Breaking Azure AD joined endpoints in zero-trust environments

How much trust is zero trust anyway? As more security controls are added to protect cloud accounts, much of that trust ends up on a users endpoint, where long-term credentials are stored which comply with strict security policies, such as Multi Factor Authentication and device compliancy.

To secure these credentials, hardware protection with a Trusted Platform Module is used where possible. But how effective are these security controls? I have been researching Azure AD device security for the past two years and have broken quite some security controls I encountered.

In this talk I’ll demonstrate how and what the consequences of these attacks are.

When a device is joined to Azure AD, several cryptographic secrets are stored in a secure part of the device’s hardware (Trusted Platform Module). These cryptographic secrets are used to prove authentication is happening from that device and the credentials were not simply extracted to elsewhere. When I first started looking at this implementation, there were several issues with it. The secrets to device authentication, although protected by a TPM, could be extracted using mimikatz by dumping the lsass process. During the following months, I researched other attack avenues that could accomplish the same without needing to dump the lsass process. In fact, I discovered it was possible to bypass the protection by the TPM in its entirety and obtain long-lived trusted access tokens without even needing Administrator privileges on the device. Meanwhile, Microsoft improved the authentication flow and changed how the TPM is used during authentication.

In this talk I walk you through all the details of the discovery of these vulnerabilities, and how they were eventually patched by Microsoft throughout 2021 and 2022.