Beyond On-Premises: Exploring the Post-Domain Admin Landscape in the Cloud
05-26, 13:20–14:00 (Europe/Stockholm), Main stage

Organizations are increasingly relying on Azure cloud services, which integrate natively with Microsoft's on-premises products. After obtaining Domain Admin privileges, it is essential to keep looking for attack paths that escalate privileges further or that demonstrate the maximum impact of the compromise; one such path is escalating into Azure services. This talk demonstrates attack paths for obtaining Global Administrator privileges on Azure AD starting from Domain Admin privileges on the on-premises network. Because multiple domains can be registered under a single tenant, an adversary who obtains Global Administrator privileges on Azure can gain administrative access over all of these domains.


This presentation provides an overview of how privileges can be escalated to Azure services, specifically how Global Administrator privileges on Azure AD can be obtained from Domain Admin privileges on an on-premises network. It introduces Azure services and Azure Active Directory, including the differences between on-premises Active Directory and Azure Active Directory environments and the concept of Hybrid Identity. It also covers the three authentication methods supported for Hybrid Identity Management in enterprises: Password Hash Synchronization (PHS), Pass-Through Authentication (PTA), and Active Directory Federation Services (AD FS).

The presentation goes on to explain techniques for unauthenticated and authenticated enumeration of Azure tenants and for gathering critical information such as the configuration of the on-premises server on which the Azure AD Connect service is running, the lists of cloud-only users and synced users, and the list of Global Administrators. It also covers enumerating ACLs based on current privileges, exploring paths to Azure Key Vault, and identifying users who have control over Azure services or hold special permissions on Azure groups and users.

The presentation then delves into the attack paths and vectors for privilege escalation to Azure, including Pass-Through Authentication (PTA), Seamless Single Sign-On, and Active Directory Federation Services. It covers techniques for identifying and targeting the server on which the Azure AD Connect service is running, extracting the credentials of service accounts that hold Domain Admin privileges, and obtaining Global Administrator privileges in the Azure tenant. Additionally, it covers bypassing MFA and other controls implemented on Azure AD and on-premises servers.

Takeaways:

  • Participants will gain hands-on experience in abusing the configuration and servers present in the network to gain access to Azure services.
  • The talk will also help participants explore tactics used in the lateral movement and privilege escalation phases of the cyber kill chain.
  • Participants will also be given access to our exploitation toolkit, which detects and exploits the misconfigurations used to escalate privileges from on-premises to Azure AD.

Sriraam Natarajan from India is an ardent information security practitioner with more than 3 years of specialized experience in red teaming, adversary simulation, penetration testing, and web application security. He enjoys conducting red teaming exercises and researching new attack vectors, exploits, and evasion techniques. He has also spoken at the LeHack conference. He writes Python and Rust to automate the boring stuff. He is currently working as a Security Analyst at Cyber Security Works and holds the Certified Red Team Professional certification.

Venkatraman Kumar is a seasoned security researcher, red teamer, and conference speaker with over 5 years of industry experience in information security and programming. His main areas of expertise include network penetration testing, red teaming exercises, adversary simulation, and Active Directory attacks. He has presented at notable security conferences such as LeHack, BSides, and the Diana Initiative. In addition to his professional pursuits, he is an avid problem solver, constantly engaged in solving CTFs and Hack The Box labs and conducting independent research. He is also the author of the popular resource https://www.thehackersprint.com/. Currently, he works as a Security Analyst at Cyber Security Works.