Unknown DLL was added to the AD FS Global Assembly Cache path

Cortex XDR Analytics Alert Reference by data source

Product

Cortex XDR

Last date published

2026-05-18

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent with eXtended Threat Hunting (XTH)
Detection Modules	Identity Analytics
Detector Tags	Active Directory Federation Services Analytics
ATT&CK Tactic	Persistence (TA0003) Privilege Escalation (TA0004)
ATT&CK Technique	Hijack Execution Flow (T1574)
Severity	Informational

Description

A new and unknown DLL was created within the Active Directory Federation Services (AD FS) Global Assembly Cache (GAC). Attackers may manipulate IdentityServer adapters to achieve persistence or execute malicious code within the AD FS environment.

Attacker's Goals

Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.

Investigative actions

Check if the AD FS service was stopped or restarted around the time of modification.
Identify the user or process responsible for the file creation.
Verify if the DLL is digitally signed by Microsoft.
Compare the modification timestamp of this DLL against others in the same directory.

Variations

Suspicious DLL was added to the AD FS Global Assembly Cache path

Synopsis

ATT&CK Tactic

ATT&CK Technique

Hijack Execution Flow (T1574)

Severity

Low

Description

Attacker's Goals

Attackers may inject malicious code into the AD FS server and manipulate the IdentityServer adapters to gain persistence.

Investigative actions

Check if the AD FS service was stopped or restarted around the time of modification.
Identify the user or process responsible for the file creation.
Verify if the DLL is digitally signed by Microsoft.
Compare the modification timestamp of this DLL against others in the same directory.