhipaa-compliancehealthcare-ransomwareehr-securitymedical-data-breachchinese-aptauth-stackpersistence

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action