As enterprises shift from on-premises to cloud systems, hybrid cloud solutions have become essential for performance, scalability, and user experience. Risks arise, however, when a poorly configured on-premises environment is connected to the cloud: a compromised Microsoft Active Directory can fully compromise the Microsoft Entra ID tenant it synchronizes with, undermining the integrity of, and trust in, every connected service.
Researchers at Horizon3.ai recently published a detailed analysis of how on-premises misconfigurations in hybrid Microsoft environments can be exploited with well-documented techniques. In their case the attack chain led to full compromise of the Entra ID tenant. In complex enterprise environments such misconfigurations are all too common, so security teams need to understand both the tactics attackers use and the controls that close these gaps. Here we take a closer look at the attack chain and offer some additional mitigation strategies.
The Attack Chain
The chain the researchers executed with the NodeZero™ tool:

| Attack Chain Step | MITRE ATT&CK Technique(s) | Description |
|---|---|---|
| 1 | T1557.001 | NBT-NS traffic from Host 1 is poisoned to relay a NetNTLM credential to Host 2, an SMB server that does not require signing. |
| 2 | T1003.002, T1078.003 | A SAM database dump on Host 2 exposes a local administrator credential that is reused on Host 3 and Host 4. |
| 3 | T1003.001, T1078.002, T1078.003, T1219 | The shared local administrator credential is used to run a remote access trojan (RAT) on Host 3 and dump LSASS, yielding a domain administrator credential (HOST3$). |
| 4 | T1003.004, T1078.002, T1078.003 | The shared local administrator credential is used to remotely dump LSA secrets on Host 4, revealing another domain administrator credential (Admin2). |
| 5 | T1087.004, T1003 | Admin2's credentials are used to query AD and determine that the domain uses Entra Connect; credential dumping techniques then harvest the cloud credential used by Entra Connect. |
| 6 | T1003.003, T1558 | HOST3$'s credentials are used to dump NTDS from another domain controller (DC2), recovering the Kerberos key used to issue service tickets for Azure cloud services when Seamless SSO is enabled (the key of the AZUREADSSOACC computer account). |
| 7 | T1528 | The Entra Connect credential is used to log into the Entra tenant; a refresh token is obtained for easier long-term access. |
| 8 | T1087 | Analysis of AzureHound data reveals a synchronized on-premises user (EntraAdmin) holding the Global Administrator role in the Entra tenant. |
| 9 | T1558.002 | A silver ticket attack forges a Kerberos service ticket for EntraAdmin with the Seamless SSO key recovered in step 6. |
| 10 | T1098 | The forged ticket grants access to the Microsoft Graph cloud service with Global Administrator privileges, with no MFA prompt. |
Fortunately, this exercise was carried out by authorized pentesters. Horizon3.ai noted that, starting with no prior knowledge of the company's environment, NodeZero compromised the on-premises AD domain in about an hour, and the associated Entra ID tenant in under two hours.
Prevention Strategies
The team at Horizon3.ai included a set of solid initial mitigation recommendations. These include:
- Prevent NTLM relay: disabling NBT-NS (and its sibling, LLMNR) and requiring SMB signing would have blocked the initial access technique used here, although other vectors can still yield an initial domain foothold.
- Use LAPS: reuse of a shared local administrator password enabled the lateral movement that led to the discovery of domain administrator credentials. LAPS gives every host a unique, automatically rotated local administrator password, so one SAM dump no longer opens the next host.
- Treat Entra Connect as a Tier-0 resource: install Entra Connect on a dedicated non-DC server, cover that server with LAPS, and protect it with an EDR solution. Its on-premises sync account holds directory replication rights, so compromising the host is equivalent to compromising the domain.
- Do not use on-premises accounts for Entra administrator roles: Microsoft recommends assigning privileged Entra roles only to cloud-only accounts, and limiting both the number of administrators and their level of privilege. A synchronized administrator, as in step 8 above, turns an on-premises compromise into a tenant compromise.
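The following PowerShell audit script is an added example for this post, not Horizon3.ai's or HYPR's tooling. It checks each of the four mitigations above against a live domain and adds a check on the age of the Seamless SSO Kerberos key that steps 6 and 9 of the chain depend on. It assumes the RSAT ActiveDirectory module, the Windows LAPS schema extension, the default description text of the MSOL_ sync account (used to locate the Entra Connect host), and, optionally, the Microsoft.Graph module for the cloud-only administrator check; the cmdlets, registry paths and attribute names are Microsoft's, while the check names and fix text are illustrative.

```powershell
#Requires -Modules ActiveDirectory
# Hybrid AD / Entra ID posture audit mapped to the attack chain above.
# Added example for this post, not Horizon3.ai's or HYPR's tooling.
# Assumptions: run as a domain admin on a domain-joined host with RSAT;
# Windows LAPS schema extension present; Microsoft.Graph module optional.

function Test-NameResolutionPoisoning {
    # Step 1: NBT-NS poisoning needs NetBIOS over TCP/IP answering on an
    # interface; LLMNR is the sibling vector under the same technique.
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True') {
        # TcpipNetbiosOptions: 0 = from DHCP, 1 = enabled, 2 = disabled
        [pscustomobject]@{
            Check = "NetBIOS over TCP/IP disabled on $($nic.Description)"
            Pass  = ($nic.TcpipNetbiosOptions -eq 2)
            Fix   = 'Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{TcpipNetbiosOptions = 2}'
        }
    }
    $dnsPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'LLMNR disabled (DNSClient\EnableMulticast = 0)'
        Pass  = ($dnsPol.EnableMulticast -eq 0)
        Fix   = 'GPO: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution = Enabled'
    }
}

function Test-SmbSigning {
    # Step 1 relays the captured NetNTLM hash to an SMB server that does not
    # require signing. Require it on the server and the client side.
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{ Check = 'SMB server requires signing'; Pass = $srv.RequireSecuritySignature; Fix = 'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force' }
    [pscustomobject]@{ Check = 'SMB client requires signing'; Pass = $cli.RequireSecuritySignature; Fix = 'Set-SmbClientConfiguration -RequireSecuritySignature $true -Force' }
}

function Test-LapsCoverage {
    # Steps 2-4: one shared local admin password carried the attacker across
    # Hosts 2, 3 and 4. Under Windows LAPS every managed computer has a populated
    # password-expiration attribute; legacy LAPS uses 'ms-Mcs-AdmPwdExpirationTime'.
    $attr = 'msLAPS-PasswordExpirationTime'
    $computers = @(Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' -Properties $attr)
    $unmanaged = @($computers | Where-Object { -not $_.$attr })
    [pscustomobject]@{
        Check = "LAPS manages all $($computers.Count) Windows computers"
        Pass  = ($unmanaged.Count -eq 0)
        Fix   = "Deploy LAPS policy to: $($unmanaged.Name -join ', ')"
    }
}

function Test-EntraConnectPlacement {
    # Step 5: Entra Connect holds the cloud sync credential and its MSOL_ AD
    # account has replication (DCSync) rights, so the host is Tier-0 and must
    # not be a DC. The default MSOL_ description names the host (assumed format).
    $dcs  = @((Get-ADDomainController -Filter *).Name)
    foreach ($acct in Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description) {
        $server = if ($acct.Description -match 'running on computer (\S+)') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{
            Check = "Entra Connect host $server ($($acct.SamAccountName)) is not a DC"
            Pass  = ($server -ne 'unknown' -and $dcs -notcontains $server)
            Fix   = 'Reinstall Entra Connect on a dedicated, LAPS-covered member server with EDR; keep the ADSync service off DCs'
        }
    }
}

function Test-SeamlessSsoKeyAge {
    # Steps 6 and 9: the AZUREADSSOACC computer account's Kerberos key is what
    # a silver ticket for Seamless SSO is forged with. Microsoft recommends
    # rolling it at least every 30 days with Update-AzureADSSOForest.
    $sso = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Properties PasswordLastSet
    if ($sso) {
        $age = (New-TimeSpan -Start $sso.PasswordLastSet -End (Get-Date)).Days
        [pscustomobject]@{
            Check = "AZUREADSSOACC key rolled within 30 days (current age $age days)"
            Pass  = ($age -le 30)
            Fix   = 'Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"; New-AzureADSSOAuthenticationContext; Update-AzureADSSOForest'
        }
    }
}

function Test-CloudOnlyGlobalAdmins {
    # Step 8: a synchronized on-prem user holding Global Administrator is the
    # pivot from AD into the tenant. Privileged roles should be cloud-only.
    Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, OnPremisesSyncEnabled -ErrorAction SilentlyContinue
        if ($u) {
            [pscustomobject]@{
                Check = "Global Administrator $($u.UserPrincipalName) is cloud-only"
                Pass  = (-not $u.OnPremisesSyncEnabled)
                Fix   = 'Replace with a cloud-only account protected by phishing-resistant MFA'
            }
        }
    }
}

$results = @()
$results += Test-NameResolutionPoisoning
$results += Test-SmbSigning
$results += Test-LapsCoverage
$results += Test-EntraConnectPlacement
$results += Test-SeamlessSsoKeyAge
if ((Get-Module -ListAvailable Microsoft.Graph.Identity.DirectoryManagement) -and (Get-Module -ListAvailable Microsoft.Graph.Users)) {
    $results += Test-CloudOnlyGlobalAdmins
}
$results | Format-Table Check, Pass, Fix -AutoSize -Wrap
```

The name-resolution and SMB checks only describe the host the script runs on, so push them out through your configuration-management or GPO reporting to cover the fleet; the LAPS, Entra Connect, Seamless SSO and Global Administrator checks are domain- or tenant-wide. Every failed row corresponds to a specific step of the chain above, which makes the output a useful way to show stakeholders which link the attacker would still have available.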
Further Critical Recommendations
In addition to those, we recommend specific strategies to close common security gaps in Microsoft Entra ID environments.
- Use HYPR as a complement to LAPS so that administrators access their devices and systems with a phishing-resistant authentication method.
- Review and revise your PAM (Privileged Access Management) program. A static domain administrator password should be rotated after each use or check-out, and the time a domain administrator credential remains usable in a host's cache should be minimized.
- Use secure passwordless SSO methods such as HYPRspeed that do not rely on shared secrets and instead leverage public key cryptography.
- Enforce phishing-resistant passwordless MFA, such as HYPR, for privileged Entra user access.
- Begin migrating from legacy on-premises technology to Entra ID. This is not a small project, but it reduces exposure to older protocols that rely on passwords and password hashes.
*** This is a Security Bloggers Network syndicated blog from HYPR Blog authored by Martin Gallo, Sr. Product Manager, HYPR. Read the original post at: https://blog.hypr.com/key-takeaways-from-the-entra-id-tenant-compromise