Azure AD / Entra ID

Azure / Intra ID Post exploitation

An on-premises AD can be integrated with Azure AD using Azure AD Connect with the following methods:

Password Hash Sync (PHS)
Pass-Through Authentication (PTA)
Federation

AD FS

Azure AD Connect is installed on-premises and has a high privilege account both in on AD and Azure AD

Azure

PHS

What is password hash synchronization with Microsoft Entra ID? - Microsoft Entra IDMicrosoftLearn

Password Hash Sync (PHS) shares users and their password hashes from on-premises AD to Azure AD.

A new users MSOL_ is created which has Synchronization rights (DCSync) on the domain

MSOL (Microsoft Online Services) account

Attack Paths

Forest Druid - Concentrez-vous sur votre périmètre de niveau 0Purple Knight

SeamlessPass

Obtain Microsoft 365 access tokens using on-premises Active Directory Kerberos tickets for organizations with Seamless SSO (Desktop SSO) enabled

GitHub - Malcrove/SeamlessPass: A tool leveraging Kerberos tickets to get Microsoft 365 access tokens using Seamless SSOGitHub

EntraTokenAid

GitHub - zh54321/EntraTokenAid: A pure PowerShell solution for Entra OAuth authentication, enabling easy retrieval of access and refresh tokensGitHub

TokenSmith

GitHub - JumpsecLabs/TokenSmith: TokenSmith generates Entra ID access & refresh tokens on offensive engagements. It is suitable for both covert adversary simulations and penetration tests with the tokens generated working out of the box with many popular Azure post exploitation tools.GitHub

BAADTokenBroker

Leverage device-stored keys (Device key, Transport key etc..) to authenticate to Microsoft Entra ID.

GitHub - secureworks/BAADTokenBrokerGitHub

GraphRunner

GitHub - dafthack/GraphRunner: A Post-exploitation Toolset for Interacting with the Microsoft Graph APIGitHub

0365/IntraID exfiltration

Teamfiltration

GitHub - Flangvik/TeamFiltration: TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accountsGitHub

Mitigation

The following security controls should be implemented to mitigate a Microsoft Entra Connect compromise:

Disable hard match takeover. This prevents the source of authority for objects in Microsoft Entra ID from changing to Active Directory. If the source of authority for a Microsoft Entra ID object is changed to Active Directory, then changes made to the Active Directory object overwrite the object’s properties in Microsoft Entra ID, including the password hash. If this setting is not disabled, and PHS is enabled, malicious actors can use this feature to take control of Microsoft Entra ID objects and gain privileged access to cloud-based resources and services.
Disable soft matching. After initial synchronisation between Active Directory and Microsoft Entra ID, there is no requirement to keep soft matching enabled. If soft matching is enabled, it attempts to match new Active Directory objects with existing Microsoft Entra ID objects. If no match is found, then a new Microsoft Entra ID object is provisioned. Malicious actors can use this feature to provision a new user object they control in Microsoft Entra ID and gain privileged access to cloud-based resources and services.
Do not synchronise privileged user objects from AD DS to Microsoft Entra ID. Use separate privileged accounts for AD DS and Microsoft Entra ID. If malicious actors compromise an AD DS domain and gain access to a privileged user object that synchronises with Microsoft Entra ID, then this gives them access to Microsoft Entra ID and they can quickly expand the compromise from AD DS systems to cloud-based services and resources.
Enable MFA for all privileged users in Microsoft Entra ID. This makes it harder for malicious actors to take control of a privileged user object in Microsoft Entra ID as they need the additional authentication factor required by MFA.
Limit access to Microsoft Entra Connect servers to only privileged users that require access. This may be a smaller subset of privileged users than the Domain Admins security group, which reduces the number of user objects malicious actors can target to gain access to Microsoft Entra Connect servers.
Restrict privileged access pathways to Microsoft Entra Connect servers to jump servers and secure admin workstations using only the ports and services that are required for administration. Microsoft Entra Connect servers are classified as ‘Tier 0’ assets within Microsoft’s ‘Enterprise Access Model’.
Ensure passwords for Microsoft Entra Connect server local administrator accounts are long (30-character minimum), unique, unpredictable and managed. Microsoft’s Local Administrator Password Solution (LAPS) can be used to achieve this for local administrator accounts. Local administrator accounts can be targeted by malicious actors to gain access to Microsoft Entra Connect servers. For this reason, these accounts need to be protected from compromise.
Only use Microsoft Entra Connect servers for Microsoft Entra Connect and ensure no other non-security-related services or applications are installed. This reduces the attack surface of Microsoft Entra Connect servers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Microsoft Entra Connect server.
Encrypt and securely store backups of Microsoft Entra Connect and limit access to only Backup Administrators. Backups of Microsoft Entra Connect servers need to be afforded the same security as the actual Microsoft Entra Connect servers. Malicious actors may target backup systems to gain access to critical and sensitive computer objects, such as Microsoft Entra Connect servers.
Centrally log and analyse Microsoft Entra Connect server logs in a timely manner to identify malicious activity. If malicious actors gain privileged access to Microsoft Entra Connect servers, this activity should be identified as soon as possible, increasing response time and limiting impact.