Advanced Active Directory to Entra ID lateral movement techniques

Presented at DEF CON 33 (2025), Aug. 8, 2025, 1 p.m. (45 minutes).

Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much “the cloud” trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud. In this talk, we take a deep dive together into Entra ID and hybrid trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques don’t work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these “features” are documented. Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD. References: - [link](https://dirkjanm.io/assets/raw/Im%20in%20your%20cloud%20bluehat-v1.0.pdf) - [link](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference) - [link](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) - [link](https://www.semperis.com/blog/smtp-matching-abuse-in-azure-ad/)

Presenters:

• Dirk-jan Mollema
  Dirk-jan Mollema is a security researcher focusing on Active Directory and Microsoft Entra (Azure AD) security. In 2022 he started his own company, Outsider Security, where he performs penetration tests and reviews of enterprise networks and cloud environments. He blogs at dirkjanm.io, where he publishes his research, and shares updates on the many open source security tools he has written over the years. He presented previously at TROOPERS, DEF CON, Black Hat and BlueHat, is a current Microsoft MVP and has been awarded as one of Microsoft’s Most Valuable Researchers multiple times.

Similar Presentations:

• DEF CON 33 (2025) / Original Sin of SSO: macOS PRT Cookie Theft & Entra ID Persistence via Device Forgery
• DEF CON 32 (2024) / Laundering Money
• DEF CON 33 (2025) / EntraGoat - A Deliberately Vulnerable Entra ID Environment Demo