Architecture

Password Hash Synchronization:

  • All password hashes are synchronized between on-prem AD and Entra ID via DCSync.

  • All on-prem users can access Entra ID resources (Teams, M365, SharePoint, etc.).

    • Easy to pivot from on-prem because all users are available. The MSOL account is a juicy target because it's used to sync passwords.
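Because the MSOL_ sync account holds replication rights, its use is worth baselining. The following Python is an added example (not from these notes) that flags Event ID 4662 replication-right usage outside an assumed baseline; the DC and sync-host names, the MSOL_ account name and the SIEM-normalised record layout are all constructed assumptions.

```python
import re

# Control-access-right GUIDs requested by directory replication (a DCSync-style read
# of password hashes); they appear in the Properties field of Event ID 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
# Assumed baseline (constructed): DCs that legitimately replicate with each other and
# the Entra Connect server that hosts the MSOL_ sync account.
DC_ACCOUNTS = {"DC01$", "DC02$"}
SYNC_HOST = "AADCONNECT01"
MSOL_RE = re.compile(r"^MSOL_[0-9a-f]+$", re.IGNORECASE)
# Constructed sample records as a SIEM might normalise them; 'Host' is assumed to have
# been added by correlating the 4662 logon ID with its 4624 logon event.
SAMPLE_EVENTS = [
    {"EventID": 4662, "Account": "DC02$", "Host": "DC02",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Account": "MSOL_3f2a9c1b7d4e", "Host": "AADCONNECT01",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Account": "MSOL_3f2a9c1b7d4e", "Host": "WS-FINANCE07",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Account": "jdoe", "Host": "WS-FINANCE07",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Account": "jdoe", "Host": "WS-FINANCE07",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary object read, no alert
]

def flag_replication(events):
    """Return (account, host, reason) for replication-right use outside the baseline:
    a non-DC, non-MSOL account, or the MSOL account used from a host other than SYNC_HOST."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        hits = {g for g in GUID_RE.findall(ev.get("Properties", "").lower()) if g in REPLICATION_GUIDS}
        if not hits:
            continue
        account, host = ev["Account"], ev.get("Host", "")
        if account in DC_ACCOUNTS:
            continue  # DC-to-DC replication is expected
        if MSOL_RE.match(account):
            if host.upper() != SYNC_HOST:
                alerts.append((account, host, "MSOL sync account replicating from unexpected host"))
            continue
        names = ", ".join(sorted(REPLICATION_GUIDS[g] for g in hits))
        alerts.append((account, host, "replication right used by non-sync account: " + names))
    return alerts
```

Running `flag_replication(SAMPLE_EVENTS)` yields two alerts: the MSOL account replicating from a workstation, and a regular user account requesting replication rights.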

Pass Through Authentication:

  • A PTA agent is used to authenticate against an on-prem server. Password hashes are not synced to the cloud.

  • From an attacker's perspective, existing agents can be modified or new ones installed.

ADFS:

  • On-prem AD is in charge of authentication to the cloud.

    • CAPs (Conditional Access Policies) do not apply to ADFS logins.

Azure Lighthouse:

  • Used by MS(S)Ps to manage multiple environments at once.

    • IR wants to understand how the client was onboarded (at the subscription or resource group level).

      • Where are password hashes stored?
