Daniel Heinsen is a red team operator, offensive tools developer, and security researcher at SpecterOps. Prior to working at SpecterOps, Daniel spent over 10 years within the U.S. Department of Defense as a software developer and capabilities specialist. Daniel has experience in offensive tool development, Windows internals, and web application exploitation. Since joining SpecterOps, Daniel has directed his research focus to novel initial access vectors and AWS. He maintains several projects at https://github.com/hotnops and posts to his blog at https://medium.com/@hotnops.
Microsoft has introduced a variety of protocols to abate the issue of authenticating to Azure AD and AD seamlessly. In the Windows Hello For Business setup, Cloud Kerberos Trust has been introduced to enable users to authenticate to Azure AD and still be able to access resources protected by legacy authentication mechanisms, like Kerberos. While this deployment model offers greater convenience, the ability to forge authentication material is delegated to Azure AD. This ability can be abused by attackers to breach the Cloud/On-Premises security boundary in a variety of ways.
In this talk, we will discuss the implications of entrusting an external entity with such a sensitive capability and the existential issue of synchronizing data between two equally important sources of truth. We will demonstrate how an attacker can abuse Cloud Kerberos Trust to authenticate as non-synced on-premises users, violating the security boundary between Azure AD and Active Directory and ensuring that attackers don't need to rely on a misconfiguration such as an administrator being synced to Azure AD. Lastly, we will discuss how to mitigate the issue and how to identify potential misconfigurations that may lead to issues unique to your environment.