When installing the Azure AD Connect tool, a user must be created with sufficient permissions to synchronize password hashes to the cloud. What happens if this account is compromised?
In the previous article we explained the differences between on-premise Active Directory Domain Services (AD DS), Azure Active Directory (AAD) and Azure Active Directory Domain Services (AADDS).
We briefly explained that Azure Active Directory allows users to authenticate to cloud applications using the same credentials as the on-premise Active Directory Domain Services. This is done with a tool called Azure Active Directory Connect, which syncs the passwords to the cloud using Password Hash Synchronization (PHS).
During the installation of the Azure Active Directory Connect tool, you will be asked to either create a new AD account or use an existing one.
If you choose to create a new one, the tool will create a user with the prefix MSOL_ followed by a random string.
From the description of the account, we can see that “This account must have directory replication permissions in the local Active Directory and write permission on certain attributes to enable Hybrid Deployment.”
If you choose to use an existing AD account, you must ensure the correct permissions are applied.
Once the installation is completed, you can log in to your Azure portal and see that the users are syncing to the cloud.
What happens if the sync user is compromised?
Let us consider a scenario where the sync user is compromised. This could happen because:
- The server with Azure Active Directory Connect database is breached
- A sync user was created with a guessable password
- Another user with password change/reset permissions was compromised
- A user with local admin privileges on the DC is compromised
- The sync user's password hash was retrieved by some other means
Note here that an attacker wouldn’t need the actual password of the sync user. The password hash will be enough to proceed.
If the user is compromised, the attacker will have replication permissions in the local Active Directory and write permission on certain attributes.
These permissions allow the attacker to perform a technique known as DCSync, in which a user with replication permissions (necessary for Azure Active Directory Connect) acts as a DC and requests a sync of user password hashes.
Using every pentester's favorite tool, it looks something like this.
On the left, we can see a successful DCSync attack, where the compromised user (with replication permissions) is used to retrieve the hash of the krbtgt user. This opens the door to other attacks.
On the right, for comparison, is a failed DCSync attempt by a regular user without enough permissions.
Azure Active Directory Connect Security
Microsoft states clearly that the infrastructure hosting the Azure Active Directory Connect tool must be treated as a Domain Controller and secured as such. The sync user possesses high privileges that allow it to retrieve any user's password hash to sync to the cloud, which makes it a very valuable target.
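Because the sync user replicates legitimately, detection has to key on where the request comes from. The following is an added example, not part of the original article: it correlates domain controller Security events 4662 (directory access carrying the replication extended-right GUIDs) with 4624 (logon, which gives the source IP for the same logon ID) and reports replication that comes from neither a DC nor the Azure AD Connect server. It assumes directory service access auditing is enabled and that events are already parsed into dictionaries; the IP addresses, account name and sample events are constructed placeholders.

```python
# Added example: flag DCSync-style replication requests in DC Security logs.
# 4662 carries the replication GUIDs; 4624 maps the logon ID to a source IP.
REPL_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
)
# Assumed placeholders for the environment being monitored.
DC_IPS = {"10.0.0.10", "10.0.0.11"}
AADCONNECT_IPS = {"10.0.0.20"}
SYNC_PREFIX = "MSOL_"

def find_suspicious_replication(events):
    """Return unique (user, source_ip, reason) tuples for unexpected replication."""
    logon_ip, findings = {}, []
    for ev in events:  # assumed to be in chronological order
        if ev["EventID"] == 4624:
            logon_ip[ev["TargetLogonId"]] = ev["IpAddress"]
            continue
        if ev["EventID"] != 4662:
            continue
        if not any(g in ev["Properties"].lower() for g in REPL_GUIDS):
            continue
        user = ev["SubjectUserName"]
        ip = logon_ip.get(ev["SubjectLogonId"], "unknown")
        if user.endswith("$") and ip in DC_IPS:
            continue  # domain controller replicating with its peers
        if user.startswith(SYNC_PREFIX) and ip in AADCONNECT_IPS:
            continue  # sync account used from the Azure AD Connect server
        reason = ("sync account used away from the Azure AD Connect server"
                  if user.startswith(SYNC_PREFIX)
                  else "replication by an account that is not a DC or the sync account")
        if (user, ip, reason) not in findings:
            findings.append((user, ip, reason))
    return findings

# Constructed sample events (not real log data).
_P = "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "MSOL_0123456789ab", "TargetLogonId": "0x1a", "IpAddress": "10.0.0.20"},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123456789ab", "SubjectLogonId": "0x1a", "Properties": _P},
    {"EventID": 4624, "TargetUserName": "DC02$", "TargetLogonId": "0x2b", "IpAddress": "10.0.0.11"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x2b", "Properties": _P},
    {"EventID": 4624, "TargetUserName": "MSOL_0123456789ab", "TargetLogonId": "0x3c", "IpAddress": "10.0.0.57"},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123456789ab", "SubjectLogonId": "0x3c", "Properties": _P},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123456789ab", "SubjectLogonId": "0x3c", "Properties": _P},
]
if __name__ == "__main__":
    for finding in find_suspicious_replication(SAMPLE_EVENTS):
        print(finding)
```

On the sample data, only the sync account's session from 10.0.0.57 is reported; the same account replicating from the Azure AD Connect server and the DC-to-DC traffic are not.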
MITRE ATT&CK References