Hopping Across Devices: Expanding Lateral Movement through Pass-the-Certificate Attack

Lateral movement is one of the key factors in Red Team engagements. While various attack methods exist in Active Directory environments, the options for lateral movement are limited in Entra ID-based environments. However, the Pass-the-Certificate attack technique introduced by @rubin_mor in 2020 remains a valid option. Through reverse engineering of undocumented features in Windows, we have confirmed that this technique can be extended to multiple protocols and used to gain access to Entra-joined devices. In some scenarios, it is even possible to bypass MFA restrictions and move laterally across devices.

In this presentation, we will share insights into the mechanism of lateral movement using P2P certificates, present attack scenarios with a demo, and introduce a new tool for compromising Entra-joined devices with multi-protocol support. Finally, we will highlight the risks posed by this technique and discuss security measures for Entra ID-based enterprise infrastructure.

Gaining Global Administrator privileges in Entra ID is not the ultimate goal of a Red Team engagement. To fully assess the actual risk of a tenant being compromised, we sometimes have to compromise devices within the tenant in order to exfiltrate critical information.

Entra ID-based environments are inherently more secure in this respect: compared to the many lateral movement methods available in Active Directory environments, they offer fewer options for gaining access to Entra-joined devices.

With Global Administrator privileges, commands can be executed on Entra-joined devices by running scripts through Intune; however, not all targets use Intune for device management. Alternatively, commands can be executed through the Azure CLI or the Azure portal, but this path is often restricted by MFA.

Another option is to gain access to Entra-joined devices using P2P certificates. Lateral movement using P2P certificates was discovered by @rubin_mor in 2020. Although very little information exists on this technique, through reverse engineering of undocumented Windows features we have found that the method can be extended to compromise Entra-joined devices over multiple protocols, such as SMB, WinRM, and RDP. In some scenarios, MFA fails to prevent this attack even when the environment is protected by Entra ID Conditional Access. This technique therefore offers a viable option for lateral movement across devices and poses significant security risks when environments are not properly configured.

In this talk, we will first delve into the internal authentication mechanism behind P2P certificates, known as PKU2U (Public Key User-to-User). We will then present attack scenarios based on our research, including a live demo, and introduce a new tool for compromising Entra-joined devices with multi-protocol support. Finally, we will highlight the risks posed by this technique and discuss security measures for Entra ID-based enterprise infrastructure.

About the Speaker