Beyond LSASS: Cutting-Edge Techniques for Undetectable Threat Emulation

By Priyank Nigam on 13 Mar 2025 @ Insomnihack
📹 Video 🔗 Link
#post-exploitation #lateral-movement #identity-management
Focus Areas: 🪪 Identity & Access Management, 🎯 Penetration Testing

Presentation Material

Abstract

In most Active Directory post-exploitation scenarios, the initial focus of red teamers for lateral movement is often the Local Security Authority Subsystem Service (LSASS) process. However, due to its extensive monitoring, any competent Endpoint Detection and Response (EDR) system will detect and flag such activities.

In this presentation, we will delve into innovative methods for navigating Microsoft Azure Active Directory (now Entra ID) based environments and achieving our objectives with greater stealth. We will discuss searching for authentication tokens in memory and on disk for Microsoft 365 applications and how these can be exploited. Additionally, we will examine Chromium-based applications utilizing WebView technology, exploring how they are constructed and the potential vulnerabilities where secrets may be exposed.

We will cover lateral movement within cloud environments, the use of long-lived Single Sign-On (SSO) tokens, conditional access policies, and other specific features of Entra ID that can make your next threat emulation exercise undetectable by defenders.

Finally, we will provide defenders with valuable tips on monitoring these techniques and suggest other defense-in-depth practices. Join us to enhance your knowledge of both offensive and defensive strategies in this evolving landscape.

AI Generated Summary

This talk addresses post-exploitation techniques for modern Windows 10/11 environments within cloud-centric corporate networks, assuming initial access as an unprivileged user. The core research shifts focus from traditional on-premises Active Directory credential harvesting (e.g., LSASS dumping) to stealing authentication tokens from cloud-native applications to achieve persistence and lateral movement while minimizing detection.

Key findings revolve around Chromium-based WebView2 applications (e.g., Microsoft Teams, Outlook, Copilot), which run numerous utility processes. Attackers can target specific “storage service” and “network service” subtype processes to dump memory and extract OAuth 2.0 access tokens (short-lived, scoped) and refresh tokens (longer-lived). A critical technique involves exploiting the “family of client IDs” trust relationship within Microsoft’s ecosystem: a refresh token obtained from one application (e.g., Teams) can be exchanged for access tokens for other services (e.g., Power Apps, Azure Resource Manager), enabling broad network pivoting without touching monitored on-prem systems. For long-term persistence, the talk details harvesting Primary Refresh Tokens (PRTs) from TPM-protected storage, often via hijacked communication between browser extensions and native binaries, to obtain SSO tokens valid for weeks.
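The cross-family token exchange described above leaves a trace in the tenant's sign-in records: one client application suddenly obtaining tokens for resources it never normally needs. The script below is an added example of detection logic for that pattern; it is not code from the talk. The record fields are modelled on the Microsoft Graph signIn resource (userPrincipalName, appId, appDisplayName, resourceDisplayName, createdDateTime), but every event is a constructed sample, the app IDs are placeholders, and the BASELINE mapping is a hypothetical allowlist a defender would derive from their own tenant's history.

```python
"""Flag cross-service token acquisition that breaks a client app's normal pattern.

Added illustration, not code from the talk. Field names mirror the Microsoft
Graph signIn resource, but all events, app IDs and the BASELINE mapping are
constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: resources each client app is normally seen requesting.
# A real deployment would learn this from weeks of the tenant's own sign-in logs.
BASELINE = {
    "Teams Desktop (placeholder)": {"Microsoft Graph", "Microsoft Teams Services"},
}
WINDOW = timedelta(minutes=10)   # burst-detection window
MAX_DISTINCT_RESOURCES = 3       # more distinct resources than this per window is suspicious

# Constructed sign-in records (not real tenant data).
SAMPLE_EVENTS = [
    {"createdDateTime": "2025-03-13T10:00:00+00:00", "userPrincipalName": "alice@example.test",
     "appId": "app-id-placeholder-1", "appDisplayName": "Teams Desktop (placeholder)",
     "resourceDisplayName": "Microsoft Graph"},
    {"createdDateTime": "2025-03-13T10:01:00+00:00", "userPrincipalName": "alice@example.test",
     "appId": "app-id-placeholder-1", "appDisplayName": "Teams Desktop (placeholder)",
     "resourceDisplayName": "Microsoft Teams Services"},
    {"createdDateTime": "2025-03-13T10:02:00+00:00", "userPrincipalName": "alice@example.test",
     "appId": "app-id-placeholder-1", "appDisplayName": "Teams Desktop (placeholder)",
     "resourceDisplayName": "Azure Resource Manager"},
    {"createdDateTime": "2025-03-13T10:03:00+00:00", "userPrincipalName": "alice@example.test",
     "appId": "app-id-placeholder-1", "appDisplayName": "Teams Desktop (placeholder)",
     "resourceDisplayName": "PowerApps Service"},
    {"createdDateTime": "2025-03-13T11:00:00+00:00", "userPrincipalName": "bob@example.test",
     "appId": "app-id-placeholder-1", "appDisplayName": "Teams Desktop (placeholder)",
     "resourceDisplayName": "Microsoft Graph"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of a sign-in record."""
    return datetime.fromisoformat(event["createdDateTime"])


def find_anomalies(events, baseline=BASELINE, window=WINDOW, max_resources=MAX_DISTINCT_RESOURCES):
    """Return a list of alert dicts. Two independent checks run on every event:
    1. the client app requested a resource outside its baseline;
    2. the (user, app) pair obtained tokens for many distinct resources in a short burst."""
    alerts = []
    recent = defaultdict(list)  # (user, appId) -> [(timestamp, resource), ...] inside the window
    for ev in sorted(events, key=_ts):
        ts = _ts(ev)
        key = (ev["userPrincipalName"], ev["appId"])
        resource = ev["resourceDisplayName"]

        # Check 1: a client app requesting a resource it has never been seen to need.
        allowed = baseline.get(ev["appDisplayName"])
        if allowed is not None and resource not in allowed:
            alerts.append({"kind": "resource_outside_baseline", "user": key[0],
                           "app": ev["appDisplayName"], "resource": resource, "time": ts})

        # Check 2: slide the window forward, then count distinct resources in it.
        recent[key] = [(t, r) for t, r in recent[key] if ts - t <= window]
        recent[key].append((ts, resource))
        distinct = {r for _, r in recent[key]}
        if len(distinct) > max_resources:
            alerts.append({"kind": "resource_burst", "user": key[0], "app": ev["appDisplayName"],
                           "resources": sorted(distinct), "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, the third and fourth events trigger the baseline check and the fourth also trips the burst check; Bob's single Graph token is silent. The two checks are deliberately independent: the baseline catches a single unusual resource, while the burst check needs no baseline and still catches a client fanning out across services.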

Practical tools include custom PowerShell for targeted process mini-dumps and Python scripts using the MSAL library to exchange tokens, deliberately avoiding high-detection tools like Rubeus. The primary implication is that the attack surface has shifted from the endpoint to cloud API token abuse. Defenders must monitor for token theft from WebView processes, scrutinize token scopes and family-of-client-ID configurations in Entra ID, and detect anomalous token exchanges across service families, as traditional privilege escalation is no longer a prerequisite for significant data exfiltration.
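The endpoint-side half of the defender guidance above is detecting the mini-dump itself: a process opening a memory-read handle on a WebView2 utility process. The script below is an added example of that detection over Sysmon ProcessAccess (Event ID 10) records; it is not code from the talk. Field names follow Sysmon's documented event schema (UtcTime, SourceImage, TargetImage, GrantedAccess), the access-right constants are the documented Win32 PROCESS_* values, and msedgewebview2.exe is the real WebView2 runtime image name, but the events and the ALLOWED_SOURCES list are constructed samples, not real telemetry.

```python
"""Flag memory-read handles opened on WebView2 processes (Sysmon Event ID 10).

Added illustration, not code from the talk. Field names follow Sysmon's
ProcessAccess event; the events and ALLOWED_SOURCES are constructed samples.
"""
from pathlib import PureWindowsPath

# Documented Win32 process access rights (the subset relevant to memory dumps).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
RIGHT_NAMES = {
    PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_READ: "VM_READ",
    PROCESS_VM_WRITE: "VM_WRITE",
    PROCESS_DUP_HANDLE: "DUP_HANDLE",
    PROCESS_QUERY_INFORMATION: "QUERY_INFORMATION",
    PROCESS_QUERY_LIMITED_INFORMATION: "QUERY_LIMITED_INFORMATION",
}

# WebView2 runtime image; its storage/network utility subprocesses share this name.
WEBVIEW2_IMAGE = "msedgewebview2.exe"

# Constructed allowlist: images that legitimately open handles to WebView2 processes
# (the runtime's own browser process managing its children). Tune per environment.
ALLOWED_SOURCES = {"msedgewebview2.exe"}

# Constructed Sysmon Event ID 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-03-13 10:02:11", "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "GrantedAccess": "0x1410"},
    {"UtcTime": "2025-03-13 10:02:12", "SourceImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "GrantedAccess": "0x1fffff"},
    {"UtcTime": "2025-03-13 10:02:13", "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "GrantedAccess": "0x1000"},
    {"UtcTime": "2025-03-13 10:05:40", "SourceImage": r"C:\Users\alice\AppData\Local\Temp\unknown-tool.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "GrantedAccess": "0x1fffff"},
    {"UtcTime": "2025-03-13 10:06:00", "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1410"},
]


def decode_rights(mask):
    """Translate a GrantedAccess bitmask into the named rights it contains."""
    return sorted(name for bit, name in RIGHT_NAMES.items() if mask & bit)


def is_suspicious(event, allowed_sources=ALLOWED_SOURCES):
    """True when a non-allowlisted image opens a WebView2 process with memory-read rights."""
    target = PureWindowsPath(event["TargetImage"]).name.lower()
    source = PureWindowsPath(event["SourceImage"]).name.lower()
    if target != WEBVIEW2_IMAGE or source in allowed_sources:
        return False
    mask = int(event["GrantedAccess"], 16)
    # Writing a mini-dump requires reading the target's memory; query-only handles
    # (for example 0x1000 from shell and monitoring tools) are routine and ignored.
    return bool(mask & PROCESS_VM_READ)


def detect(events, allowed_sources=ALLOWED_SOURCES):
    """Return one hit dict per suspicious event, with the decoded access rights."""
    hits = []
    for ev in events:
        if is_suspicious(ev, allowed_sources):
            mask = int(ev["GrantedAccess"], 16)
            hits.append({"time": ev["UtcTime"], "source": ev["SourceImage"],
                         "target": ev["TargetImage"], "rights": decode_rights(mask)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

On the constructed sample, the PowerShell handle with 0x1410 (QUERY_INFORMATION, QUERY_LIMITED_INFORMATION and VM_READ, the combination a mini-dump needs) and the all-access handle from the unknown Temp binary are flagged; the runtime's own child-process handle is allowlisted, the explorer.exe query-only handle carries no VM_READ, and the notepad.exe access is out of scope. The allowlist is by image name only for brevity; a production rule would also pin the allowed source to its expected signed path.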

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content. Learn more about our AI experiments.