As enterprises shift from on-premises to cloud systems, hybrid cloud solutions have become essential for optimizing performance, scalability, and ease of use. However, risk arises when a poorly configured on-premises environment is connected to the cloud: a compromised Microsoft Active Directory can lead to full compromise of a synchronized Microsoft Entra ID tenant, undermining the integrity of, and trust in, every connected service.
Researchers at Horizon3.ai recently published a detailed analysis of how on-premises misconfigurations in hybrid Microsoft environments can be exploited by attackers using well-documented techniques. In this case, the attack chain leads to full compromise of the Entra ID tenant. In complex enterprise environments, such misconfigurations are all too common, so it is critical for security teams to understand the tactics attackers use and the strategies that close these gaps. Here we take a closer look at the attack chain and offer some additional mitigation strategies.
| Step | MITRE ATT&CK Technique(s) | Attack Chain Step |
| --- | --- | --- |
| 1 | T1557.001 | NBT-NS traffic from Host 1 is poisoned to relay a NetNTLM credential to Host 2, an SMB server that does not require signing. |
| 2 | T1003.002, T1078.003 | A SAM database dump on Host 2 exposes a local administrator credential that is reused on Host 3 and Host 4. |
| 3 | T1003.001, T1078.002, T1078.003, T1219 | The shared local administrator credential is used to run a remote access trojan (RAT) on Host 3 and perform an LSASS dump, discovering a domain administrator credential (HOST3$). |
| 4 | T1003.004, T1078.002, T1078.003 | The shared local administrator credential is used to remotely dump LSA secrets on Host 4, revealing another domain administrator credential (Admin2). |
| 5 | T1087.004, T1003 | Admin2's credentials are used to query AD, determining that the domain uses Entra Connect; credential dumping techniques are then used to harvest the cloud credential used by Entra Connect. |
| 6 | T1003.003, T1558 | HOST3$'s credentials are used to perform an NTDS dump on another Domain Controller (DC2), discovering the credential used to sign Kerberos tickets for Azure cloud services when Seamless SSO is enabled. |
| 7 | T1528 | The Entra Connect credential is used to log into the Entra tenant. A refresh token is obtained for easier long-term access. |
| 8 | T1087 | Analysis of AzureHound data reveals an on-premises user (EntraAdmin) who is a Global Administrator within the Entra tenant. |
| 9 | T1558.002 | A silver ticket attack is used to forge a Kerberos service ticket for EntraAdmin. |
| 10 | T1098 | Access is granted to the Microsoft Graph cloud service with Global Administrator privileges, without any prompt for MFA. |
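Step 1 of the chain depends on three on-premises conditions that a defender can audit host by host: LLMNR/NBT-NS name resolution is answered (so traffic can be poisoned), and SMB signing is not required on the server or client side (so the captured NetNTLM credential can be relayed). The following PowerShell script is an added example, not code from Horizon3.ai or from the NodeZero tool; it reports those conditions on the local Windows host and, with `-Remediate`, enforces the hardened settings. It assumes a Windows Server 2012 R2 or later host with the SmbShare module and is run from an elevated session.

```powershell
# Added example: audit (and optionally fix) the conditions behind step 1 of the
# attack chain on the local host: SMB signing not required, LLMNR enabled,
# NetBIOS over TCP/IP enabled. Run elevated. Assumes the SmbShare module.
[CmdletBinding()]
param(
    [switch]$Remediate   # omit for a read-only audit
)

$findings = @()

# 1. SMB signing: a relayed NetNTLM credential only works against an SMB
#    endpoint that does not require signing, so require it on both sides.
$srv = Get-SmbServerConfiguration
if (-not $srv.RequireSecuritySignature) {
    $findings += 'SMB server does not require signing (RequireSecuritySignature = False)'
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}
$cli = Get-SmbClientConfiguration
if (-not $cli.RequireSecuritySignature) {
    $findings += 'SMB client does not require signing (RequireSecuritySignature = False)'
    if ($Remediate) { Set-SmbClientConfiguration -RequireSecuritySignature $true -Force }
}

# 2. LLMNR: poisoning relies on hosts answering multicast name resolution.
#    Policy value EnableMulticast = 0 disables it (same key Group Policy writes).
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnr -ne 0) {
    $findings += 'LLMNR is enabled (EnableMulticast is not 0)'
    if ($Remediate) {
        New-Item -Path $llmnrKey -Force | Out-Null
        Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 3. NetBIOS over TCP/IP (NBT-NS) is configured per adapter; option 2 = disabled.
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    if ($a.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP enabled on adapter '$($a.Description)'"
        if ($Remediate) {
            Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
        }
    }
}

if ($findings.Count -eq 0) {
    'No findings: host is hardened against NBT-NS/LLMNR poisoning and SMB relay.'
} else {
    $findings | ForEach-Object { "[FINDING] $_" }
    if (-not $Remediate) { 'Re-run with -Remediate to apply the hardened settings.' }
}
```

Run it once without `-Remediate` across a representative set of servers to see how widespread the relay conditions are; the SMB signing changes take effect for new sessions, while the NetBIOS change applies per adapter and the LLMNR policy value is read by the DNS client service on its next name lookup. Disabling LLMNR and NBT-NS assumes that DNS resolves every name the host needs, which is worth confirming before rolling the change out fleet-wide.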
Fortunately, this exercise was carried out by white-hat penetration testers. The researchers at Horizon3.ai noted that, with no prior knowledge of the company's environment, it took the NodeZero tool only an hour to compromise the on-premises AD domain, and the associated Entra ID tenant was compromised in less than two hours.
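Steps 6 and 9 of the chain hinge on the Seamless SSO Kerberos decryption key recovered from NTDS: once an attacker holds it, a forged service ticket for any synchronized user is accepted until the key changes. Microsoft's documented guidance is to roll that key over at least every 30 days; it is stored as the password of the AZUREADSSOACC computer account (Microsoft's name for it; the Horizon3.ai write-up does not name the account). The following PowerShell script is an added example, not part of the original analysis or of Entra Connect itself: it checks the age of that password and, with `-Rollover`, runs the documented rollover procedure using the AzureADSSO module that Entra Connect installs. It assumes it is run by a domain administrator on the Entra Connect server, at the default installation path, and that a Hybrid Identity Administrator credential for the tenant is entered when prompted.

```powershell
# Added example: report the age of the Seamless SSO Kerberos decryption key
# (the AZUREADSSOACC computer account password) and optionally roll it over.
# Assumptions: run as a domain admin on the Entra Connect server; the
# AzureADSSO module lives at the default install path below.
[CmdletBinding()]
param(
    [int]$MaxKeyAgeDays = 30,   # Microsoft's recommended maximum rollover interval
    [switch]$Rollover           # omit to audit only
)

Import-Module ActiveDirectory

$acc = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet -ErrorAction Stop
$ageDays = [int]((Get-Date) - $acc.PasswordLastSet).TotalDays
"AZUREADSSOACC password last set: $($acc.PasswordLastSet) ($ageDays days ago)"

if ($ageDays -le $MaxKeyAgeDays) {
    "Key age is within the $MaxKeyAgeDays-day limit; nothing to do."
    return
}

"[FINDING] Seamless SSO decryption key is older than $MaxKeyAgeDays days."
if (-not $Rollover) {
    'Re-run with -Rollover to rotate it.'
    return
}

# Rollover: the documented procedure replaces the key in both AD and the tenant,
# so a service ticket forged from a previously dumped key stops being accepted.
$ssoModule = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'
Import-Module $ssoModule -ErrorAction Stop

# Prompts for a Hybrid Identity Administrator account in the Entra tenant.
New-AzureADSSOAuthenticationContext

# Domain administrator credentials for the on-premises forest (DOMAIN\user form).
$onPremCreds = Get-Credential -Message 'On-premises domain administrator for the forest'
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# PasswordLastSet on the queried DC may lag until AD replication completes.
$after = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
"Rollover complete. New PasswordLastSet: $($after.PasswordLastSet)"
```

The audit half is safe to schedule anywhere a domain-joined host can read the computer object; the rollover half must run on the Entra Connect server because that is where the AzureADSSO module ships. A key older than the rollover interval does not prove compromise, but after an NTDS dump of the kind seen in step 6 the rollover is the action that actually evicts the attacker from the SSO path.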
The team at Horizon3.ai included a set of solid initial mitigation recommendations. These include:
In addition to those, we recommend specific strategies to close common security gaps in Microsoft Entra ID environments.
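Step 10 ends with Global Administrator access to Microsoft Graph and no MFA prompt. One of the gaps that allows that is the absence of a Conditional Access policy that binds the privileged role to a strong-authentication requirement regardless of how the sign-in was obtained. The following PowerShell script is an added example, not a recommendation quoted from Horizon3.ai, of creating such a policy with the Microsoft Graph PowerShell SDK. It starts the policy in report-only mode so sign-in logs can be reviewed before enforcement, and it assumes the SDK is installed, the account running it can consent to the listed scopes, and the placeholder object ID of a break-glass account (which Microsoft's guidance says should be excluded) is replaced before the call.

```powershell
# Added example: create a Conditional Access policy requiring MFA for every
# sign-in by a Global Administrator to any cloud app. Starts in report-only
# mode. Assumes the Microsoft.Graph PowerShell SDK; replace the placeholder
# break-glass object ID before running.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known directory role template ID for Global Administrator.
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'

# Placeholder (hypothetical value): object ID of the emergency-access account to
# exclude so a policy misconfiguration cannot lock every admin out.
$breakGlassObjectId = 'REPLACE-WITH-OBJECT-ID-OF-BREAK-GLASS-ACCOUNT'

$policy = @{
    displayName = 'Require MFA for Global Administrators (hybrid hardening)'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing report-only results
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRoleId)
            excludeUsers = @($breakGlassObjectId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state '$($created.State)'"

# Verify: list every policy that targets the Global Administrator role, so a
# reviewer can confirm the requirement exists and see which state it is in.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.IncludeRoles -contains $globalAdminRoleId } |
    Select-Object DisplayName, State
```

Leave the policy in report-only mode long enough to see which Global Administrator sign-ins would have been blocked, then flip `state` to `enabled`. Pairing this with the same requirement for the other privileged roles (for example Privileged Role Administrator) closes the same gap for the accounts an attacker would pivot to next.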