LSA Secrets<\/strong><\/h2>\nLSA stands for Local Security Authority, used to manage the auditing, logging users onto the system, security policies, and storing credential materials such as service account passwords. Adversaries with SYSTEM access to a host may attempt to access LSA secrets. LSA secrets are stored in the registry here:<\/p>\n
HKEY_LOCAL_MACHINE\\\\SECURITY\\\\Policy\\\\Secrets.<\/p>\n
A pentester can also dump the credential materials present in the credential manager and Local Security Authority Subsystem Service to identify the cleartext password of the service account.<\/p>\n
![](\"https:\/\/lh4.googleusercontent.com\/jfoubQvnp2kGKSg5nmn2p0nR4b9Motk8iIgClI7PmyBp7ttI9M7j91L-pml-vAT7y-oa0TOGxeb_Tte-WgDi7bdmFTS3ZB3gF86NfWOKXclBQip9Q-J1bLIvq1xOmpFa9GOxXs-W\")
\nFig 5: <\/strong>Plaintext passwords for service accounts (azureadsync and oktasync) retrieved using crackmapexec via dumping LSA Secrets<\/p>\n![](\"https:\/\/lh5.googleusercontent.com\/dAwQO3cYfmn7-puUXgj925kEhafT3TY7uH27s99N2hrCrG5vj8JJlIL33qBmkBMX-akZ8_KXqFw5of36v-O17Dv8ZeEDaz41zDaaeyp_v7aTEGeFvXdEOneifM_pRboKyvq3pneX\")
<\/p>\n
Fig 6: <\/strong>Global Administrator Privileges<\/p>\nAzure Active Directory Single Sign-on<\/strong><\/h2>\nAzure Active Directory Seamless Single Sign-on (Azure AD Seamless SSO) automatically signs users in when they are on their corporate devices connected to the corporate network. When enabled, users do not need to type in their passwords to sign in to Azure AD or even type in their usernames.<\/p>\n
A machine account (AZUREADSSOACC) is created in the on-premise domain controller in each Active Directory forest that is synchronized with Azure AD.<\/p>\n
A computer account (AZUREADSSOACC) is created in the on-premise Active Directory in each AD forest that you synchronize to Azure AD (using Azure AD Connect).<\/p>\n
<\/h3>\nHow did CSW pentesters discover this issue?<\/strong><\/h2>\nIn one of their real-world engagements, in spite of possessing the plaintext password of a global administrator, CSW pentesters were unable to access the Azure AD Portal as the multifactor authentication (MFA) was enabled for all the global administrators.<\/p>\n
![](\"https:\/\/lh6.googleusercontent.com\/qjVrKTogKFxNTkzQng_TTUTUBUGa3rXWuRtezv3A0rkE1KdHdWmp5o_PqoDIRI6PQKzt4uxqN7e0gkt6xZj2pEQwKlg2HPTccPRNBEcWyNIa0r_RazcSvsyN9EQrwVhfkKdLi_HB\")
\nFig 7:<\/strong> MFA Is Enabled for Global Administrators<\/p>\nUpon further deep-dive enumeration, our team of pentesters found that a user who is part of the internal IT Team but not a global administrator, had certain special permissions over Azure Resources. This user explicitly had AzResetPassword privileges over all the users while having the MFA disabled.<\/p>\n
![](\"https:\/\/lh3.googleusercontent.com\/iuejNQsCKfeWJ-kJtsiqgNEpUUcuqfJELDTRoQyDxL8I5w_vpmnIr_b-O_Op2adpNHjWMYBakbnlLNon3rFwXnMEIRBzsK419h2h5biy-kWhZ0ZQJnHYFZSchlJEEdkhUfwWrP3E\")
\nFig 8:<\/strong> A user (part of the IT Team) who has AzResetPassword privileges over 146 accounts visualized via BloodHound<\/p>\nThis user also had privileges to modify the MFA settings. If our pentesters were to impersonate that user, they would be able to modify the MFA settings and attain global administrator privileges. But CSW pentesters did not have the cleartext password of the user.<\/p>\n
This is when our team found that the organization used Azure Active Directory single sign-on, with which they would be able to impersonate any user without their passwords (while keeping MFA disabled) via forging Kerberos tickets.<\/p>\n
<\/h3>\nHow does this work?<\/strong><\/h2>\n\n- \n
A user tries to access an Azure application (browser-based) from a domain-joined device present in the corporate network.<\/p>\n<\/li>\n
- \n
If the user has not signed in, the user is redirected to the sign-in page of Azure AD, where the user types the username.<\/p>\n<\/li>\n
- \n
Using JavaScript in the background, Azure AD returns a 401 response asking the browser to provide a Kerberos ticket, which is technically termed a Kerberos challenge.<\/p>\n<\/li>\n
- \n
The browser, in turn, requests a ticket from Active Directory for the AZUREADSSOACC$ computer account (which represents Azure AD).<\/p>\n<\/li>\n
- \n
Active Directory locates the computer account and returns a Kerberos ticket to the browser encrypted with the computer account’s secret (NTLM Hash).<\/p>\n<\/li>\n
- \n
The browser forwards the obtained Kerberos ticket to Azure AD, which decrypts it and identifies details such as the identity of the user, user privileges, etc.<\/p>\n<\/li>\n
- \n
After the evaluation, Azure AD returns a token (JWT) with which the user can access the Azure Resources.<\/p>\n<\/li>\n<\/ol>\n
Suppose a pentester has the privileges of a Domain Admin or access to edit properties of the AZUREADSSOACC$ account, in that case, they can impersonate any user in Azure AD using Kerberos (if MFA is not enabled).<\/p>\n
Note: The password of the AZUREADSSOACC$ account never changes unless it is manually modified.<\/p>\n
![](\"https:\/\/lh5.googleusercontent.com\/zKJ4YL3ToCDt-7LHmlA3BQ4M5hwtFJvWSqH01OB5s1y-6wIjpFa_VH1mxrzCl0g4zyCFQg3xZvQsVs9IOBUw53nQSgDK5tBvUYPfRc3jEZolFGqo_WzKFfJSLm8Omb8Pye6arYCF\")
<\/p>\n![](\"https:\/\/lh4.googleusercontent.com\/b1le0kU6num8t1OkGlHlup9YWA79roWugkt7GtZM8EKuWgTUDAdWmvhkZnv0KO_SVOW6b2kDh4B8D8GdpE38tBqofEPJdzEBEgJ5ALKU3-djS0pgPeGh3GFiyFUH9RByp73I1K87\")
![](\"https:\/\/lh4.googleusercontent.com\/RQbB5xcKC7rN0IENEK2dOnXbIsgfLPhydI2WSb-9qcyH02B3LuL6aX8DxLJPV8SezilDYYDR7_osnDKujHe8jIKdRCLAE59bjMu611lG5PIZuQwK8nPQluLABTbfJ_tFpYIaiAT-\")
![](\"https:\/\/lh4.googleusercontent.com\/IRNIY7KH9CPwk2AMN7OrnADKhdGc52y6zcJ5CToGuNp4mDUtt769SSr6WqWRq-WSxV9or7iinS0HCJZO0gQJ7oZNZtqxNu2_KayrI3hpuwKMtEAA5KnNTnObkmNSTFDsyxBvurRY\")
![](\"https:\/\/lh4.googleusercontent.com\/oo7AEfdTMh2QlAjry9vNxRbTvX5zlEqoXFCLtIDTvXpWs8Cx1lKTSeiZs4hRkSBQUWBFT4z-8pP3K2uc4yB2Q0OqE3U_2EiZJkIps79j17eW4zMFLbdOLnKikTjDnDam9crCEFMp\")
![](\"https:\/\/lh5.googleusercontent.com\/n5flEFdtlAMa6VMFya8j01BsaDaS9XPPC7XpOSQhelKccHDmleNKi7YOfm1O2ZgVN-uLzkda4m5Xhxh4DW6JVBoExt4netgyhEH1UsMfoLsOr6EyjnkPO5uApRubAYgKCe1kzR3N\")
![](\"https:\/\/lh5.googleusercontent.com\/J8cjlq8ovrKShBZQC2hzsyeYRKoIgNSQicwe6P-ItB09r1ehOKJYFj438Lqs7YyM8sBsMyXNVgRMFU4cignOib3-6GSPHfRl4M2rbPUii7z33Wtj_NZYSgqB1AAfQAy3y9PIE_xf\")
<\/p>\n