Demystifying the Arcane of Lateral Movement between Azure & On-Prem AD

September 27, 2024 (GMT +8)
09:45
Ballroom 1 & 2
     

In a hybrid identity environment, enterprises can integrate and leverage the advantages of cloud and on-premises systems. However, attackers often exploit the blurred trust boundaries between these environments. To the best of our knowledge, this talk will enumerate multiple trust, control, and data flow relationships between Azure and on-premises Active Directory (AD), demonstrating how these mechanisms could be abused for lateral movement between the two.

The presentation will be divided into two parts. The first part will explore various techniques for lateral movement from on-premises systems to the cloud. This section will cover methods for stealing user cloud credentials, including multiple phishing techniques and ways of extracting cloud credentials from endpoints, thereby gaining access to the cloud environment by passing the token or cookie. The second part will focus on techniques for lateral movement from the cloud back to on-premises. This section will examine how to achieve that goal by abusing well-known mechanisms such as Cloud Kerberos Trust and Microsoft Intune, as well as some obscure techniques such as abusing Azure LAPS, hybrid connections, and adding users as local administrators on the device during Microsoft Entra join.

Both parts will classify the relationships between cloud and on-premises systems, summarizing the prerequisites for these attacks (such as the mechanisms that need to be enabled and the required permissions), what privileges can be gained from these attacks, and how to detect and mitigate them.

Speaker

Echo Lee

Echo Lee is a cybersecurity researcher at CyCraft Technology, specializing in network and cloud security. He has presented at several industry conferences, including InfoSec Taiwan and CyberSec. Additionally, Echo has served as a lecturer for training courses for government agencies and universities.
