Many modern enterprises operate in a hybrid environment, where Active Directory is used together with Azure Active Directory. In most cases, identities are synchronized from the on-premises Active Directory to Azure AD, and the on-premises AD remains authoritative.
The article walks through an approach to exploiting the Cloud Kerberos Trust in Azure AD to gain Domain Admin privileges. The attack requires a Global Admin account, a hybrid account that can be modified, and a victim account in the on-premises Active Directory with Domain Admin or equivalent privileges. The Global Admin account is used to obtain an access token and modify the hybrid account with the desired SAM name and SID. The modified hybrid account is then used to request a PRT, which includes a partial TGT. The partial TGT is used to request the full TGT, which contains the NT hash of the victim account. The NT hash is then used to perform a DCSync attack, which allows the attacker to forge their own TGTs and gain Domain Admin privileges.
The article also explains how to prevent and detect the attack. It can be prevented by using the tools available in Azure AD to protect highly privileged identities, and by not syncing AD admin accounts to Azure AD. Additionally, the RODC object created by Azure AD can be used to add further accounts and groups to the “Denied password replication” list. This blocks both the Kerberos authentication and the NT hash recovery, so the attack cannot succeed. On the detection side, changes to the hybrid object are logged and show the actor and the modified “LastDirSyncTime” property. Since Global Admin accounts should not be using the synchronization API, such a change is a clear indicator of irregular activity.
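The detection idea above, as an added example that is not part of the original article: it scans audit records for updates that touched LastDirSyncTime but were initiated by something other than the sync service. The record shape follows Microsoft Graph directoryAudits; the allowlist of sync actors, the sample records, and the property names other than LastDirSyncTime are constructed assumptions.

```python
"""Flag Azure AD audit-log updates that changed a hybrid user's LastDirSyncTime
without coming from the directory sync service. Added example: the record shape
follows Microsoft Graph directoryAudits; allowlist and samples are constructed."""
import json

# Assumption: the only principals that legitimately use the synchronization API.
ALLOWED_SYNC_ACTORS = {
    "microsoft azure ad sync",                       # sync app display name
    "sync_server01_1a2b3c@contoso.onmicrosoft.com",  # constructed sync account
}

def actor_of(record):
    """Lower-cased identity of the initiator: user UPN if present, else app name."""
    init = record.get("initiatedBy") or {}
    if init.get("user"):
        return (init["user"].get("userPrincipalName") or "").lower()
    if init.get("app"):
        return (init["app"].get("displayName") or "").lower()
    return ""

def suspicious_sync_changes(records):
    """Return (actor, target UPN, changed properties) for every update that touched
    LastDirSyncTime while the actor is not an allowed sync principal."""
    hits = []
    for rec in records:
        actor = actor_of(rec)
        for target in rec.get("targetResources", []):
            props = [p["displayName"] for p in target.get("modifiedProperties", [])]
            if "LastDirSyncTime" in props and actor not in ALLOWED_SYNC_ACTORS:
                hits.append((actor, target.get("userPrincipalName"), props))
    return hits

# Constructed sample: a routine sync-app update, then a Global Admin rewriting the
# on-premises identity attributes (SAM name and SID) of the same hybrid user.
SAMPLE_LOG = json.loads("""[
 {"activityDisplayName": "Update user",
  "initiatedBy": {"app": {"displayName": "Microsoft Azure AD Sync"}, "user": null},
  "targetResources": [{"userPrincipalName": "hybriduser@contoso.com",
    "modifiedProperties": [{"displayName": "LastDirSyncTime"}]}]},
 {"activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.onmicrosoft.com"}, "app": null},
  "targetResources": [{"userPrincipalName": "hybriduser@contoso.com",
    "modifiedProperties": [{"displayName": "LastDirSyncTime"},
                           {"displayName": "OnPremisesSamAccountName"},
                           {"displayName": "OnPremisesSecurityIdentifier"}]}]}
]""")

if __name__ == "__main__":
    for actor, target, props in suspicious_sync_changes(SAMPLE_LOG):
        print(f"ALERT: {actor} modified {target}: {', '.join(props)}")
```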
The article credits the researchers behind this work and illustrates it with examples, including both the successes and the failures they encountered along the way. It also considers how the findings could apply in other areas. The tools used in the attack are available on the ROADtools and ROADtools hybrid GitHub pages.
📓 Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
👉🏽 Many modern enterprises operate in a hybrid environment, where Active Directory is used together with Azure Active Directory. In most cases, identities are synchronized from the on-premises Active Directory to Azure AD, and the on-premises AD remains authoritative.
👉🏽 Discussion of exploiting Cloud Kerberos Trust in Azure AD for Domain Admin privileges.
👉🏽 Global Admin account used to obtain an access token and modify the hybrid account.
👉🏽 Modified hybrid account used to request a partial TGT and then a full TGT.
👉🏽 NT hash of the victim account used to perform a DCSync attack, gaining Domain Admin access.
👉🏽 Prevention through tools in Azure AD and by not syncing AD admin accounts.
👉🏽 Use of the RODC object to add accounts and groups to the "Denied password replication" list.
👉🏽 Detection through logged changes to the hybrid object and the modified "LastDirSyncTime" property.
👉🏽 Acknowledgment and examples of the researchers' work.
👉🏽 Consideration of potential applications of the findings in other areas.
👉🏽 Tools used in the attack are available on the ROADtools GitHub pages.
#CloudKerberosTrust #AzureAD #DomainAdminPrivileges #PreventionAndDetection #ROADtools