In ransomware attacks, attackers excel in the lateral movement phase. They are very familiar with the internal workings of Active Directory and can quickly escalate from a regular user to domain administrator privileges (access to the entire network).
However, Entra ID works differently. Similar ransomware attacks do not occur here (or at least, it is not known to me), and even the techniques for lateral movement will have to be different (Entra ID operates internally differently). And as I often say, to know how to defend, I must first understand how attackers attack.
During the summer holidays, I immersed myself in study materials and put together a series of internal trainings. It consists of 3 parts (almost 6 hours of video):
- Entra ID: Attack Surface
- Entra ID: Lateral Movement and Persistence (this article)
- Entra ID: Defense
Microsoft Entra ID – Lateral Movement & Persistence
In the previous part, I initially explained how Entra ID (AAD: Azure Active Directory) differs from Active Directory and why it is necessary to start focusing on Entra ID. Then we discussed the possible ways to gain an initial foothold into the Entra ID/O365 environment.
In this part, we will continue with:
- The Purpose of the Attack: This should have been the start of the whole series, but I forgot.🤷♂️ Why attackers carry out attacks and how knowing their goal helps us in defense.
- Lateral Movement/Privilege Escalation: How attackers gain access to additional data, devices, and higher user privileges.
- Persistence: How attackers maintain access to the compromised environment for as long as possible despite administrators’ attempts to remove them.
As always, I hope you will find the training enjoyable and that it will bring you new information, knowledge, or perspective (slides).
May your networks stay secure,
Martin