{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
{% endhint %}
Integration between On-premises Active Directory (AD) and Azure AD is facilitated by Azure AD Connect, offering various methods that support Single Sign-on (SSO). Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments:
- Pass-Through Authentication (PTA):
  - Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud).
  - Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem).
  {% content-ref url="pta-pass-through-authentication.md" %} pta-pass-through-authentication.md {% endcontent-ref %}
- Password Hash Sync (PHS):
  - Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user.
  {% content-ref url="phs-password-hash-sync.md" %} phs-password-hash-sync.md {% endcontent-ref %}
- Federation:
  - Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities.
  {% content-ref url="federation.md" %} federation.md {% endcontent-ref %}
- Seamless SSO:
  - Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user.
  {% content-ref url="seamless-sso.md" %} seamless-sso.md {% endcontent-ref %}
- Cloud Kerberos Trust:
  - Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD.
  {% content-ref url="az-cloud-kerberos-trust.md" %} az-cloud-kerberos-trust.md {% endcontent-ref %}
- Default Applications:
  - Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files.
  {% content-ref url="az-default-applications.md" %} az-default-applications.md {% endcontent-ref %}
For each integration method, user synchronization is conducted, and an `MSOL_<installationidentifier>` account is created in the on-prem AD. Notably, both PHS and PTA methods facilitate Seamless SSO, enabling automatic sign-in for Azure AD computers joined to the on-prem domain.
To verify the installation of Azure AD Connect, the following PowerShell command, utilizing the AzureADConnectHealthSync module (installed by default with Azure AD Connect), can be used:

```powershell
Get-ADSyncConnector
```
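As an added defender-side example (not from the original page), the script below runs on the Azure AD Connect server and inventories the surfaces listed above: the sync connectors, whether PHS is on, the `MSOL_*` sync accounts, and the age of the `AZUREADSSOACC` Kerberos key. It assumes the ADSync and ActiveDirectory modules are present and that `Get-ADSyncAADCompanyFeature` (assumed ADSync cmdlet) exposes a `PasswordHashSync` flag.

```powershell
# Hybrid-identity attack-surface audit (added example, not HackTricks' own code).
# Assumes: run on the Azure AD Connect host with read access to on-prem AD.
Import-Module ADSync -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Connectors: an AD connector plus an AAD connector confirms this host is the sync server.
foreach ($c in Get-ADSyncConnector) {
    $findings.Add("Connector present: $($c.Name)")
}

# 2. PHS state: when enabled, password hashes of every synced user leave the forest,
#    so the sync account and this host deserve Tier-0 protection.
$features = Get-ADSyncAADCompanyFeature   # assumed cmdlet from the ADSync module
$findings.Add("PasswordHashSync enabled: $($features.PasswordHashSync)")

# 3. MSOL_* accounts: one per installation; they hold directory replication rights.
#    More than one, or a disabled/stale one, points at an orphaned installation.
Get-ADUser -Filter 'SamAccountName -like "MSOL_*"' -Properties Enabled, PasswordLastSet |
    ForEach-Object {
        $findings.Add("Sync account $($_.SamAccountName): enabled=$($_.Enabled), pwdLastSet=$($_.PasswordLastSet)")
    }

# 4. Seamless SSO: the AZUREADSSOACC computer account's key signs Kerberos tickets.
#    Microsoft recommends rolling this key at least every 30 days.
$sso = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Properties PasswordLastSet
if ($sso) {
    $ageDays = [int]((Get-Date) - $sso.PasswordLastSet).TotalDays
    $state = if ($ageDays -gt 30) { 'STALE - rotate the key' } else { 'ok' }
    $findings.Add("AZUREADSSOACC key age: $ageDays days ($state)")
} else {
    $findings.Add("AZUREADSSOACC absent: Seamless SSO is not enabled in this domain")
}

$findings
```

Feed the output into the same alerting you use for Domain Admin changes: a new `MSOL_*` account or a fresh `AZUREADSSOACC` password reset outside a planned rollover is worth an investigation.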