AAD Joined Machines - The New Lateral Movement

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes).

With the evolvement of Azure and Pass-Through authentication, many organizations are connecting devices to Azure AD, making authentication and management easier. Azure AD devices can be connected only to Azure AD and no longer to On-Prem AD. Which makes them no longer support Kerberos or NTLM, raising the question of how attackers can get access to those machines.

This talk will cover new research of an authentication mechanism designed to allow authentication between Azure AD joined machines. We will examine and understand the foundation of the new network protocol, present a way (and a tool) to perform "Pass-The-Certificate" attack and finally, we will go over an open-source solution that can help you hunt for attacks.

Why go through all this trouble? Because Azure AD joined devices support NTLM for local accounts (which are not used for AADJ machines), and Kerberos is not available. This means that old school attacks like Pass-The-Hash or Pass-The-Ticket are mitigated. With the new authentication protocol, we bring these kinds of attacks back to the table.


Presenters:

  • Mor Rubin - Senior Security Researcher, Microsoft
    Mor Rubin is a cloud and identity threat researcher at Microsoft, focusing on Active Directory and Azure AD. He has a passion for creating tools to make life easier for researchers and to help make environments more secure. Mor actively publishes open-source tools to advance the state of Azure AD research.

Links:

Similar Presentations: