While working on another blog post I looked at the different lateral movement paths an attacker can use once she has compromised the Azure AD Connect server. Since this server is the gateway to the cloud environment, there is already quite some research available.
This article examines an alternative lateral movement path for an attacker who has compromised the Azure AD Connect server. The attacker can use the credentials of the “Azure AD Connector account”, which is a member of the “Directory Synchronization Accounts” role, to gain access to the cloud environment. This role grants extensive permissions, including the ability to update applications and service principals. If the attacker finds an application with the permissions “Application.ReadWrite.All”, “AppRoleAssignment.ReadWrite.All”, or “RoleManagement.ReadWrite.Directory”, they can use this to gain global admin permissions without needing to reset the password. The article provides a proof of concept script to demonstrate the attack and advice on how to detect it.
The article then goes on to discuss how to detect and mitigate the attack. It suggests treating the alert “AAD Connect private key extraction attempt” with high priority and using Microsoft Defender for Cloud Apps (MDA) and Microsoft Sentinel to detect each step of the attack path. It also explains how to detect changes to high-privileged roles in Azure AD, unusual sensitive actions performed by the Azure AD Connect account, and potentially malicious sign-ins from the Azure AD Connect account. Additionally, it covers how to use IdentityInfo-based detections.
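To make the three detections named above concrete, here is an added example (not code from the original article) that runs them over constructed records shaped like Microsoft Entra (Azure AD) AuditLogs and SigninLogs rows. The field names, sample values, the Sync_ naming check and the IP allow-list are assumptions; the operation names are modelled on Entra audit log OperationName values.

```python
"""Detection sketch for the attack path summarised above: sensitive directory
changes and unexpected sign-ins performed by the Azure AD Connect sync account.

Added example, not the article's code. Runs on constructed rows shaped like
Entra AuditLogs / SigninLogs; field names and sample values are assumptions.
"""

# Directory changes the Directory Synchronization Accounts role has no
# business performing; the sync account being the actor is the signal.
SENSITIVE_OPERATIONS = {
    "Add member to role",
    "Add app role assignment to service principal",
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Roles whose membership changes should always be reviewed, whoever did them.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def is_sync_account(upn: str) -> bool:
    """AAD Connect creates its connector account as Sync_<server>_<id>@<tenant>
    (assumed default naming; adjust if the account was renamed)."""
    return upn.lower().startswith("sync_")


def find_sensitive_sync_actions(audit_logs):
    """Sensitive operations initiated by the sync account: alert on each one."""
    return [
        {"time": row["TimeGenerated"], "actor": row["InitiatedByUpn"],
         "operation": row["OperationName"], "target": row["TargetResource"]}
        for row in audit_logs
        if is_sync_account(row["InitiatedByUpn"])
        and row["OperationName"] in SENSITIVE_OPERATIONS
    ]


def find_privileged_role_changes(audit_logs, privileged_roles=PRIVILEGED_ROLES):
    """Any membership addition to a high-privileged role, regardless of actor."""
    return [
        {"time": row["TimeGenerated"], "actor": row["InitiatedByUpn"],
         "role": row["TargetResource"]}
        for row in audit_logs
        if row["OperationName"] == "Add member to role"
        and row["TargetResource"] in privileged_roles
    ]


def find_unexpected_sync_signins(signin_logs, expected_ips):
    """Sync account sign-ins from outside the AAD Connect server's known IPs,
    i.e. what a location-based conditional access policy would also block."""
    return [
        {"time": row["TimeGenerated"], "user": row["UserPrincipalName"],
         "ip": row["IPAddress"], "app": row["AppDisplayName"]}
        for row in signin_logs
        if is_sync_account(row["UserPrincipalName"])
        and row["IPAddress"] not in expected_ips
    ]


# Constructed sample rows (not real tenant data).
SYNC_UPN = "sync_aadc01_1a2b3c@contoso.onmicrosoft.com"
AUDIT_LOGS = [
    {"TimeGenerated": "2023-05-01T10:00:00Z", "OperationName": "Update user",
     "InitiatedByUpn": SYNC_UPN, "TargetResource": "alice@contoso.com"},
    {"TimeGenerated": "2023-05-01T10:05:00Z",
     "OperationName": "Add service principal credentials",
     "InitiatedByUpn": SYNC_UPN, "TargetResource": "graph-automation-app"},
    {"TimeGenerated": "2023-05-01T10:06:00Z", "OperationName": "Add member to role",
     "InitiatedByUpn": SYNC_UPN, "TargetResource": "Global Administrator"},
    {"TimeGenerated": "2023-05-01T11:00:00Z", "OperationName": "Add member to role",
     "InitiatedByUpn": "admin@contoso.com", "TargetResource": "Global Administrator"},
    {"TimeGenerated": "2023-05-01T11:10:00Z", "OperationName": "Add member to role",
     "InitiatedByUpn": "admin@contoso.com", "TargetResource": "Helpdesk Administrator"},
]
SIGNIN_LOGS = [
    {"TimeGenerated": "2023-05-01T09:55:00Z", "UserPrincipalName": SYNC_UPN,
     "IPAddress": "203.0.113.10", "AppDisplayName": "Microsoft Azure AD Sync"},
    {"TimeGenerated": "2023-05-01T10:04:00Z", "UserPrincipalName": SYNC_UPN,
     "IPAddress": "198.51.100.77", "AppDisplayName": "Microsoft Graph PowerShell"},
    {"TimeGenerated": "2023-05-01T10:30:00Z", "UserPrincipalName": "alice@contoso.com",
     "IPAddress": "198.51.100.77", "AppDisplayName": "Office 365"},
]
AADC_SERVER_IPS = {"203.0.113.10"}  # assumed egress IP of the AAD Connect server

if __name__ == "__main__":
    for alert in (find_sensitive_sync_actions(AUDIT_LOGS)
                  + find_privileged_role_changes(AUDIT_LOGS)
                  + find_unexpected_sync_signins(SIGNIN_LOGS, AADC_SERVER_IPS)):
        print(alert)
```

Over the sample rows the routine sync "Update user" is ignored, the credential addition and the role assignment by the sync account are flagged as sensitive actions, both Global Administrator additions surface in the role-change check, and the one sync-account sign-in from a non-server IP is reported; the same logic maps directly onto Sentinel queries over the real tables.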
For mitigation strategies, the article suggests limiting the use of sensitive API permissions, using location-based conditional access, restricting application execution on the AAD Connect server, treating AAD Connect as a control plane asset, and using authentication policies and authentication silos. It emphasizes the importance of understanding the complexity of cloud environments and trying out different attack methods to better understand which alerts your tooling is capable of raising. It also encourages readers to combine already documented attack paths to find paths that may not yet be documented in depth. Finally, it provides links to additional resources for further reading.
📓 From on-prem to Global Admin without password reset
👉🏽 Examines lateral movement path of attacker who has compromised Azure AD Connect server.
👉🏽 Attacker uses credentials of "Azure AD Connector account" to gain access to cloud.
👉🏽 Directory Synchronization Accounts role grants extensive permissions.
👉🏽 Attacker can gain global admin permissions without resetting password.
👉🏽 Provides proof of concept script for the attack and detection advice.
👉🏽 Suggests treating "AAD Connect private key extraction attempt" with high priority.
👉🏽 Recommends using Microsoft Defender for Cloud Apps and Microsoft Sentinel to detect the attack.
👉🏽 Explains how to detect changes to high privileged roles, unusual actions, and malicious sign-ins.
👉🏽 Gives mitigation strategies: limit API permissions, use conditional access, restrict application execution, etc.
👉🏽 Emphasizes the importance of understanding cloud environments and combining attack paths.
#AzureAD #Compromise #Credentials #Detection #Mitigation