One Article Review

Source: Mandiant
Identifier: 8607043
Publication date: 2024-11-06 05:00:00 (viewed: 2024-11-06 16:06:15)
Title: (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments
Text: Written by: Thibault Van Geluwe de Berlaere, Karl Madden, Corné de Jong
The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer's on-premises environment to their Microsoft Entra ID tenant and obtained privileges to compromise existing Entra ID service principals installed in the tenant.

In this blog post, we will show a novel way of how adversaries can move laterally and elevate privileges within Microsoft Entra ID when organizations use a popular security architecture involving Intune-managed Privileged Access Workstations (PAWs) by abusing Intune permissions (DeviceManagementConfiguration.ReadWrite.All) granted to Entra ID service principals. We also provide remediation steps and recommendations to prevent and detect this type of attack.

Pretext

The customer had a mature security architecture following Microsoft's recommended Enterprise Access model, including:

- An on-premises environment using Active Directory, following the Tiered Model.
- An Entra ID environment, synced to the on-premises environment using Microsoft Entra Connect Sync to synchronize on-premises identities and groups to Entra ID. This environment was administered using PAWs, which were not joined to the on-premises Active Directory environment, but instead were fully cloud-native and managed by Intune Mobile Device Management (MDM). IT administrators used a dedicated, cloud-native (non-synced) administrative account to log in to these systems. Entra ID role assignments (Global Administrator, Privileged Role Administrator, etc.) were exclusively assigned to these cloud-native administrative accounts.
The separation of administrative accounts, devices and privileges between the on-premises environment and the Entra ID environment provided a strong security boundary: Using separate, cloud-native identities for Entra ID privileged roles ensures a compromise of the on-premises Active Directory cannot be used to compromise the Entra ID environment. This is a Microsoft best practice. Using separate physical workstations for administrative access to on-premises resources and cloud resources effectivel
Notes: ★★★
Sent: Yes
Condensate: #microsoft
Tags: Threat Mobile Cloud
Stories: Move


The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up in a previous one.