Asia-24-Chudo-Bypassing-Entra-ID-Conditional-Access-Like-APT.pdf

1、#BHASIA BlackHatEventsBypassing Bypassing EntraEntra ID Conditional Access Like APTID Conditional Access Like APTA Deep Dive Into Device Authentication Mechanisms for Building Your Own PRT Cookie Speaker:Yuya ChudoContributor:Takayuki Hatakeyama#BHASIA BlackHatEventsWhoamiYuya ChudoSenior Advisor Se

2、cureworks Japan K.KProvides red teaming service for enterprises mainly in Japan#BHASIA BlackHatEventsAgendaIntroductionMicrosoft Entra ID Device Authentication Mechanism Device Authentication Internals and AbuseDemoMitigationConclusion#BHASIA BlackHatEventsIntroductionIntroduction#BHASIA BlackHatEve

3、ntsSpear-phished&Compromised Active DirectoryDumped credentials with Dumped credentials with Domain Admin privilegeDomain Admin privilegeAttacker(me)Corporate DeviceActive Directory#BHASIA BlackHatEventsPivoting to the Cloud Cracked Passwordaadadmin/qwerty1234AttackerMicrosoft Entra ID#BHASIA BlackH

4、atEventsBlocked by Entra ID Conditional Access#BHASIA BlackHatEventsConditional Access in Microsoft Entra ID“brings signals together,to make decisions,and“brings signals together,to make decisions,and enforce organizational policies.”enforce organizational policies.”User/GroupDeviceApplicationNetwor

5、k#BHASIA BlackHatEventsRequires Corporate Device for AccessDevice based Conditional Access PolicyRequire Microsoft Entrahybrid joined deviceMarked as compliant#BHASIA BlackHatEventsBlocked by Entra ID Conditional AccessHow Can We Bypass Device-BasedConditional Access Policy?#BHASIA BlackHatEventsGoa

6、lBypass device-based Condtional Access policy and gain access as any user with their credentials#BHASIA BlackHatEventsMicrosoft Entra ID Microsoft Entra ID DeviceDevice AuthenticationAuthentication MechanismMechanism#BHASIA BlackHatEventsDevice Registration#1 Device key and Transport key are generat