AAD Joined Machines - The New Lateral Movement

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

With the evolution of Azure AD and Pass-Through Authentication, many organizations are joining devices to Azure AD, which makes authentication and management easier. An Azure AD joined device is connected only to Azure AD and no longer to on-premises AD, so it does not support Kerberos or NTLM domain authentication. This raises the question of how attackers can gain access to those machines.
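The distinction between a pure Azure AD joined (AADJ) machine and a hybrid joined one matters for the rest of this abstract, because only the latter still has an on-premises domain and therefore Kerberos and NTLM. The following PowerShell function, added here as an example and not part of the talk or its tools, classifies a Windows device's join state from the output of the built-in `dsregcmd /status` command. The sample output embedded in the block is constructed for offline testing; on a real machine, call the function with no arguments and it runs `dsregcmd` itself.

```powershell
# Added example (not from the talk): classify a Windows device's join state
# from `dsregcmd /status`. A pure AADJ device reports "AzureAdJoined : YES"
# and "DomainJoined : NO"; a hybrid joined device reports YES for both.

function Get-JoinState {
    param(
        # Lines of `dsregcmd /status` output. The default runs the real tool;
        # pass captured lines to evaluate a saved status dump offline.
        [string[]]$StatusLines = (& dsregcmd /status)
    )

    $fields = @{}
    foreach ($line in $StatusLines) {
        # Status lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'

    $state = if ($aad -and $domain) { 'HybridAzureAdJoined' }
             elseif ($aad)          { 'AzureAdJoined' }
             elseif ($domain)       { 'DomainJoined' }
             else                   { 'Workgroup' }

    [pscustomobject]@{
        JoinState     = $state
        AzureAdJoined = $aad
        DomainJoined  = $domain
        # Pure AADJ devices have no on-prem domain, hence no Kerberos/NTLM
        # domain authentication; hybrid devices still do.
        KerberosNtlmAvailable = $domain
    }
}

# Constructed sample (trimmed to the relevant lines) for offline testing.
$sampleAadj = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`n"

Get-JoinState -StatusLines $sampleAadj
# Expected: JoinState AzureAdJoined, KerberosNtlmAvailable False
```

A result of `AzureAdJoined` with `KerberosNtlmAvailable` false is exactly the case the talk is about: the classic Pass-The-Hash and Pass-The-Ticket paths are gone, and any lateral movement has to go through the Azure AD specific authentication mechanism instead.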

This talk covers new research into the authentication mechanism designed to allow authentication between Azure AD joined machines. We examine the foundation of this network protocol, present a way (and a tool) to perform a "Pass-The-Certificate" attack, and finally walk through an open-source solution that can help you hunt for such attacks.

Why go through all this trouble? Because Azure AD joined devices support NTLM only for local accounts (which are not used to sign in to AADJ machines), and Kerberos is not available at all. This means that old-school attacks like Pass-The-Hash and Pass-The-Ticket are effectively mitigated. With the new authentication protocol, we bring this class of attack back to the table.


Presenters:

  • Mor Rubin - Senior Security Researcher, Microsoft
    Mor Rubin is a cloud and identity threat researcher at Microsoft, focusing on Active Directory and Azure AD. He has a passion for creating tools to make life easier for researchers and to help make environments more secure. Mor actively publishes open-source tools to advance the state of Azure AD research.
