H3-2024-0037
Azure Cloud Kerberos Trust Abuse
Category: CREDENTIALS
Base Score: 4.2
Description
The cloud Kerberos trust relationship between the on-premises domain and Microsoft Entra ID can be abused for lateral movement or privilege escalation by modifying the hybrid-identity properties of users in Entra ID. Lateral movement lets an attacker move between synchronized identities in Entra ID and the on-premises domain, while privilege escalation lets the attacker act as a privileged user inside the on-premises domain.
Impact
Attackers holding privileged Microsoft Entra ID credentials can move laterally into the on-premises domain by abusing the cloud Kerberos trust between Microsoft Entra ID and that domain. As a result, the attacker can obtain a TGT for, or the NT hash of, a domain user. If Microsoft Entra Connect Sync is enabled on the domain, the MSOL account can be targeted to obtain DCSync (directory replication) privileges, which allow dumping all credentials from the on-premises domain controller.
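A defender-side check for the identity mapping this finding depends on, added here as an example and not taken from the advisory. It audits user records shaped like Microsoft Graph `user` objects (assumed field names `onPremisesSecurityIdentifier`, `onPremisesSyncEnabled`, `userPrincipalName`; the records are constructed) for cloud-only accounts that carry an on-premises SID, SIDs that resolve to built-in privileged RIDs or to defender-supplied sensitive accounts such as the synchronization account, and one SID claimed by several cloud objects.

```python
"""Audit Entra ID user objects for hybrid-identity SID mappings a cloud Kerberos
trust would honour. Added example, not advisory code; assumes Microsoft Graph
`user` field names and that `onPremisesSecurityIdentifier` is the mapped property."""
from collections import defaultdict
from typing import Optional

# Well-known RIDs: Administrator, Domain Admins, Domain Controllers,
# Schema Admins, Enterprise Admins.
PRIVILEGED_RIDS = {500, 512, 516, 518, 519}


def rid_of(sid: str) -> Optional[int]:
    """Trailing RID of an S-1-5-21-... domain SID, or None if it is not one."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[:4] != ["S", "1", "5", "21"] or not parts[-1].isdigit():
        return None
    return int(parts[-1])


def audit_hybrid_sids(users, domain_sid, sensitive_sids=frozenset()):
    """Return sorted (userPrincipalName, reason) pairs worth an analyst's review."""
    # sensitive_sids: extra SIDs the defender supplies, e.g. the Entra Connect
    # synchronization account that holds directory replication rights.
    findings, owners = [], defaultdict(list)
    for u in users:
        sid, upn = u.get("onPremisesSecurityIdentifier"), u["userPrincipalName"]
        if not sid:
            continue                      # nothing for the trust to map
        owners[sid].append(upn)
        if not u.get("onPremisesSyncEnabled"):
            findings.append((upn, "cloud-only account carries an on-premises SID"))
        if not sid.startswith(domain_sid + "-"):
            findings.append((upn, "SID belongs to a domain outside the trust"))
        if rid_of(sid) in PRIVILEGED_RIDS or sid in sensitive_sids:
            findings.append((upn, "SID maps to a privileged on-premises principal"))
    # Two cloud objects resolving to one on-premises SID: at least one is suspect.
    for sid, upns in owners.items():
        if len(upns) > 1:
            findings += [(upn, f"SID {sid} shared by {len(upns)} users") for upn in upns]
    return sorted(findings)


DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
SAMPLE_USERS = [                                          # constructed records
    {"userPrincipalName": "alice@corp.example", "onPremisesSyncEnabled": True,
     "onPremisesSecurityIdentifier": DOMAIN_SID + "-1105"},
    {"userPrincipalName": "bob@corp.example", "onPremisesSyncEnabled": True,
     "onPremisesSecurityIdentifier": DOMAIN_SID + "-500"},
    {"userPrincipalName": "svc-app@corp.example", "onPremisesSyncEnabled": None,
     "onPremisesSecurityIdentifier": DOMAIN_SID + "-1105"},   # cloud-only, yet mapped
    {"userPrincipalName": "guest@corp.example"},
]
```

Run it against an export of your tenant's users (for example the output of a Graph `users` query selecting those three properties) and feed the SIDs of replication-capable service accounts through `sensitive_sids`.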