Az - Lateral Movement (Cloud - On-Prem)
On-Prem machines connected to cloud
There are different ways a machine can be connected to the cloud:
- Azure AD joined
- Workplace joined
- Hybrid joined
- Workplace joined on AADJ or Hybrid
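To tell which of these states a given Windows host is in, the usual check is the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` flags printed by `dsregcmd /status`. The following is an added example, not code from the original page: it parses a constructed excerpt of that output (the key names are real, the excerpt itself is hand-written and assumes the `Key : Value` layout) and maps the flags onto the four join types listed above. The function names `parse_dsregcmd` and `classify_join` are this example's own.

```python
import re

# Constructed sample of the kind of output `dsregcmd /status` prints on Windows.
# This is a trimmed, hand-written excerpt, not captured from a real machine.
SAMPLE_DSREGCMD_OUTPUT = """
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
"""

# Assumed line layout: optional indentation, a key (may contain spaces), ' : ', a value.
_KV_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(output):
    """Collect the 'Key : Value' lines of dsregcmd /status into a dict."""
    values = {}
    for line in output.splitlines():
        match = _KV_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def classify_join(values):
    """Map the join flags onto the join types named on the page.

    AzureAdJoined + DomainJoined  -> Hybrid joined
    AzureAdJoined only            -> Azure AD joined
    WorkplaceJoined only          -> Workplace joined (Azure AD registered)
    WorkplaceJoined on top of one of the first two -> '... + Workplace joined'
    """
    def yes(key):
        return values.get(key, "NO").strip().upper() == "YES"

    aad, domain, workplace = yes("AzureAdJoined"), yes("DomainJoined"), yes("WorkplaceJoined")
    if aad and domain:
        device = "Hybrid Azure AD joined"
    elif aad:
        device = "Azure AD joined"
    elif workplace:
        return "Workplace joined (Azure AD registered)"
    elif domain:
        return "On-prem domain joined only"
    else:
        return "Not joined to Azure AD"
    # A workplace-joined user account can exist on an AADJ or hybrid device as well.
    return device + " + Workplace joined" if workplace else device


if __name__ == "__main__":
    import subprocess
    import sys
    if sys.platform == "win32":
        output = subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_DSREGCMD_OUTPUT  # fall back to the constructed sample off-Windows
    print(classify_join(parse_dsregcmd(output)))
```

On a real host the script shells out to `dsregcmd /status`; anywhere else it classifies the embedded sample, which represents a hybrid joined device.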
Tokens and limitations
In Azure AD, there are different types of tokens with specific limitations:
- Access tokens: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource.
- Refresh tokens: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications.
- Primary Refresh Tokens (PRT): Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device.
The most interesting type of token is the Primary Refresh Token (PRT).
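The "tied to a specific client and resource" property of an access token is visible in its claims: a v1.0-style Azure AD access token carries the target resource in `aud`, the client it was issued to in `appid`, and its lifetime in `exp`. The following added example (not code from the original page or from ROADtools) decodes a constructed, unsigned sample token and checks those three bindings the way a resource server would before looking at the signature. The sample claim values (tenant id, client id, expiry) are made up, and the function names `decode_jwt_claims` and `check_access_token_use` are this example's own.

```python
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_jwt_claims(token):
    """Return the payload claims of a JWT WITHOUT verifying its signature.

    This is for inspection only; authenticity must come from signature
    verification against the issuer's published keys, which is out of scope here.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_access_token_use(claims, resource, client_id, now=None):
    """Check that the token was minted for this resource (aud), for this client
    (appid) and has not expired (exp). Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("aud") != resource:
        return False, "audience mismatch: token is for %s" % claims.get("aud")
    if claims.get("appid") != client_id:
        return False, "client mismatch: token was issued to app %s" % claims.get("appid")
    if now >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"


# Constructed sample values; none of these identify a real tenant or application.
SAMPLE_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CLAIMS = {
    "iss": "https://sts.windows.net/%s/" % SAMPLE_TENANT_ID,
    "tid": SAMPLE_TENANT_ID,
    "aud": "https://graph.microsoft.com",   # the resource this token is bound to
    "appid": SAMPLE_CLIENT_ID,              # the client application it was issued to
    "scp": "User.Read",
    "exp": 4102444800,                      # 2100-01-01T00:00:00Z, so the sample stays valid
}


def make_unsigned_sample_token(claims):
    """Build an alg=none JWT for the sample. A real token would be RS256-signed by Azure AD."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return header + "." + payload + "."


SAMPLE_TOKEN = make_unsigned_sample_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    for resource in ("https://graph.microsoft.com", "https://management.azure.com/"):
        print(resource, check_access_token_use(claims, resource, SAMPLE_CLIENT_ID))
```

Running the script shows the same token accepted for the Graph audience and rejected for the ARM audience, which is the practical meaning of "tied to a specific client and resource": a token stolen for one API cannot be replayed against another, so a refresh token or PRT (which can mint tokens for many resources) is a higher-value asset to protect than any single access token.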
See also: Az - Primary Refresh Token (PRT)
Pivoting Techniques
From the compromised machine to the cloud:
- Pass the Cookie: Steal Azure cookies from the browser and use them to login
- Phishing Primary Refresh Token: Phish the PRT to abuse it
- Pass the PRT: Steal the device PRT to access Azure impersonating it.
- Pass the Certificate: Generate a cert based on the PRT to login from one machine to another
From compromising AD to compromising the Cloud and from compromising the Cloud to compromising AD:
Another way to pivot from the cloud to On-Prem is abusing Intune.
The tool roadtx (ROADtools Token eXchange) allows performing several actions such as registering a machine in Azure AD to obtain a PRT, and using PRTs (legitimate or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/