Attack technique
Technique name: Azure Password Hash Sync Abuse (on-prem to cloud lateral movement)
MITRE ATT&CK
• Tactic: Lateral Movement
• Technique: Use Alternate Authentication Material
Technique description
Azure AD can serve as the identity provider for pure-cloud infrastructures as well as for hybrid environments.
Azure AD Password Hash Synchronization (PHS) is one of the Azure AD hybrid identity methods; it synchronizes on-prem AD objects to Azure AD objects.
When PHS is in use, Azure AD Connect synchronizes a re-hashed form of each account's on-prem Active Directory password hash (never the cleartext password) to Azure AD.
Several accounts are required for the synchronization to work; one of them is the "Azure AD Connect Account" (the sync account).
This is an Azure AD user account whose UPN (User Principal Name) follows the format Sync_<server name>_<random string>@<tenant>.onmicrosoft.com.
This account holds a dedicated directory role, "Directory Synchronization Accounts", which lets it write synced objects and password hashes into the tenant.
Abuse of the Azure PHS infrastructure can lead to different outcomes, including lateral movement from on-premises AD to Azure AD. An attacker can abuse the components of the PHS infrastructure to move between these two parts of the organizational infrastructure in several ways, including:
- Azure AD Connect sync account abuse (credential theft): abuse of credentials extracted from the Azure AD Connect server to conduct unwanted activities in the tenant.
- Azure AD soft-match abuse: abuse of the soft-match functionality to overwrite the password of an Azure AD user account and gain unauthorized access.
Insights from threat intelligence
In recent years, different attacks have abused the synchronization between on-premises infrastructure and Azure AD. In addition, several attack tools that automate such activity have been published, which makes it much easier for a potential attacker to abuse this kind of environment.
An example of on-prem to cloud (Azure AD) lateral movement used by real actors is described in an article published by Microsoft Threat Intelligence on the operations of a nation-state actor tracked as "MERCURY", linked to the Iranian government. According to that report, "MERCURY" worked with "DEV-1084", and their techniques included lateral movement from on-premises to the cloud using the publicly available tool "AADInternals", which was used to extract credentials from the Azure AD Connect server.
References
On-Prem AD to Azure AD by MERCURY
PHS Soft-Matching Abuse
Threat hunting theses breakdown
Thesis 1: Suspicious sign-ins by Azure AD Connect Sync account
Relevant data sources
- Azure Sign-in Logs
Thesis explanation
A threat actor who gains unauthorized administrative access to the Azure AD Connect server can use it to extract the credentials of the sensitive accounts that support on-prem to cloud synchronization. One of them is an Azure AD user account whose UPN follows the format Sync_<server name>_<random string>@<tenant>.onmicrosoft.com.
In this thesis, we look for sign-in events by "Sync_" Azure AD accounts whose "App Display Name" attribute is non-standard, to identify sign-ins that do not align with the known characteristics of the legitimate sync account. Under normal conditions the sync account signs in only from the Azure AD Connect server, through the Azure AD Connect application; a sign-in from another client application (for example a PowerShell module or a browser) or from an unfamiliar IP is a strong indicator that its credentials were extracted and reused.
This method proved to be a good way to identify abnormal usage of the sync account.
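The thesis 1 logic expressed as runnable detection code, as an added example (not Hunters' query and not code from the page). It builds a per-account baseline of app display names and source IPs from a known-good window of sign-ins, then flags recent Sync_ sign-ins that fall outside it. The sign-in records, the IP addresses and the app display names are constructed; field names follow the Microsoft Graph signIn schema (userPrincipalName, appDisplayName, ipAddress, createdDateTime) and would need mapping to Log Analytics column names (UserPrincipalName, AppDisplayName, IPAddress) in Sentinel. Learning the baseline from history rather than using a fixed allow-list is a design choice of this example.

```python
"""Thesis 1 hunt: Sync_ account sign-ins outside a known-good baseline.
Added example; the sign-in records below are constructed, not real tenant data."""
import re
from collections import defaultdict

# Azure AD Connect names its sync account Sync_<server>_<random>@<tenant>.onmicrosoft.com
SYNC_UPN_RE = re.compile(r"^sync_[^@]+@[^@]+$", re.IGNORECASE)

SYNC_UPN = "Sync_ADC01_1a2b3c@contoso.onmicrosoft.com"  # constructed
ADC_APP = "Microsoft Azure Active Directory Connect"     # assumed app display name of the legitimate client


def _signin(ts, upn, app, ip):
    return {"createdDateTime": ts, "userPrincipalName": upn, "appDisplayName": app, "ipAddress": ip}


# Known-good window (e.g. the previous 30 days): the sync account signs in from the
# Azure AD Connect server only, through the Azure AD Connect application.
BASELINE_SIGNINS = [
    _signin("2023-04-01T00:30:00Z", SYNC_UPN, ADC_APP, "203.0.113.10"),
    _signin("2023-04-01T01:00:00Z", SYNC_UPN, ADC_APP, "203.0.113.10"),
    _signin("2023-04-02T01:00:00Z", SYNC_UPN, ADC_APP, "203.0.113.10"),
]

# Window under investigation (constructed).
RECENT_SIGNINS = [
    _signin("2023-04-10T02:00:00Z", SYNC_UPN, ADC_APP, "203.0.113.10"),                              # normal
    _signin("2023-04-10T02:15:00Z", SYNC_UPN, "Azure Active Directory PowerShell", "198.51.100.77"),  # new app + new IP
    _signin("2023-04-10T02:20:00Z", "alice@contoso.com", "Azure Active Directory PowerShell", "198.51.100.77"),
    _signin("2023-04-10T03:00:00Z", SYNC_UPN, ADC_APP, "198.51.100.77"),                             # new IP only
    _signin("2023-04-10T03:05:00Z", "Sync_ADC02_9f8e7d@contoso.onmicrosoft.com", ADC_APP, "203.0.113.11"),  # unknown sync account
]


def is_sync_account(upn):
    return bool(SYNC_UPN_RE.match(upn or ""))


def build_baseline(records):
    """Per sync account (lower-cased UPN): the set of app display names and source IPs seen."""
    profile = defaultdict(lambda: {"apps": set(), "ips": set()})
    for r in records:
        if is_sync_account(r.get("userPrincipalName")):
            p = profile[r["userPrincipalName"].lower()]
            p["apps"].add(r.get("appDisplayName"))
            p["ips"].add(r.get("ipAddress"))
    return profile


def hunt_sync_signins(recent, baseline):
    """Return one finding per Sync_ sign-in that deviates from the baseline, with the reasons."""
    findings = []
    for r in recent:
        upn = r.get("userPrincipalName") or ""
        if not is_sync_account(upn):
            continue
        known = baseline.get(upn.lower())  # .get() does not create a default entry
        reasons = []
        if known is None:
            reasons.append("sync account absent from baseline (new Azure AD Connect server, or a rogue account?)")
        else:
            if r.get("appDisplayName") not in known["apps"]:
                reasons.append(f"unseen app display name: {r.get('appDisplayName')}")
            if r.get("ipAddress") not in known["ips"]:
                reasons.append(f"unseen source IP: {r.get('ipAddress')}")
        if reasons:
            findings.append({"time": r.get("createdDateTime"), "upn": upn,
                             "app": r.get("appDisplayName"), "ip": r.get("ipAddress"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_sync_signins(RECENT_SIGNINS, build_baseline(BASELINE_SIGNINS)):
        print(f["time"], f["upn"], "->", "; ".join(f["reasons"]))
```

On the constructed data this yields three findings: the PowerShell sign-in (new app and new IP), the Azure AD Connect sign-in from an unfamiliar IP, and a sync account that never appeared in the baseline. The app display name check alone already catches reuse of the sync credential from a client other than Azure AD Connect; the IP check adds the "is this a known organizational IP" question from the investigation flow.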
Recommended investigation flow
- Check the source IP address from which the abnormal sign-ins were conducted:
- Is this IP a known organizational IP (for example the egress address of the Azure AD Connect server)?
- If not, what can you tell about this IP? (geolocation, ASN, other logs related to this IP, etc.)
- Look for suspicious operations initiated by the sync account after the suspicious sign-in:
- Are you aware of this kind of activity being conducted by organizational personnel using this account?
- Were any highly suspicious operations conducted by this account, such as:
- Update Service Principal
- Add Service Principal Credentials
- Add Owner to Service Principal
- Add delegated permission grant
- Look for suspicious events that occurred on the Azure AD Connect server prior to the sign-in activity; use EDR logs & Windows Event Logs to identify:
- Suspicious sign-ins
- Suspicious executions
- Suspicious file creations
- Lateral movement toward the Azure AD Connect server
Thesis 2: PHS soft-matching abuse - malicious password sync
Relevant data sources
- Azure Audit Logs
Thesis explanation
During the initial Azure AD Connect setup, a "Source Anchor" attribute is chosen (by default ms-DS-ConsistencyGuid, populated from the on-prem objectGUID). This attribute uniquely identifies a user object across AD and Azure AD and is stored on the cloud object as its ImmutableId. When an on-prem object in the sync scope has no cloud counterpart carrying its anchor, Azure AD Connect tries to match it to an existing Azure AD object using one of two techniques: hard matching (on the Source Anchor / ImmutableId) and soft (SMTP) matching (on the primary SMTP address in proxyAddresses, and on the UPN where UPN soft match is enabled).
Assume an Azure AD user that is not synced from on-prem AD (a cloud-only account, possibly a privileged one). An attacker with sufficient on-prem rights creates an on-prem user in the sync scope with the same proxy address and UPN, the attributes soft matching is based on. On the next sync cycle, Azure AD Connect soft-matches the two objects, stamps the cloud user with the new Source Anchor, and PHS overwrites the cloud user's password with the attacker-chosen on-prem password. In that way the attacker laterally moves (and potentially escalates privileges) from on-prem access to cloud access.
In this thesis, we look for Azure Audit logs with the operation type "Update User" and the following conditions:
- "Source Anchor" is included in the modified properties.
- The new value of "Source Anchor" is not empty.
- The old value of "Source Anchor" is empty. A non-empty old value means the user was already synced to an on-prem user, whereas an empty old value followed by a non-empty new value implies that a soft match just occurred.
- The UPN of the user who initiated the change is "Sync_*". This account is created automatically during Azure AD Connect installation (PHS is the default sign-in method), holds the special Directory Synchronization Accounts role, and is used to write information to Azure AD as part of the sync tasks.
Together, these characteristics indicate potential abuse of the soft-match mechanism to force the password of an attacker-chosen on-prem user account onto an existing Azure AD user account. Hybrid tenants also produce such events legitimately when cloud-only users are intentionally matched to newly created on-prem accounts; the investigation flow below is what separates the two cases.
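The four conditions above expressed as runnable detection logic over audit events, as an added example (not Hunters' query and not code from the page). The audit records are constructed; field names follow the Microsoft Graph directoryAudit schema (operationName, initiatedBy.user.userPrincipalName, targetResources[].modifiedProperties[] with displayName/oldValue/newValue, where old and new values arrive as JSON-encoded strings such as "[]"). The example also base64-decodes the new Source Anchor into the on-prem objectGUID, on the assumption that the tenant uses the default objectGUID-based anchor (ms-DS-ConsistencyGuid); that decoded GUID is what lets a finding be tied to the on-prem account creation and modification events in the investigation flow.

```python
"""Thesis 2 hunt: soft-match password overwrite indicators in Azure AD audit logs.
Added example; the audit records below are constructed, not real tenant data."""
import base64
import json
import uuid

SYNC_PREFIX = "sync_"  # Azure AD Connect sync account UPNs start with Sync_

# Constructed on-prem objectGUID of the attacker-created AD user. Azure AD Connect writes
# its raw bytes, base64-encoded, into the cloud user's SourceAnchor (ImmutableId).
SAMPLE_GUID = uuid.UUID("7f1c2e3d-4b5a-4c6d-8e9f-0a1b2c3d4e5f")
SAMPLE_ANCHOR = base64.b64encode(SAMPLE_GUID.bytes_le).decode()

SYNC_UPN = "Sync_ADC01_1a2b3c@contoso.onmicrosoft.com"  # constructed

SAMPLE_AUDIT = [
    # 1) cloud-only user bob receives a SourceAnchor where there was none, written by Sync_: soft match
    {"activityDateTime": "2023-04-10T03:20:00Z", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": SYNC_UPN}},
     "targetResources": [{"userPrincipalName": "bob@contoso.com", "modifiedProperties": [
         {"displayName": "SourceAnchor", "oldValue": "[]", "newValue": json.dumps([SAMPLE_ANCHOR])},
         {"displayName": "LastDirSyncTime", "oldValue": "[]", "newValue": "[\"2023-04-10T03:20:00Z\"]"}]}]},
    # 2) routine sync of an already-synced user: old anchor non-empty, not a soft match
    {"activityDateTime": "2023-04-10T03:20:01Z", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": SYNC_UPN}},
     "targetResources": [{"userPrincipalName": "carol@contoso.com", "modifiedProperties": [
         {"displayName": "SourceAnchor", "oldValue": "[\"AAECAwQFBgcICQoLDA0ODw==\"]",
          "newValue": "[\"AAECAwQFBgcICQoLDA0ODw==\"]"}]}]},
    # 3) an administrator setting ImmutableId by hand: different initiator, outside this thesis
    {"activityDateTime": "2023-04-10T04:00:00Z", "operationName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.com"}},
     "targetResources": [{"userPrincipalName": "dave@contoso.com", "modifiedProperties": [
         {"displayName": "SourceAnchor", "oldValue": "[]", "newValue": "[\"EBESExQVFhcYGRobHB0eHw==\"]"}]}]},
    # 4) brand-new synced user provisioned by Sync_: "Add user", not an update of an existing object
    {"activityDateTime": "2023-04-10T04:10:00Z", "operationName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": SYNC_UPN}},
     "targetResources": [{"userPrincipalName": "erin@contoso.com", "modifiedProperties": [
         {"displayName": "SourceAnchor", "oldValue": "[]", "newValue": "[\"ICEiIyQlJicoKSorLC0uLw==\"]"}]}]},
]


def _values(raw):
    """oldValue/newValue are JSON-encoded strings ('[]', '["x"]') or null; normalise to a list."""
    if raw in (None, ""):
        return []
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return [raw]
    if parsed in (None, ""):
        return []
    return parsed if isinstance(parsed, list) else [parsed]


def anchor_to_guid(anchor_b64):
    """Decode a SourceAnchor to the on-prem objectGUID string; None if it is not a 16-byte GUID."""
    try:
        raw = base64.b64decode(anchor_b64, validate=True)
    except (TypeError, ValueError):
        return None
    return str(uuid.UUID(bytes_le=raw)) if len(raw) == 16 else None


def _initiator(event):
    return ((event.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName") or ""


def hunt_soft_match(events):
    """One finding per target user whose SourceAnchor went from empty to set by a Sync_ account."""
    findings = []
    for ev in events:
        if (ev.get("operationName") or "").lower() != "update user":
            continue
        initiator = _initiator(ev)
        if not initiator.lower().startswith(SYNC_PREFIX):
            continue
        for target in ev.get("targetResources") or []:
            for prop in target.get("modifiedProperties") or []:
                if prop.get("displayName") != "SourceAnchor":
                    continue
                old, new = _values(prop.get("oldValue")), _values(prop.get("newValue"))
                if old or not new:
                    continue  # already synced before, or the anchor is being cleared
                findings.append({
                    "time": ev.get("activityDateTime"),
                    "initiator": initiator,
                    "target_upn": target.get("userPrincipalName"),
                    "source_anchor": new[0],
                    "onprem_guid": anchor_to_guid(new[0]),  # compare with objectGUID in on-prem 4720/4738
                })
    return findings


if __name__ == "__main__":
    for f in hunt_soft_match(SAMPLE_AUDIT):
        print(f)
```

Only record 1 produces a finding; records 2 to 4 are the legitimate look-alikes that each of the four conditions is meant to exclude. The decoded onprem_guid is the pivot for the on-prem part of the investigation: the account whose objectGUID it names is the one the attacker created or modified.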
Recommended investigation flow
- Identify the "synced" user account (i.e. the Azure AD user account whose password was changed).
- Examine the activities related to this "synced" user account:
- Look for related logs in the different Azure log sources, including Azure Sign-in logs, Azure Audit logs and Azure Activity logs.
- From which IPs did the related activities originate (geolocation, ASN, other logs related to those IPs, etc.)?
- Have those IPs been used by this user account before?
- What types of activity were conducted by this user account after the password synchronization?
- Creation of new user accounts
- Creation of new Azure resources
- Export of resources
- Add/remove permissions
- Etc.
- Identify the reason behind the suspicious synchronization (soft sync):
- To understand who initiated the synchronization at the on-prem AD level, look at the security event log of the domain controllers:
- Event ID 4720 - "A user account was created": the creation of the on-prem account that was soft-matched, and the account that created it.
- Event ID 4738 - "A user account was changed": changes to the UPN that made an existing account match the cloud user (proxyAddresses changes appear in Directory Service Changes event 5136 when that auditing is enabled).
- The objectGUID of the created or modified on-prem account should correspond to the base64-decoded new Source Anchor value from the Azure audit event.
- After identifying the reason/initiator of the suspicious synchronization, check the activities conducted by the account that originated it:
- Is this account regularly used for such synchronization-related changes?
- Were any other suspicious activities conducted by this account (before/after the modification/creation of the on-prem user account)?
- Relevant log sources should mainly be EDR logs and Windows Event logs.
Hunting queries
https://gist.github.com/axon-git/73a987a45b1ee2eaac60788455c0fab7
Recommended mitigations
- To get comprehensive visibility of Azure Sign-ins it is highly recommended to ingest all of the following Azure Sign-in categories to Hunters:
- SignInLogs
- NonInteractiveUserSignInLogs
- ServicePrincipalSignInLogs
- ManagedIdentitySignInLogs
- Ingest Azure Audit Logs
- Enable and configure Conditional Access Policies to reduce the risk of unwanted access using stolen credentials of Azure AD User.
- It is highly recommended to have an EDR in place on organizational Azure AD Connect Servers.
- Limit network access to the Azure AD Connect servers so that only required access is allowed (e.g. from specific servers, from specific IP addresses, over specific ports, etc.).
- Harden the Azure AD Connect server. Microsoft's guidance includes:
- Limit administrative access to Azure AD Connect servers to domain administrators only (treat the server as a Tier 0 asset, like a domain controller).
- Deny the use of NTLM authentication with the Azure AD Connect server.
- Enable Multi-Factor Authentication (MFA) for all users that have privileged access in Azure AD or in AD.
- Disable soft matching on the tenant (the BlockSoftMatch directory synchronization feature) as long as it is not absolutely required for business needs.
- Disable hard match takeover (the BlockCloudObjectTakeoverThroughHardMatch directory synchronization feature) as long as it is not absolutely required for business needs.
- Use Hunters' Asset tagging feature to configure Azure AD Connect Servers as sensitive assets.
- For additional recommendations for Azure AD Connect server and services, you can use Microsoft's documentation: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#harden-your-azure-ad-connect-server
Hunters content
- Suspicious Sign-ins by Azure AD Connect Sync Account
- Soft Match Sync to gain Access to Azure