Beyond On-Premises: Exploring the Post-Domain Admin Landscape in the Cloud

By Sriraam Natarajan, Venkatraman Kumar on 01 Jun 2023 @ Securityfest
#red-teaming #azure #active-directory #privilege-escalation #cloud-pentesting
Focus Areas: ☁️ Cloud Security, 🪪 Identity & Access Management, 🚨 Incident Response, 🎯 Penetration Testing


Abstract

Organizations are increasingly relying on cloud services from Azure, as there is native support from Microsoft. After obtaining Domain Admin privileges, it is essential to always think of attack paths or scenarios to escalate our privileges or describe the maximum impact. One such path is escalating privileges to Azure services. This talk demonstrates attack paths for obtaining Global Administrator privileges on Azure AD from Domain Admin privileges on the on-premises network. Multiple domains can be registered under a single tenant; hence, after obtaining Global Admin privileges on Azure, it is possible for the adversary to gain administrative access over all of these domains.

Presented at Security Fest 2023.

AI Generated Summary

The talk detailed attack paths for compromising Azure Active Directory in hybrid environments, starting from a foothold in an on-premises Active Directory network. The core research identified that Azure AD Connect synchronization accounts (MSOL accounts) often possess high privileges, including Domain Admin rights on-premises and Global Administrator rights in Azure, making them critical high-value targets.

Key techniques were presented for exploiting four primary hybrid authentication methods:

  1. Password Hash Synchronization: Attackers with domain admin privileges can dump the clear-text password of the MSOL account from the Azure AD Connect server’s LSA secrets. This credential grants direct control over the Azure tenant, allowing modification of any synchronized user, including Global Administrators.
  2. Seamless SSO: The computer account AZUREADSSOACC$ is created in the domain. Its NTLM hash can be dumped by a domain admin to forge Kerberos tickets for any user, enabling Azure access without passwords.
  3. Pass-through Authentication (PTA): The PTA agent service on the Azure AD Connect server processes authentication requests. A tool called PTA Spy can inject into this process to silently capture clear-text credentials as they are validated.
  4. Active Directory Federation Services (ADFS): The token-signing certificate on the ADFS server can be stolen by an administrator to forge SAML tokens, impersonating any user, including Global Admins, to access Azure resources.

Practical implications include bypassing common mitigations. Even if MFA is enabled on a Global Administrator, attackers can target accounts with equivalent privileges (e.g., Password Administrator, Helpdesk Administrator) or service accounts where MFA is often disabled. Remote credential dumping techniques (e.g., via WMI or SMB) were highlighted to evade endpoint detection.

Future work involves extending these synchronization attack patterns to other cloud providers like Google Workspace and AWS, and integrating all exploitation methods into a single tool for adversary simulation. The research underscores that a single compromised on-premises domain can lead to full compromise of an entire cloud tenant and its associated domains.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.