Hello, and welcome to the From On-Prem to the Cloud session. My name is Sergi, and I will be presenting during the next 45 minutes. What is this session all about? In this session, I'm going to show you how you may get access to the cloud AD, Microsoft's cloud AD, when you have some sort of access, some level of access, on-premises. So that's going to be the path from on-prem AD to the cloud AD. And this session will be based on live demos, so you will not see a lot of slides here. Most of the time, I'm going to show you how to do it live. Before I start to show you this, let me say a few words about myself. My name is Sergi, once again. I'm a pentester, an instructor and a conference speaker, because I speak at different conferences, like conferences from Microsoft, Headquarter, Global Azure, Security BSides, Wild West Hackin' Fest, Here and Adversary Village, and so on. And if you want to contact me after this session, if you want to ask me something, or you want to see what other sessions I have and you want to watch them, here's the LinkedIn. Usually, I announce my other talks there. I have a number of certifications and awards; you can see some of them listed. But I hope your goal is not to listen about me for the whole session. So let me jump to the agenda and let's start our content. All right, so what are we going to cover here? In this session, I'm going to show you first what Azure AD Connect is and how it may be compromised. So that's the classic way to integrate on-prem AD with the cloud, Azure AD Connect, and how it may be compromised, what may be the bad configuration. Then I'm going to show you a new offering from Microsoft, which is Azure AD Connect cloud sync, and we will see how that may be compromised as well. Then we will bypass MFA and the authentication prompt and start to enumerate the cloud. But for enumeration, I must also bypass AMSI. And finally, we're going to quickly talk about what we should do to mitigate those problems.
All right, as I mentioned before, this session will be based on live demos. So I'm going to switch to the demo and let's get started. So first, I want to show you what Azure AD Connect is, just in case you haven't worked with that before. So Azure AD Connect, that's a tool from Microsoft, a free tool, of course. And this tool may be used to synchronize your on-premises AD to the cloud AD. And when you configure this tool, one of the things that you must do, you must connect to your on-prem AD here. So you will type an enterprise admin user name and password. And AD Connect will create an account that will be used for synchronization. So let me show you this, because I already have that configured. If I go to the domain controller and go to Users, so here is an account, MSOL_something. And that's just a regular user; if I go to Member Of, just a domain user, so nothing special with this account. But that account may have a number of permissions, extra permissions, if you enable some features. One of the features that is very popular is called password hash sync. If you turn this feature on, the account for synchronization, this ADDS connector account, will have extra permissions. It will have permission to replicate Active Directory. So those permissions are Replicating Directory Changes and Replicating Directory Changes All. Now, let me show you where they are. So in my AD Connect, I enabled password hash sync. And by the way, it's a very recommended option. So most companies, they enable password hash sync. So password hashes, of course, are synchronized from on-prem to the cloud as well. We use that for resiliency. And so that's enabled for many companies. If I go to the properties of my domain, go to Security, and find this MSOL account, so here are those permissions. They are delegated. So that's just a normal, typical configuration of AD Connect. Now, where may we have the problem?
The problem is if someone can own this account. An attacker, if he or she owns that account, will have those permissions. And those permissions are quite high. So let me show you how I can own this account first, and then what I can do with those privileges. This account, we don't know the password of this account, so we must find the password first. Let me jump back to AD Connect. Let me show you how we can get that password. Let me cancel that. So to get the password: this password is stored in the AD Connect database. If I open this table, Management Agent, and let me remove those columns I don't need, and let me just keep a few of them and run that. Now, if I look for credentials, look at this. So it says the username is here, MSOL_something. And the password is also here, but the password is encrypted. Not that simple, so you will not be able to just take the password in plain text. All right, but there's another way we can get the password. We must decrypt that. To decrypt the password, what we must do, we must become domain... no, sorry, not domain, we must become local administrator on this AD Connect server. So an AD Connect administrator can decrypt this password. The decryption process is quite tedious if you do it manually, but luckily we have people, we have good researchers, and they give us tools, and one of the tools is called adconnectdump. So if you just run adconnectdump, look at this. I have the password from this SQL database, decrypted. So by the way, you may find this tool on GitHub, and you may also find the article from the author of this tool where he explains how to do all of this manually, if you want to do it manually. But the manual process will take a while, so I would not be able to fit it into my session. All right, let me copy this password. And now I have an MSOL user. And now, what can I do with these credentials? Let me first open a command prompt on a different machine. At the same time, I'm going to run this as a different user.
Let's type the MSOL user and click OK. It will take some time before the command prompt appears. So let me first check whoami here. I'm a user, JDo; let's take a look if I have permissions to enumerate the C drive of the domain controller. No, access denied, so I'm just a regular user; maybe I'm a local admin, but I'm not the administrator on the domain controller, so I don't have domain admin permissions. All right, let's try something else. Let's type whoami here. And this user, this command prompt from the MSOL user, let's try to enumerate the domain controller as well. Access denied again. So no luck. But we don't really need that at this moment, because now we have permission to replicate directory changes. With this permission, I can synchronize, I can replicate information and password hashes of any user in the company, in this network, in this domain. So let me go to C:\Tools. Oh, Mimikatz. And let me run the well-known tool called Mimikatz. Now, in Mimikatz, what I want to do, I want to say lsadump::dcsync, and I want to synchronize information about trainer, and trainer, he or she, is the domain administrator. So let's see that. Now I can see the hash, the password hash of this user. Now let's go to... Let's open Mimikatz again. Let's run Mimikatz here. And let's say privilege::debug. And I will run a command which is very well known, called pass-the-hash. I will copy this NTLM and paste it here. And now I have another command prompt. Let's try to dir the DC. Fingers crossed. Yay! Now I have access to the domain controller. That means I became the domain administrator. So when we have AD Connect, and password hash sync is enabled, which is quite common, what may happen, this ADDS account will have quite a lot of permissions. And so you must be very careful when you delegate permissions: who is the AD Connect administrator? So please be careful with AD Connect administrators.
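Added example (editor's, not part of the talk): an audit script that lists which principals hold the replication extended rights on the domain root, which is exactly what makes the MSOL_ connector account DCSync-capable in the demo above, and flags any holder outside an allowlist. The allowlist patterns and the MSOL_ name pattern are assumptions to adjust for your own domain.

```powershell
# Editor-added example, not part of the talk. Lists principals that can DCSync the domain
# (DS-Replication-Get-Changes / -All, or blanket ExtendedRight/GenericAll on the domain root)
# and flags anything not in an allowlist.
# Assumptions: RSAT ActiveDirectory module is installed; the allowlist patterns below are
# examples and must be adjusted to the domain being audited.
Import-Module ActiveDirectory

# Control-access-right GUIDs for the replication extended rights.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DcSyncPrincipals {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        # An ExtendedRight ACE with an empty ObjectType grants ALL extended rights,
        # replication included; GenericAll obviously does too.
        $isBlanket = ($rights -match 'GenericAll') -or
                     ($rights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty)
        $guid = $ace.ObjectType.ToString()
        if ($isBlanket -or ($rights -match 'ExtendedRight' -and $ReplRights.ContainsKey($guid))) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = if ($isBlanket) { 'All extended rights (includes replication)' } else { $ReplRights[$guid] }
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-UnexpectedDcSyncPrincipals {
    param(
        # Default holders on a domain root, plus the AD Connect connector account
        # (expected when password hash sync is on, but it is a tier-0 identity).
        [string[]]$AllowedPatterns = @(
            '^BUILTIN\\Administrators$',
            '^NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS$',
            '\\Domain Controllers$',
            '\\Enterprise Read-only Domain Controllers$',
            '\\Domain Admins$',
            '\\Enterprise Admins$',
            '\\MSOL_[0-9a-fA-F]+$'
        )
    )
    Get-DcSyncPrincipals | Where-Object {
        $id = $_.Identity
        -not ($AllowedPatterns | Where-Object { $id -match $_ })
    }
}

# Usage: the full list, then only the surprises.
Get-DcSyncPrincipals | Sort-Object Identity | Format-Table -AutoSize
Find-UnexpectedDcSyncPrincipals | Format-Table -AutoSize
```

Everything the first command prints can pull every password hash with the lsadump::dcsync step shown above. The MSOL_ account appearing there is by design; the point of the demo is that whoever is local administrator on the AD Connect server effectively holds that right too, so the server has to be treated as tier 0.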
Don't provide these permissions to mid-level administrators, because they can become domain admins quite easily. All right, so that's the first thing. That's the classic configuration: AD Connect, when we install the whole server inside our network, and so we can compromise it like this. There are some other ways we can achieve this result, because if you Google a lot, you will find some other ways, if you have, like, pass-through authentication and some other ways to authenticate with AD Connect, how they may also be compromised. So I'm not going to show you all of those ways to compromise AD Connect. Just check this one and make sure only domain administrators can manage AD Connect. All right, so we discussed AD Connect, how it may be used to synchronize accounts and, more important, how we can compromise that and what the misconfigurations are, what you should not do. Let's take a look at another option, which is Azure AD cloud sync, Azure AD Connect cloud sync. Cloud sync, that's when we don't have the full engine on-premises, so we don't install the full server. The actual engine will be in the cloud. But on-prem, we're just going to install an agent. So let's take a look here. Here: lightweight agent installation mode. So we just install the agent on-premises. So that configuration, it doesn't support all the features of AD Connect, so nowadays it's not that popular, but I guess because that's the new offering from Microsoft, it will have more and more features later on. So what if you decide to switch to cloud sync? How will it look? Let me just go to the cloud. And if I go to Azure AD, so here, in Azure Active Directory, we can find the Azure AD Connect blade. And under that, there's Manage Azure AD cloud sync. Click here. And so what I must do first, I must download the agent and install it on one of the servers. If I switch to that server, look at this. So I have a server where I have this AD Connect installed.
And how can you find this AD Connect presence? If you go to Services, find Microsoft Azure AD Connect Provisioning Agent. So this agent is installed. And so what you can do here... by the way, don't worry about the degraded status; it's because my demo environment was turned off for a long time. So if I go to Configuration, here in the cloud, I can configure my sync. Also, by the way, I can synchronize password hashes as well. And if we synchronize password hashes, we may face the same issue, that the passwords may be replicated by the account. But the problem here with this cloud sync, not the problem, that's like a difference between AD Connect and cloud sync: in the case of cloud sync, we don't have a server. We don't have, like, a user account. We don't have a SQL database where this account is stored. So that's a bit different. Let's take a look at how it will be configured in the case of AD Connect cloud sync. If I click on the agent, I can find that the agent is working on behalf of a group managed service account, or gMSA. And so in the case of a gMSA, there's no password which is stored locally. So that's an account in Active Directory. And some sort of servers may retrieve the password of this account from AD. Let me show you this. If I go to the domain controller, here is the group managed service account. Nothing here. If I go to Properties... So if you go to the Attribute Editor, you may find here, like, information about the password: password ID, password interval, because this password will be changed by the service account. All right. So now I can see that this account is not typical. But how can we take this account over? Let me go back to my server. I'm going to open PowerShell. Let me type one command. Let me just type this. Now it says that this account has a principal that is allowed to retrieve the managed password, and this principal is agent. So the name of this principal is agent. Let's take a look at who... hostname, not whoami, hostname. And I can see agent.
That's the current server. So if I'm an administrator on this server, which is the agent server, I can achieve literally the same. So let me show you a few ways we can do it. So the first way: I can open a command prompt, but let me do it as an administrator, because I must be a local administrator. I'm going to go to C:\Tools. And here I'm going to run PsExec. And in my PsExec, I'm going to open cmd as this agent account. I don't need to know any passwords, because this specific server may retrieve this password from AD. All right. Now if I open Mimikatz and run lsadump::dcsync, yes, I was able to replicate information about hashes. All right. That's the most simple way to do it, if you can just locally run that and execute Mimikatz on this machine. But maybe that's not the case. Maybe you cannot run Mimikatz here. And we need to do it in a different manner. So let me clear the screen. I also need a command prompt as an administrator. And let me open PowerShell as Local System. So let's say whoami. I'm Local System. So we know that agent can retrieve the password. So if I become the machine, Local System, it means I'm agent now. I'm the local machine. And so I can try to retrieve the password from Active Directory. Let me do it like this. Not the password itself, by the way. It will be a hash. And so now I extracted the password hash. What can I do next? Yes, pass-the-hash. And so that account will allow me to run with elevated permissions. How to do pass-the-hash here, I showed before, so I don't think I need to show it to you again. All right. So that's two ways we can extract credentials. And with those credentials, we can get access to domain administrator permissions. But you may say, wait a second, this session is called From On-Prem to the Cloud. And yes, you used something cloud-based like AD Connect, but you did not show us how to become a cloud administrator.
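Added example (editor's, not part of the talk): the cloud sync demo above turns on one question, which hosts are allowed to retrieve the gMSA's managed password, because every local administrator (or SYSTEM) on such a host can run as the gMSA without knowing any password. This script answers that for every gMSA in the domain and then lists the local Administrators of each host. It assumes the "one command" typed in the talk was Get-ADServiceAccount with the PrincipalsAllowedToRetrieveManagedPassword property (an assumption; that is what the script uses), the RSAT ActiveDirectory module, and WinRM access to the listed hosts.

```powershell
# Editor-added example, not part of the talk. For every gMSA in the domain, show which
# computers may retrieve its managed password and who is a local administrator on those
# computers: each of them (or SYSTEM there) can use the gMSA exactly as shown above.
# Assumptions: RSAT ActiveDirectory module; WinRM access to the listed hosts.
Import-Module ActiveDirectory

function Resolve-RetrieverHosts {
    # Expand the retrievers (computers, or groups of computers) to DNS host names.
    param([string[]]$PrincipalDns)
    foreach ($dn in $PrincipalDns) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass
        switch ($obj.objectClass) {
            'computer' { (Get-ADComputer -Identity $dn).DNSHostName }
            'group'    {
                Get-ADGroupMember -Identity $dn -Recursive |
                    Where-Object objectClass -eq 'computer' |
                    ForEach-Object { (Get-ADComputer -Identity $_.distinguishedName).DNSHostName }
            }
            default    { "$($obj.Name) [unexpected objectClass $($obj.objectClass)]" }
        }
    }
}

function Get-GmsaExposure {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Where-Object ObjectClass -eq 'msDS-GroupManagedServiceAccount' |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.SamAccountName
                Hosts   = @(Resolve-RetrieverHosts -PrincipalDns @($_.PrincipalsAllowedToRetrieveManagedPassword))
            }
        }
}

function Get-HostLocalAdmins {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    }
}

# Usage: one line per gMSA, then the local Administrators of each host that can fetch its password.
foreach ($g in Get-GmsaExposure) {
    "gMSA $($g.Account): password retrievable by $($g.Hosts -join ', ')"
    foreach ($h in $g.Hosts) {
        try   { "  $h local Administrators: $((Get-HostLocalAdmins -ComputerName $h) -join ', ')" }
        catch { "  $h : could not query ($($_.Exception.Message))" }
    }
}
```

Every name in the second set of lines is, in practice, a holder of whatever the gMSA can do; for the cloud sync agent account with password hash sync enabled, that is replication of the whole domain.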
You just showed how to become local admin, I mean domain admin, based on the AD Connect installation or AD Connect cloud sync, but not how to elevate in the cloud. Yes, let me show you this. So if you are the domain administrator, that means that you can connect to literally any workstation or server in your network, right? Probably yes. So, let me jump to the demo again. Let me show you one interesting thing. When you have your cloud environment, you probably have IT professionals, developers, and they use a tool called the Azure CLI, az. Let me just type it. Let's say az account list, and let's output it as a table. And look at this. So it shows me my subscriptions. All right. Now let's do the same on a different machine. Let me open CMD. And let me just, let me even copy and paste. Copy and paste. Fingers crossed, it should fail. Please fail. Yeah. So it says you must log in to Azure first. But why, when I opened CMD from here, didn't it tell me anything? It just executed the command. The reason is I already logged in here, and the token was cached. And the token will be cached here: if you go to your user profile, there's a folder called .azure. A subfolder called .azure. So if you go there, if you take all of those files, you may take only a few of them, but let me take all of them except config. And let's say I want to add that to an archive. Let's keep 7-Zip. That's fine. And so here is the 7-Zip archive. Let me copy this to this workstation. Extract that. Fingers crossed. Come on. Come on. Yeah. So now I can see the list of subscriptions. Did I have any MFA prompts? No. Any password prompts? No. But this account has MFA enabled, and of course it has a password. But because we use the cached token, we don't need to present all of this. We can just steal the token, import that to a different machine, like just copy and paste, and you're all set. And you are in the cloud. And so now it depends on my permissions. I can do something. So let's try to do something.
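Added example (editor's, not part of the talk): the token theft above works because the Azure CLI keeps its credentials in the .azure folder of the user profile. The script below inventories those caches across every profile on a Windows host, so a defender can see which accounts have cached cloud tokens, how fresh they are, and whether the cache is plaintext; it also reads azureProfile.json to show which identity and subscriptions a stolen cache would hand over. The file names are the ones I have seen in the Azure CLI's .azure folder (an assumption about the CLI version in use): accessTokens.json is the legacy plaintext cache, msal_token_cache.bin the DPAPI-protected cache on Windows, msal_token_cache.json a plaintext variant, azureProfile.json the account list. Run it elevated to read other users' profiles.

```powershell
# Editor-added example, not part of the talk. Inventory Azure CLI credential caches in every
# user profile on a Windows host, and list the identity/subscriptions a cache would give.
# Assumptions: the file names below match the Azure CLI version in use; run elevated.
$CacheFileNames = 'accessTokens.json', 'msal_token_cache.bin', 'msal_token_cache.json', 'azureProfile.json'

function Test-PlainJsonFile {
    # True when the file parses as JSON, i.e. it is not a DPAPI-protected blob.
    param([string]$Path)
    try {
        $text = (Get-Content -Path $Path -Raw -ErrorAction Stop).TrimStart([char]0xFEFF)
        $null = $text | ConvertFrom-Json -ErrorAction Stop
        return $true
    } catch { return $false }
}

function Get-AzCliCacheInventory {
    param([string]$ProfilesRoot = (Split-Path -Path $env:USERPROFILE -Parent))
    foreach ($profileDir in Get-ChildItem -Path $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
        $azureDir = Join-Path $profileDir.FullName '.azure'
        if (-not (Test-Path -Path $azureDir)) { continue }
        foreach ($name in $CacheFileNames) {
            $file = Join-Path $azureDir $name
            if (-not (Test-Path -Path $file)) { continue }
            $item = Get-Item -Path $file
            [pscustomobject]@{
                User      = $profileDir.Name
                File      = $name
                SizeBytes = $item.Length
                AgeHours  = [math]::Round(((Get-Date) - $item.LastWriteTime).TotalHours, 1)
                PlainJson = Test-PlainJsonFile -Path $file
            }
        }
    }
}

function Get-AzCliCachedSubscriptions {
    # azureProfile.json holds no token, but it names the identity and subscriptions a stolen
    # cache unlocks (the same list "az account list" printed above).
    param([string]$AzureDir = (Join-Path $env:USERPROFILE '.azure'))
    $profilePath = Join-Path $AzureDir 'azureProfile.json'
    if (-not (Test-Path -Path $profilePath)) { return }
    $json = (Get-Content -Path $profilePath -Raw).TrimStart([char]0xFEFF) | ConvertFrom-Json
    foreach ($sub in $json.subscriptions) {
        [pscustomobject]@{
            Subscription = $sub.name
            Id           = $sub.id
            Tenant       = $sub.tenantId
            User         = $sub.user.name
            UserType     = $sub.user.type
            IsDefault    = $sub.isDefault
        }
    }
}

# Usage
Get-AzCliCacheInventory | Format-Table -AutoSize
Get-AzCliCachedSubscriptions | Format-Table -AutoSize
```

A fresh cache in the profile of a user who administers subscriptions, on a machine a domain admin can reach, is the exact situation the demo exploits; "az logout" clears the cache for that user, but the durable fix is the privileged access workstation advice in the mitigation part of the talk.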
Let's say I want to create a new user, which is called... I will call this user azurehound. Let's create that. And the password will be quite strong. Don't worry, I'm going to remove this user later on, so you will not be able to use this user. And also let me assign permissions. Reader. All right. So now I have a user with Reader permissions at the subscription level. So what can I do with this user? I want to enumerate the subscription, and I will use a quite well-known tool called AzureHound. So have you heard about this? AzureHound. So you probably heard about BloodHound, which is, you know, for on-premises. AzureHound, that's the cloud version of BloodHound. All right. So what can I do with this AzureHound? I can enumerate. This time I can enumerate Azure. In the same manner I did that in on-prem AD with BloodHound, I can do something similar in the case of AzureHound. Let me show you this pretty quickly. I'm going to find my AzureHound locally. Let me copy this. And let me paste that to the desktop. Oh, I even have a folder here. Oh, it's already there. So AzureHound is here. Now, what I want to do, I want to navigate to it. And let's say import. Import-Module AzureHound. Come on. AzureHound. And look at this. It says that was blocked by your antivirus software. So I want to enumerate, but I cannot do it because something, some antivirus, doesn't allow me to do it. So what is that? That's called AMSI. And so it's trying to test the PowerShell commands and PowerShell modules I'm trying to run from PowerShell, or not only PowerShell, by the way, but this time PowerShell. So what I'm going to do now, I want to bypass AMSI. How can we do it? I won't give you all the details about that, because that's not the goal of the session. But let me try to show it to you really quickly. So I'm going to open PowerShell. Open PowerShell. And let me run a tool called frida-trace.
And what I need to do, I must tell Frida the process ID of my PowerShell window. So it's 400. Nice. Let's say 400. All right. Now, if I type a command like Get-Service, that was fine. And here I can see output from AMSI, I mean AMSI output. And every time I can see this AMSI context. So what is this context all about? Let me copy this. And this time I want to open WinDbg, the debugger. All right. I'm going to attach to PowerShell. And so let me just dc into this address. And look at this. So it says here, I can see something with the title AMSI, like a header, an AMSI header. So if I remove this header, AMSI will stop working. How can we remove this header? Let me detach like that. How can I remove this header? I can do it from the debugger, or I can even do it from PowerShell. Let me just type something like this. And now if I try to do something like Invoke-Mimikatz, it will fail because I don't have this module. But the antivirus will not block it. Yeah, the antivirus did not block it. All right, let me try to use this bypass here. And let's try to import that again. Yeah, that's working. That's working. And so now I just need to run something like Invoke-AzureHound. But to do it, I must first connect to Azure AD. So let me say Connect-AzureAD with azurehound and the password. So let's keep that first. Now, what I can do, I can say Invoke-AzureHound, and now it will start to collect information from my Azure AD. From Azure in general, including Azure AD. Of course, it depends on my permissions, but because I delegated permissions to read everything, it may collect a lot of information. And so the output will soon be here in this folder. So for the second time, let me jump to my BloodHound GUI. I already pre-created the AzureHound file. So let me just say upload data. And here is the AzureHound collection. And now the statistics here are not very nice; let me just close that and run it again. Let's see.
Yay, we have, look at this: AZ Applications, AZ Devices, AZ Groups, Users, Tenant, Subscriptions. So we learned a lot. Unfortunately, or maybe fortunately, we don't have pre-built queries for Azure. So we must run our custom queries. We must run our custom query. So let me run a custom query. Oh, damn it. Let me just first copy here, paste here. And now I can see, like, the accounts I have in my environment, and those accounts. And you may say, wait a second, why the hell is that? Because it's quite hard to understand. Yes, unfortunately, currently that is not super friendly, but at least I can build a graph in a similar manner, like BloodHound. There's a very nice article you may find here: AzureHound Cypher Cheat Sheet. And here are a number of those queries that I will try, and it will return some data that you want. All right. All right. I hope that demo convinced you that you should protect your AD Connect server, or if you prefer to use cloud sync, you must protect the agent, and you should not provide permissions, even to mid-level administrators, to manage those servers, because they may easily escalate to domain administrators and from domain administrators to cloud administrators. There are a number of ways to achieve that. If you are a cloud administrator using Intune, you may become a domain administrator. So when you have hybrid AD, you must protect both environments pretty well, because from one environment you may get access to another, and vice versa. So, the last slide here, and it will be a slide. So what can you do to protect your environment better? So if you want to avoid compromising the ADDS account, first of all, keep in mind, AD Connect or the cloud sync agent, they are tier zero. So it means that you should not allow regular administrators AD Connect management. Do not allow an administrator, a server administrator, to manage the agent or the AD Connect server, because they may become domain admins quite easily.
So, please use the principle of least privilege. Also, by the way, if you use Azure AD Connect cloud sync, it may be considered more secure, because configuration may be done in the cloud; on-premises you have only the agent. But keep in mind, you should not allow access to this server, admin access to this server, to mid-level administrators. When we're talking about credentials, when I can steal credentials, here a good idea will be to use a privileged access workstation and run administration, or run development, from a separate workstation which is not part of your infrastructure. So it will have multiple layers of protection. AMSI bypass: here you may audit PowerShell commands and also use PowerShell Constrained Language mode. Of course, it's possible to bypass this language mode as well, but the more you have, the better, the more secure you are. And enumeration with AzureHound: in this case, the principle of least privilege, that's the best thing you can do, because to enumerate, to get information from Azure AD, you must run that command with some sort of permissions. So if you don't have those permissions, you will not be able to run it. All right. So that is about mitigations. So whatever, please keep in mind the configuration with AD Connect, or even AD Connect nowadays, that's quite typical. Quite typical, and password hash sync also enabled. So make sure you will not become the victim; even your users inside the company, they may do something like this. Maybe they are not malicious, maybe they are not going to steal data from the company, but at least maybe they want to have more permissions, like a mid-level admin wants to have, just in case, domain admin permissions as well. So make sure that you control access to the AD Connect server, or maybe cloud sync if you are going to use that in the future. Make sure you configure permissions correctly. All right. So I hope that session was informative, and if you have any questions, it's time to ask those questions.
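Added example (editor's, not part of the talk): a quick check of the mitigations just listed, meant to be run elevated on an AD Connect server or cloud sync agent host. It reports whether PowerShell script block and module logging are enforced by policy, the language mode of the session, local administrators outside an allowlist (the tier-zero point), and recent 4104 script-block events that mention AMSI, since the header-patching bypass shown earlier is itself recorded when script block logging is on. The allowlist group name Tier0-SyncAdmins is a placeholder for your own tier-0 group.

```powershell
# Editor-added example, not part of the talk. Hardening report for an AD Connect / cloud sync
# agent host, following the mitigations above.
# Assumptions: run elevated on the host; 'Tier0-SyncAdmins' is a placeholder group name.
function Test-PolicyFlag {
    param([string]$Key, [string]$Name)
    $v = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    return [bool]($v -and $v.$Name -eq 1)
}

function Test-PsScriptBlockLogging {
    Test-PolicyFlag -Key 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -Name 'EnableScriptBlockLogging'
}

function Test-PsModuleLogging {
    Test-PolicyFlag -Key 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -Name 'EnableModuleLogging'
}

function Get-PsLanguageMode {
    # FullLanguage means this session is unconstrained. Constrained Language mode is normally
    # enforced host-wide through WDAC or AppLocker rather than set per session.
    $ExecutionContext.SessionState.LanguageMode.ToString()
}

function Find-UnexpectedLocalAdmins {
    param([string[]]$AllowedPatterns = @('^[^\\]+\\Administrator$', '\\Domain Admins$', '\\Tier0-SyncAdmins$'))
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        $n = $_.Name
        -not ($AllowedPatterns | Where-Object { $n -match $_ })
    } | Select-Object Name, PrincipalSource, ObjectClass
}

function Find-AmsiRelatedScriptBlocks {
    # Event 4104 property index 2 is ScriptBlockText. Note that this script mentions AMSI
    # too, so it will show up once in its own results when logging is on.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            if ($text -match 'amsi') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Snippet = ($text.Substring(0, [math]::Min(120, $text.Length)) -replace '\s+', ' ')
                }
            }
        }
}

function Get-SyncHostHardeningReport {
    [pscustomobject]@{
        ScriptBlockLogging    = Test-PsScriptBlockLogging
        ModuleLogging         = Test-PsModuleLogging
        LanguageMode          = Get-PsLanguageMode
        UnexpectedLocalAdmins = @(Find-UnexpectedLocalAdmins | ForEach-Object Name)
        AmsiScriptBlocks24h   = @(Find-AmsiRelatedScriptBlocks -Hours 24)
    }
}

# Usage
Get-SyncHostHardeningReport | Format-List
```

Anything in UnexpectedLocalAdmins is, by the reasoning of the demos, a domain admin in waiting; the logging flags tell you whether an AMSI patch or a Mimikatz import on this host would at least leave a trace.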
Of course, you may ask questions during this session as well, but now, because I'm finishing, go ahead and ask them now if you have any. If not, thank you anyway, and the best thing I can recommend is to check your own environment and make sure you don't have those not-the-best, not-the-most-optimal configurations. All right. Thank you very much. Bye-bye. Enjoy the conference.