In most Active Directory post-exploitation scenarios, red teamers looking for lateral movement first turn to the Local Security Authority Subsystem Service (LSASS) process. Because LSASS is so heavily monitored, however, any competent Endpoint Detection and Response (EDR) product will detect and flag credential access against it.
In this presentation, we look at alternative methods for moving through Microsoft Azure Active Directory (now Entra ID) based environments and reaching our objectives with far less noise. We discuss hunting for authentication tokens in memory and on disk belonging to Microsoft 365 applications, and how those tokens can be abused. We also examine Chromium-based applications built on WebView technology, how they are constructed, and where in their design secrets can be exposed.
We cover lateral movement within cloud environments, the use of long-lived Single Sign-On (SSO) tokens, Conditional Access policies, and other Entra ID specific features that can make your next threat emulation exercise much harder for defenders to detect.
Finally, we give defenders practical guidance on monitoring for these techniques and suggest further defense-in-depth measures. Join us to sharpen your understanding of both the offensive and defensive sides of this evolving landscape.