Blog: Passwordless & Identity Security Insights | HYPR

Key Takeaways From Horizon3.ai’s Analysis of an Entra ID Compromise

Written by Martin Gallo, Sr. Product Manager, HYPR | Jun 18, 2024 12:59:27 AM

As enterprises shift from on-premises to cloud systems, hybrid cloud solutions have become essential for optimizing performance, scalability, and user ease. However, risks arise when poorly configured environments connect to the cloud. A compromised Microsoft Active Directory can fully compromise a synchronized Microsoft Entra ID tenant, undermining the integrity and trust of connected services.

Researchers at Horizon3.ai recently published a fascinating analysis on how on-premise misconfigurations in hybrid Microsoft environments can be exploited by attackers using well-documented techniques. In this case, the attack chain can lead to full compromise of the Entra Tenant. In complex enterprise environments, such misconfigurations are all too common. It’s critical for security teams to understand the tactics attackers use and strategies to close these points of vulnerability. Here we take a closer look at the attack chain and offer some additional mitigation strategies.

The Attack Chain

Using the NodeZero™ tool:

 

 

MITRE ATT&CK Technique(s)

Attack Chain Step

1

T1557.001

NBT-NS traffic from Host 1 is poisoned to relay a netNTLM credential to Host 2 — an SMB server that doesn’t require signing.

2

T1003.002, T1078.003

Host 2 SAM database dump exposes a local administrator credential that is reused on Host 3 and Host 4.

3

T1003.001, T1078.002, T1078.003, T1219

Shared local admin credential is used to run a remote access trojan (RAT) on Host 3 and perform an LSASS dump, discovering a domain administrator credential (HOST3$).

4

T1003.004, T1078.002, T1078.003

Shared local administrator credential is used to remotely dump LSA on Host 4, revealing another domain administrator credential (Admin2).

5

T1087.004, T1003

Admin2’s credentials used to query AD, determining that the domain uses Entra Connect; credential dumping techniques used to harvest the cloud credential for Entra Connect.

6

T1003.003, T1558

HOST3$’s credentials used to perform an NTDS dump on another Domain Controller (DC2), discovering the credential utilized to sign Kerberos tickets for Azure cloud services when Seamless SSO is enabled.

7

T1528

Entra Connect credential used to log into Entra tenant. Refresh token obtained for easier long-term access.

8

T1087

Analysis of AzureHound data reveals on-premise user Global Administrator (EntraAdmin) within the Entra Tenant.

9

T1558.002

Silver ticket attack used to forge Kerberos Service Ticket for Entra Admin.

10

T1098

Access granted to the Microsoft Graph cloud service, without being prompted for MFA, with Global Administrator privileges.

 

Fortunately, this hacking exercise was carried out by white hat pentesters. The researchers at Horizon3.ai noted that, with absolutely no prior knowledge of the company’s environment, it took the NodeZero tool only an hour to compromise the on-premises AD domain, and the associated Entra ID tenant was compromised in less than two hours.

Prevention Strategies

The team at Horizon3.ai included a set of solid initial mitigation recommendations. These include:

  • Prevent NTLM Relay: Disabling NBT-NS and enforcing SMB Signing would have prevented the initial access technique used, although other vectors can be used for initial domain access. 
  • Use LAPS: Reuse of credentials for Local Administrators enabled key lateral movements that lead to the discovery of Domain Administrator credentials. 
  • Treat Entra Connect as a Tier-0 Resource: Install Entra Connect on a non-DC server (with LAPS enabled) and adequately protected with an EDR solution.  
  • Do not Use On-Premises Accounts for Entra Administrator Roles: Microsoft recommends limiting the number of Entra Administrators and their level of privilege.  

Further Critical Recommendations

In addition to those, we recommend specific strategies to close common security gaps in Microsoft Entra ID environments.

  • Use HYPR as a complement to LAPS to ensure administrators access their devices and systems using a phishing-resistant authentication method.
  • Review and revise your PAM (Privileged Access Management) program. The Static Domain Admin password should be rotated after it is used / checked out. You should also reduce the viability of the Domain Admin Credential in Cache.
  • Use secure passwordless SSO methods such as HYPRspeed that don’t rely on shared secrets and instead leverage public key cryptography.
  • Enforce the use of phishing-resistant passwordless MFA methods, such as HYPR, for privileged Entra users access.
  • Begin migration to Entra ID from legacy on-prem technology. While not a small project, it will reduce the threat model of older protocols that rely on hash/passwords.