高级 Active Directory 到 Entra ID 横向移动技术.pdf

1、#BHUSA BlackHatEventsAdvanced Active Directory to Entra ID Advanced Active Directory to Entra ID lateral movement techniqueslateral movement techniquesDirk-jan MollemaAbout me Dirk-jan Mollema From The Hague,Netherlands Hacker/Researcher/Founder/Trainer Outsider Security Talks at Black Hat/DEF CON/B

2、lueHat/Troopers/x33fcon Author of several Active Directory and Entra ID toolsmitm6ldapdomaindumpadidnsdumpBloodHound.pyntlmrelayx/krbrelayxROADtoolsSocials Blog/talks:dirkjanm.ioTwitter/X:_dirkjanBlueSky:dirkjanm.ioAgenda Domains in AD and in Entra ID Existing hybrid attacks Policies ExchangeDomains

3、Domains in AD vs Entra Domains in Active Directory Are logical containers with their own structure.Are part of a forest of one or multiple domains,which acts as the security boundary.In Entra ID Domains are custom domains that you can use for sending email or as a suffix for userPrincipalNames.Entra

4、 has a flat structure,which means there is no difference between users in one domain versus another domain.Domains in hybrid AD/Entra ID We can sync multiple AD domains/forests to the same tenant.All users from these domains will be“pooled”together in Entra ID.However,we can configure authentication

5、(managed/federated)on a per domain basis.This is what confuses people(including me).In Entra ID,there is no boundary between different custom domains.However,there is a difference between synced accounts and“cloud-only”accounts.Entra ID hybrid setupMicrosoft Entra Tenant identity layerDomain 1Domain

6、 2Managed(PHS)Federated(AD FS)AD DS 1AD DS 2Entra IDOn-premisesSyncSyncAuthDomain 3Domain NEntra ID hybrid attacks from ADEntra ID cloud only usersManaged(PHS)Federated(AD FS)AD DS 1AD DS 2Entra IDOn-premisesSyncSyncIssue auth tokensEntra ID hybrid usersDomain 1Domain 2Write passwordHybrid domain co