Recent techniques for lateral movement within Active Directory have emerged that circumvent authentication measures and enable data exfiltration.
At Black Hat USA 2025, Dirk-Jan Mollema unveiled sophisticated attack vectors that exploit hybrid Active Directory and Microsoft Entra ID environments, revealing how attackers can achieve complete tenant compromise through previously unknown lateral movement techniques. These methods expose critical vulnerabilities in Microsoft’s authentication infrastructure, allowing unauthorized access to Exchange Online, SharePoint, and Entra ID without traditional authentication barriers. One key technique involves injecting backdoor keys into the OnPremAuthenticationFlowPolicy, enabling attackers to forge Kerberos tickets and bypass multi-factor authentication undetected. By adding custom symmetric keys with identifiers like 13371337-ab99-4d21-9c03-ed4789511d01 into the policy’s KeysInformation array, threat actors can generate RC4-encrypted Kerberos tickets for any domain user, making detection extremely challenging due to the lack of visibility in Microsoft’s audit logs.
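Because the talk stresses that injected policy keys leave little trace in the audit logs, one practical defender control is to snapshot the policy's KeysInformation array and diff it against a known-good baseline. The script below is an added illustration, not code from the presentation or from Microsoft; the JSON shape of the key records, the baseline key identifier and the timestamps are all constructed assumptions.

```python
"""Baseline diff for OnPremAuthenticationFlowPolicy key material.

Defender-side check: compare a freshly exported policy against a stored
known-good snapshot and alert on any key that was added, removed or altered.
The record layout (Id / Type / CreatedDateTime) is an assumed, constructed
shape for illustration, not Microsoft's documented schema.
"""
from typing import Dict, List

# Constructed known-good snapshot taken when the policy was last reviewed.
BASELINE_POLICY = {
    "KeysInformation": [
        {"Id": "aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaaa", "Type": "Symmetric",
         "CreatedDateTime": "2025-01-10T08:00:00Z"},
    ]
}

# Constructed current export; the second entry reuses the identifier quoted
# in the article to show what an injected backdoor key would look like.
CURRENT_POLICY = {
    "KeysInformation": [
        {"Id": "aaaaaaaa-1111-4aaa-8aaa-aaaaaaaaaaaa", "Type": "Symmetric",
         "CreatedDateTime": "2025-01-10T08:00:00Z"},
        {"Id": "13371337-ab99-4d21-9c03-ed4789511d01", "Type": "Symmetric",
         "CreatedDateTime": "2025-08-01T03:12:00Z"},
    ]
}


def key_index(policy: dict) -> Dict[str, dict]:
    """Map each key identifier (case-folded) to its full record."""
    return {k["Id"].lower(): k for k in policy.get("KeysInformation", [])}


def diff_keys(baseline: dict, current: dict) -> Dict[str, List[str]]:
    """Return identifiers added, removed or changed relative to the baseline."""
    base, cur = key_index(baseline), key_index(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(k for k in set(base) & set(cur) if base[k] != cur[k])
    return {"added": added, "removed": removed, "changed": changed}


def findings(baseline: dict, current: dict) -> List[str]:
    """Human-readable alerts; any drift from the baseline is reportable."""
    d, cur = diff_keys(baseline, current), key_index(current)
    out = [f"ALERT added key {k} ({cur[k].get('Type')}) created "
           f"{cur[k].get('CreatedDateTime')}" for k in d["added"]]
    out += [f"ALERT removed key {k}" for k in d["removed"]]
    out += [f"ALERT modified key {k}" for k in d["changed"]]
    return out


if __name__ == "__main__":
    for line in findings(BASELINE_POLICY, CURRENT_POLICY):
        print(line)
```

Run it on a scheduled basis against a fresh export and page on any non-empty result; the baseline should be refreshed only through a reviewed change process.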
Another devastating attack vector exploits Exchange hybrid deployments through certificate-based authentication abuse. Attackers can extract Exchange hybrid certificates from on-premises servers using tools like ADSyncCertDump.exe, allowing them to request Service-to-Service (S2S) actor tokens from Microsoft’s Access Control Service (ACS). These unsigned bearer tokens, which contain the service principal identifier 00000002-0000-0ff1-ce00-000000000000, provide unrestricted access to Exchange Online and SharePoint without user context validation. The S2S tokens exploit the trustedfordelegation property, enabling attackers to impersonate any user within the tenant for 24-hour periods. Critically, these tokens generate no audit logs during issuance or usage, operate without Conditional Access policy enforcement, and remain non-revocable once issued, effectively granting Global Administrator privileges across the entire Microsoft 365 environment.