As with all lateral movement techniques, abuse of CTS presumes that privileged credentials inside a tenant have already been compromised. For an attack to work, both the source and target tenants must have Azure AD Premium P1 or P2 licenses, since CTS is only available with those. The attacker must have access to an account with the security administrator role to configure cross-tenant access policies, the hybrid identity administrator role to change the cross-tenant synchronization configuration, or a cloud admin or application admin role to assign new users to an existing CTS configuration. So, depending on the cross-tenant access policies and CTS configuration already present in a tenant, as well as the privileges the attacker has obtained, there are different ways in which this can be abused for lateral movement or persistence.
In Vectra AI's proof-of-concept attack, it is assumed that the tenant already has cross-tenant access policies configured for other tenants. First, the attacker would use the admin command shell to list all tenants with which the current tenant has access policies. Then they would review each of those policies to identify a tenant for which an outbound policy exists. This means the current tenant is configured to sync users into that target tenant.
The next step would be to find the ID of the application running inside the compromised tenant that is responsible for performing the synchronization, so that its configuration can be modified. The Vectra researchers created and published a PowerShell script that automates the entire process.
"There is no simple way to find the CTS sync application linked to the target tenant," the researchers said. "The attacker can enumerate through service principals in the tenant, attempting to validate credentials with the target tenant, to ultimately find the application that hosts the sync job to the target tenant. It can be done through a simple module like this."
After identifying the sync application, the attacker can add the compromised account they already hold credentials for to the sync scope. Alternatively, they can review the application's sync scope, which might, for example, indicate that all users from a particular group are being synchronized into the target tenant; they could then try to directly or indirectly add their compromised user to that group.
In addition to using a compromised tenant as a source for lateral movement, CTS can also be used as a backdoor to maintain persistence in a compromised tenant. For example, the attacker could create an inbound cross-tenant access policy in the victim tenant that allows an external tenant under their control to sync users into it. They could then enable the "automatic user consent" option as well, so the synced user is never prompted for consent.
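The inbound-policy-plus-automatic-consent combination described above is the configuration a defender should be auditing for. The following is an added example, not code from the article or from Vectra's script: a Python check that walks cross-tenant partner configurations in the shape Microsoft Graph returns for crossTenantAccessPolicy partner objects with identitySynchronization expanded (the field names are assumed from that schema) and flags partners that could silently push users into the tenant; the partner data and the approved-tenant list are constructed samples.

```python
"""Audit cross-tenant access partner settings for the CTS backdoor pattern."""
import json

# Tenant IDs the organization has knowingly federated with (constructed sample).
KNOWN_PARTNERS = {"11111111-1111-1111-1111-111111111111"}

# Constructed sample shaped like Graph crossTenantAccessPolicy partner objects,
# with the identitySynchronization relationship expanded (assumed schema).
SAMPLE_PARTNERS = json.loads("""[
  {"tenantId": "11111111-1111-1111-1111-111111111111",
   "automaticUserConsentSettings": {"inboundAllowed": false, "outboundAllowed": true},
   "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": false}}},
  {"tenantId": "22222222-2222-2222-2222-222222222222",
   "automaticUserConsentSettings": {"inboundAllowed": true, "outboundAllowed": false},
   "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}}}
]""")


def audit_partners(partners, known_partners):
    """Return (tenantId, reason) findings for risky inbound CTS settings.

    A partner that is not on the approved list, is allowed to sync users
    inbound, and has automatic inbound consent enabled matches the
    persistence backdoor the article describes and is rated HIGH.
    """
    findings = []
    for partner in partners:
        tid = partner.get("tenantId", "<unknown>")
        consent = partner.get("automaticUserConsentSettings") or {}
        sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
        inbound_sync = bool(sync.get("isSyncAllowed"))
        auto_consent = bool(consent.get("inboundAllowed"))
        unknown = tid not in known_partners
        if unknown:
            findings.append((tid, "partner tenant not in approved list"))
        if inbound_sync:
            findings.append((tid, "inbound user sync allowed: partner can push users in"))
        if auto_consent:
            findings.append((tid, "automatic inbound consent on: synced users never prompted"))
        if unknown and inbound_sync and auto_consent:
            findings.append((tid, "HIGH: unknown tenant with silent inbound sync (CTS backdoor)"))
    return findings


if __name__ == "__main__":
    for tenant_id, reason in audit_partners(SAMPLE_PARTNERS, KNOWN_PARTNERS):
        print(f"{tenant_id}: {reason}")
```

In a live tenant the same function can be fed the output of the Graph partner listing with identitySynchronization expanded; the approved list should come from the organization's own records of sanctioned federations.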