
Azure Active Directory brute force attack

2022-06-23 08:14:00 Khan security team

Azure AD Seamless Single Sign-On

Azure AD Seamless Single Sign-On (SSO) improves the user experience of services that use the Azure AD identity platform (for example, Microsoft 365). Once seamless SSO is configured, users who sign in to their domain-joined computers are automatically signed in to Azure AD.

Seamless SSO uses the Kerberos protocol, the standard authentication method on Windows networks. During seamless SSO configuration, a computer object named AZUREADSSOACC is created in the on-premises Active Directory (AD) and assigned the service principal name (SPN) https://autologon.microsoftazuread-sso.com. The name and the password hash of the AZUREADSSOACC computer object are sent to Azure AD. The following Autologon windowstransport endpoint accepts Kerberos tickets:

https://autologon.microsoftazuread-sso.com/winauth/trust/2005/windowstransport

Seamless SSO is automatic and requires no user interaction (see Figure 1).

Typical seamless SSO flow
  1. The user tries to access Azure AD.
  2. Azure AD identifies that the user's tenant is configured for seamless SSO and redirects the user's browser to Autologon.
  3. The user's browser tries to access Autologon.
  4. Autologon sends a Kerberos authentication challenge.
  5. The user's browser attempts to authenticate as the logged-in user and requests a ticket-granting ticket (TGT).
  6. The on-premises AD sends the TGT to the user's browser.
  7. The user's browser requests a service ticket for Autologon from the on-premises AD, presenting the TGT as proof of identity.
  8. The on-premises AD locates the matching computer object and creates a service ticket (ST) encrypted with the password hash of the AZUREADSSOACC computer account.
  9. The user's browser sends another request to Autologon, providing the ST in the Authorization header.
  10. Autologon decrypts the ST with the password hash of the AZUREADSSOACC computer account, issues a DesktopSSOToken access token to the user, and sends this token to the user's browser through a redirect to Azure AD. The DesktopSSOToken is an opaque blob encrypted by Microsoft, so its actual content is unknown.
  11. The user's browser uses the DesktopSSOToken as a Security Assertion Markup Language (SAML) assertion to make another request to Azure AD.
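Because the AZUREADSSOACC password hash is the secret that Autologon uses to decrypt service tickets, a defender will want to know that the object exists, carries the expected SPN, and how old that secret is. The following PowerShell check is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module on a domain-joined host, and the 30-day threshold is an assumed local policy value.

```powershell
# Added example (not from the original post): audit the AZUREADSSOACC computer
# object that Seamless SSO creates in on-premises AD.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

$expectedSpn = 'https://autologon.microsoftazuread-sso.com'
$maxAgeDays  = 30   # assumption: your own rotation policy threshold

$acc = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" `
        -Properties ServicePrincipalName, PasswordLastSet, Enabled

if (-not $acc) {
    Write-Output 'AZUREADSSOACC not found: Seamless SSO is not configured in this forest.'
    return
}

# Does the object carry the SPN that Autologon's Kerberos challenge targets?
$hasSpn  = $acc.ServicePrincipalName -contains $expectedSpn
# Age of the password whose hash was shared with Azure AD at setup time.
$ageDays = (New-TimeSpan -Start $acc.PasswordLastSet -End (Get-Date)).Days

[pscustomobject]@{
    Name            = $acc.Name
    Enabled         = $acc.Enabled
    HasExpectedSpn  = $hasSpn
    PasswordLastSet = $acc.PasswordLastSet
    PasswordAgeDays = $ageDays
    ExceedsMaxAge   = $ageDays -gt $maxAgeDays
}
```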

Flaws in the protocol

Besides the windowstransport authentication endpoint, there is also a usernamemixed endpoint for username and password authentication:

https://autologon.microsoftazuread-sso.com/winauth/trust/2005/usernamemixed

Figure 2 shows the username and password sign-in flow.

Autologon username and password sign-in flow
  1. An XML file containing the username and password is sent to the usernamemixed endpoint.
  2. Autologon attempts to authenticate to Azure AD with the supplied credentials.
  3. If authentication succeeds, Autologon returns an XML file containing a DesktopSSOToken access token (see Figure 4). If authentication fails, Autologon returns an error (see Figure 5).
  4. If authentication succeeds, the DesktopSSOToken access token is sent to Azure AD.

Table 1 lists the error codes that may be returned. Not all error codes indicate brute-force attempts. For example, error AADSTS50053 indicates that the username and password are correct but the account is locked.

Error code    Description
AADSTS50034   The user does not exist
AADSTS50053   The user exists and entered the correct username and password, but the account is locked
AADSTS50056   The user exists but does not have a password in Azure AD
AADSTS50126   The user exists but entered the wrong password
AADSTS80014   The user exists but exceeded the maximum Pass-through Authentication time

CTU researchers observed that a successful authentication event generates a sign-in log entry in step 4. However, Autologon's authentication to Azure AD (step 2) is not logged. This omission allows threat actors to exploit the usernamemixed endpoint to perform undetected brute-force attacks.

Conclusion

Threat actors can use the Autologon usernamemixed endpoint to perform brute-force attacks. This activity is not recorded in the Azure AD sign-in logs and therefore goes undetected. As of this publication, tools and countermeasures for detecting brute-force or password-spraying attacks rely on log events.

CTU analysis shows that the Autologon service is implemented with Azure Active Directory Federation Services (AD FS). Microsoft's AD FS documentation recommends disabling Internet access to the windowstransport endpoint. However, seamless SSO requires this access. Microsoft states that the usernamemixed endpoint is needed only by Office clients older than the May 2015 update to Office 2013.

This exploitation is not limited to organizations that use seamless SSO. Threat actors can exploit the Autologon usernamemixed endpoint in any Azure AD or Microsoft 365 organization, including organizations that use Pass-through Authentication (PTA). Users without an Azure AD password are not affected.

As of this publication, there are no known mitigation techniques to prevent use of the Autologon usernamemixed endpoint. Multi-factor authentication (MFA) and Conditional Access (CA) do not prevent the exploitation, because they are applied after successful authentication.

https://yzsam.com/2022/01/202201121408024149.html