Pass-Through Authentication

Hybrid Identity - PTA

• No password hash synchronization of any form to the cloud takes place in PTA, but identity synchronization still takes place.
• Useful for enforcing on-prem password policies, as the authentication is validated on-prem. The communication with the cloud is done by an authentication agent and not by the on-prem DC.
• Only outbound communication (ports 80 and 443) from the authentication agent to Entra ID.

Attacking Azure © Altered Security. All rights reserved.

Hybrid Identity - PTA - Abuse

• The authentication agent communicates with Entra ID on behalf of the on-prem DC. If we can compromise the authentication agent, it is possible to verify authentications for ANY synced user even if the password is wrong!
• That is, you just need a valid userPrincipalName and can use any password with it! A skeleton key attack for Entra ID!
• On the other hand, if we can compromise a Global Administrator, we can install an authentication agent in our own infrastructure that will authorize all login attempts.

Lateral Movement - PTA - On-Prem to Cloud

• Once we have admin access to an Entra ID Connect server running the PTA agent, run the following command from AADInternals to insert a backdoor (needs to be run as Administrator and needs VC++):

Install-AADIntPTASpy

• Once the backdoor is installed, we can authenticate as any user synced from on-prem without knowing the correct password!
• Also, it is possible to see the correct password of on-prem users authenticating to the cloud using the below command on the machine where the backdoor is installed:

Get-AADIntPTASpyLog -DecodePasswords

• The DLL used for injection and the captured passwords are stored, by default, in a hidden directory C:\PTASpy

Lateral Movement - PTA - Cloud to On-Prem

• We can register a new PTA agent after getting GA privileges by setting it up on an attacker-controlled machine. Once the agent is set up, we can repeat the previous steps (Install-AADIntPTASpy, then Get-AADIntPTASpyLog -DecodePasswords) to authenticate using any password and also get the passwords in clear text.
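A defender-side check for the two artifacts these slides describe (the hidden C:\PTASpy directory and a DLL injected into the authentication agent process), added here as an example; it is not part of the Altered Security course material or of AADInternals. The agent process name AzureADConnectAuthenticationAgentService and the default path are assumptions and should be adjusted to the deployment.

```powershell
# Added example: check a PTA agent host for PTASpy-style artifacts.
# Run in an elevated session on the Entra ID Connect / PTA agent server.
$spyDir = 'C:\PTASpy'                                         # default path from the slides
$agentProcessName = 'AzureADConnectAuthenticationAgentService' # assumed PTA agent process name

function Test-PTASpyArtifacts {
    $findings = @()

    # 1. Hidden directory where the injected DLL and captured passwords are written by default.
    #    -Force is required so Get-Item/Get-ChildItem return hidden items.
    $dir = Get-Item -LiteralPath $spyDir -Force -ErrorAction SilentlyContinue
    if ($dir) {
        $findings += "Directory $spyDir exists (attributes: $($dir.Attributes))"
        Get-ChildItem -LiteralPath $spyDir -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $findings += "  file: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }
    }

    # 2. Modules loaded into the authentication agent from outside its install directory
    #    and outside the Windows directory. An injected DLL shows up here even if the
    #    on-disk directory was renamed or cleaned up.
    Get-Process -Name $agentProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $installDir = Split-Path -Parent $proc.Path
        $proc.Modules | Where-Object {
            $_.FileName -and
            -not $_.FileName.StartsWith($installDir, 'OrdinalIgnoreCase') -and
            -not $_.FileName.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
        } | ForEach-Object {
            $findings += "PID $($proc.Id): module outside install/system dirs: $($_.FileName)"
        }
    }
    if (-not (Get-Process -Name $agentProcessName -ErrorAction SilentlyContinue)) {
        $findings += "Process $agentProcessName not running; module check skipped"
    }
    return $findings
}

$result = Test-PTASpyArtifacts
if ($result.Count -eq 0) {
    Write-Output 'No PTASpy artifacts found'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

Enumerating another process's modules requires an elevated session of the same bitness as the agent; a 32-bit PowerShell host cannot read a 64-bit process's module list.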
