
AAD Joined Machines - The New Lateral Movement

Conference:  Black Hat USA 2022

2022-08-10

Summary

The presentation covers lateral movement between Azure AD joined devices and how to detect and mitigate it.
  • Lateral movement means reusing stolen credential material to authenticate from one device to another
  • The primary refresh token (PRT) of a logged-on user can be used to obtain an Azure AD issued certificate, which then authenticates that user to other Azure AD joined machines
  • Network traffic analysis and Windows Event logs can be used to spot suspicious network logons
  • Mitigations include requiring SMB signing and keeping devices patched
The presenter demonstrated how an attacker can use a relay server to authenticate to a victim machine and dump its credential hashes. They also showed how tampering with the authentication messages in transit bypasses the protocol's network-level checks and still results in a successful authentication.
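As an added example that is not part of the talk or its tooling, the following PowerShell script does the two defensive things the summary lists on a single Azure AD joined host: it checks whether SMB signing is actually required (enforcing it if not), and it hunts the Security log for network logons (type 3) by Azure AD accounts, flagging those that come from addresses outside an allow-list. The allow-list `$TrustedSources` and the assumption that Azure AD users appear with `AzureAD` as `TargetDomainName` in event 4624 are both assumptions made for this example; run it elevated.

```powershell
# Added example (not from the talk): check SMB signing enforcement and
# hunt network logons by Azure AD accounts in the Security event log.
# Assumptions: runs elevated on the AAD-joined Windows host being checked;
# $TrustedSources is a placeholder allow-list you maintain yourself.

$TrustedSources = @('10.0.0.5')   # assumed: hosts allowed to log on remotely

# --- Mitigation check: SMB signing must be *required*, not merely enabled ---
$srv = Get-SmbServerConfiguration
$cli = Get-SmbClientConfiguration
[pscustomobject]@{
    ServerRequiresSigning = $srv.RequireSecuritySignature
    ClientRequiresSigning = $cli.RequireSecuritySignature
} | Format-List

if (-not $srv.RequireSecuritySignature) {
    # A relayed authentication to this host's SMB service is only rejected
    # when signing is required; "enabled" alone still allows unsigned sessions.
    Write-Warning 'SMB server signing is not required; enforcing it.'
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
}

# --- Detection: network logons (LogonType 3) by Azure AD accounts ---
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the EventData fields out of the event XML into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Type 3 = network logon; 'AzureAD' is assumed to be the domain shown
    # for Azure AD users on an AAD-joined device.
    if ($d.LogonType -eq '3' -and $d.TargetDomainName -eq 'AzureAD') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = $d.TargetUserName
            SourceIp    = $d.IpAddress
            Workstation = $d.WorkstationName
            AuthPackage = $d.AuthenticationPackageName
            LogonProc   = $d.LogonProcessName
            Suspicious  = ($d.IpAddress -notin $TrustedSources)
        }
    }
}

# Most recent first; rows with Suspicious = True come from unexpected sources
$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

The authentication package and logon process columns are reported rather than filtered on, so you can see which mechanism a given Azure AD logon used before deciding what your own baseline of "normal" looks like; the source-address allow-list is the only thing that marks a row suspicious here.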

Abstract

With the evolution of Azure and Pass-through Authentication, many organizations are connecting devices to Azure AD, making authentication and management easier. Azure AD joined devices are connected only to Azure AD and no longer to on-premises AD, which means they no longer support Kerberos or NTLM for domain accounts, raising the question of how attackers can get access to those machines. This talk will cover new research into an authentication mechanism designed to allow authentication between Azure AD joined machines. We will examine and understand the foundation of the new network protocol, present a way (and a tool) to perform a "Pass-The-Certificate" attack, and finally go over an open-source solution that can help you hunt for these attacks. Why go through all this trouble? Because Azure AD joined devices support NTLM only for local accounts (which are not used on AADJ machines), and Kerberos is not available. This means that old-school attacks like Pass-The-Hash or Pass-The-Ticket are mitigated. With the new authentication protocol, we bring these kinds of attacks back to the table.
