We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
AAD Joined Machines - The New Lateral Movement
Discover the new lateral movement method using Azure AD joined machines and P2P certificates, exploring PKINIT, NegoX, GSS API, PLT, and HTTP protocols to authenticate to SMB and Azure AD resources without a KDC.
- Azure AD joined machines can be used for lateral movement via P2P certificates.
- P2P certificates can be used to authenticate to other Azure AD joined devices without the need for a KDC.
- The Kerberos pkinit protocol can be used to authenticate to SMB resources.
- The NegoX protocol can be used to authenticate to Azure AD resources without the use of a KDC.
- The NegoX protocol has three main stages: metadata generation, Kerberos request, and verify message.
- The verify message contains a checksum over the previous messages and is used to verify the authenticity of the communication.
- The attacker can use the GSS API to provide an interface for Negra X and can use the KDC to obtain a ticket.
- The attacker can use the PLT to obtain a ticket and can use the TGT to obtain a TGS ticket.
- The attacker can use the Kerberos protocol to authenticate to SMB resources.
- The attacker can use the HTTP protocol to authenticate to Azure AD resources.
- The attacker can use the Azure AD authentication package to authenticate to Azure AD resources.
- The Azure AD authentication package provides a network standard for authentication and can be used to authenticate to Azure AD resources.
- The attacker can use the NegoX protocol to authenticate to Azure AD resources without the use of a KDC.
- The NegoX protocol has three main stages: metadata generation, Kerberos request, and verify message.