fwd:cloudsec 2023

Elad Shamir

Elad is a cybersecurity professional primarily focused on security research and delivering offensive security services. His global career has spanned from Israel to Australia, and now finds him in the United States, where he is a member of the renowned SpecterOps team.

Elad excels in identifying security flaws in complex systems and weaponizing intended functionality for offensive capabilities, with particular prowess in Windows and Active Directory environments. Throughout his journey, Elad has remained committed to learning, refining, and sharing his knowledge and expertise to better secure organizations in an ever-evolving cyber threat landscape.


I Trusted You: A Demonstrated Abuse of Cloud Kerberos Trust
Daniel Heinsen, Elad Shamir

Microsoft has introduced a variety of protocols to abate the issue of authenticating to Azure AD and AD seamlessly. In the Windows Hello For Business setup, Cloud Kerberos Trust has been introduced to enable users to authenticate to Azure AD and still be able to access resources protected by legacy authentication mechanisms, like Kerberos. While this deployment model offers greater convenience, the ability to forge authentication material is delegated to Azure AD. This ability can be abused by attackers to breach the Cloud/On-Premises security boundary in a variety of ways.
In this talk, we will discuss the implications of entrusting an external entity with such a sensitive capability and the existential issue of synchronizing data between two equally important sources of truth. We will demonstrate how an attacker can abuse Cloud Kerberos Trust to authenticate as non-synced on-premises users, violating the security boundary between Azure AD and Active Directory and ensuring that attackers don't need to rely on a misconfiguration such as an administrator being synced to Azure AD. Lastly, we will discuss how to mitigate the issue and how to identify potential misconfigurations that may lead to issues unique to your environment.

Inside & Outside
Salon B