Entra Connect servers #10

@chryzsh

I'd like to discuss including Entra Connect servers as tier 0 assets. Again, it's a question of known abuse paths and whether the default configuration allows them.

This article claims:
"... if an organization uses Password Hash Synchronization, Entra connect has the privileges to perform a DCSync, which allows it to sync all attributes (including password hashes) from domain controllers. This means that the account that Entra uses in the on-prem AD is Domain Admin equivalent (which is why the system AD Connect is installed on should be treated as Tier 0). " - but this is from 2019 and a lot has changed since then.

Another highly regarded source recommends treating them as tier 0 assets. So does Microsoft itself.

Here is a fairly recent PoC to GA (Tier 0) in Azure

There is another abuse path here for going to Tier 0 (Global Admin) in Azure with the sync account, assuming there is a vulnerable security principal to hijack.

What do you think?
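The claim above rests on the connector account holding directory replication rights. The following PowerShell is an added example, not code from this issue or from the project, that lists every principal granted the replication extended rights on the domain naming context, so an admin can check which accounts (the `MSOL_*` sync account among them, if Password Hash Synchronization is enabled) must be treated as Tier 0. It assumes the ActiveDirectory RSAT module and a domain-joined session; the three GUIDs are the well-known control access rights for directory replication.

```powershell
# Added example: audit who holds the DCSync-equivalent replication rights
# on the domain root. Assumes the ActiveDirectory module (RSAT) is present.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for directory replication.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $replicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Right     = $replicationRights[$_.ObjectType.ToString()]
            Inherited = $_.IsInherited
            # Flag the Entra Connect sync account so it stands out in the report.
            IsSyncAccount = $_.IdentityReference.Value -match '\\MSOL_'
        }
    } |
    Sort-Object Identity, Right

$holders | Format-Table -AutoSize

# Anything outside the built-in DC / Administrators groups deserves a Tier 0 review.
$unexpected = $holders | Where-Object {
    $_.Identity -notmatch 'Domain Controllers|Enterprise Domain Controllers|Administrators|Enterprise Read-only Domain Controllers'
}
if ($unexpected) {
    Write-Warning ("Non-default principals hold replication rights: " +
        (($unexpected.Identity | Select-Object -Unique) -join ', '))
}
```

The filter only matches explicit extended-right ACEs; a principal granted GenericAll on the domain object also holds these rights implicitly and would need a separate check. Holding `DS-Replication-Get-Changes-All` is the right that returns secret attributes, so that row in particular marks an account (and the host it runs on) as Tier 0.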
