Entra Connect Attacker Tradecraft Explored by SpecterOps Team

🔄 Understanding Entra Connect Attacker Tradecraft: Exploiting User Credentials Across Domains. The article examines the mechanics of the Entra sync engine, focusing on how an attacker can use a compromised sync account in one domain to manipulate user credentials in another domain within the same Entra tenant. It outlines the provisioning rules, join rules, and transformations that govern how user objects are created and linked in the metaverse. The author provides a step-by-step walkthrough of the attack process, emphasizing the importance of identifying partially synced users and the implications of cloud filtering. The article also highlights the need for proper detection and prevention measures to safeguard against such attacks, particularly for users inheriting permissions from the Users OU.
