fwd:cloudsec 2023

I Trusted You: A Demonstrated Abuse of Cloud Kerberos Trust
06-12, 16:20–17:00 (US/Pacific), Salon B

Microsoft has introduced a variety of protocols to abate the issue of authenticating to Azure AD and AD seamlessly. In the Windows Hello For Business setup, Cloud Kerberos Trust has been introduced to enable users to authenticate to Azure AD and still be able to access resources protected by legacy authentication mechanisms, like Kerberos. While this deployment model offers greater convenience, the ability to forge authentication material is delegated to Azure AD. This ability can be abused by attackers to breach the Cloud/On-Premises security boundary in a variety of ways.
In this talk, we will discuss the implications of entrusting an external entity with such a sensitive capability and the existential issue of synchronizing data between two equally important sources of truth. We will demonstrate how an attacker can abuse Cloud Kerberos Trust to authenticate as non-synced on-premises users, violating the security boundary between Azure AD and Active Directory and ensuring that attackers don't need to rely on a misconfiguration such as an administrator being synced to Azure AD. Lastly, we will discuss how to mitigate the issue and how to identify potential misconfigurations that may lead to issues unique to your environment.

Daniel Heinsen is a red team operator, offensive tools developer, and security researcher at SpecterOps. Prior to working at SpecterOps, Daniel spent over 10 years within the U.S. Department of Defense as a software developer and capabilities specialist. Daniel has experience in offensive tool development, Windows internals, and web application exploitation. Since joining SpecterOps, Daniel has directed his research focus to novel initial access vectors and AWS. He maintains several projects at https://github.com/hotnops and posts to his blog at https://medium.com/@hotnops.

Elad is a cybersecurity professional primarily focused on security research and delivering offensive security services. His global career has spanned from Israel to Australia, and now finds him in the United States, where he is a member of the renowned SpecterOps team.

Elad excels in identifying security flaws in complex systems and weaponizing intended functionality for offensive capabilities, with particular prowess in Windows and Active Directory environments. Throughout his journey, Elad has remained committed to learning, refining, and sharing his knowledge and expertise to better secure organizations in an ever-evolving cyber threat landscape.