Black Hat Presentation Highlights Lateral Movement Techniques from Compromised On-Premises Active Directory to Microsoft Entra ID

The Black Hat presentation covers techniques for moving laterally from a compromised on-premises Active Directory (AD) environment into Microsoft Entra ID (formerly Azure AD). The speaker, Dian from Outsider Security, details hybrid attacks that exploit configurations such as ADFS, Seamless Single Sign-On (SSO), and Entra ID Connect. Known methods include stealing ADFS token-signing keys or the Kerberos keys used by Seamless SSO, which allows an attacker to impersonate hybrid users.

A soft matching weakness (fixed in 2019 for active administrators, but not for eligible admins under PIM) enables the conversion of cloud-only accounts into hybrid accounts. The AD Connect Dump tool extracts synchronization credentials, including certificates stored in a TPM, bypassing the protections meant to keep them from being exported.

The speaker reveals that the Entra ID Connect synchronization account could modify tenant policies through the graph.windows.net API (version 1.61-internal), including authentication policies, password reset policies, and external authentication. These permissions were restricted in December 2023.

Exchange Hybrid shares a service principal with Exchange Online, which grants it Global Admin privileges. By exploiting service-to-service tokens (valid for 24 hours and non-revocable), an attacker can impersonate any user to access Exchange, SharePoint, or even Entra ID itself via graph.windows.net. Microsoft fixed this vulnerability in April 2024 (no CVE was specified) and mandates the separation of the service principals by October 2025.

Detection of these attacks is limited, since they generate few or no logs.