👻 Is Windows 2000 still haunting your Active Directory?

AD trusts created in the Win2k era never get the WITHIN_FOREST flag, even after later upgrades ➡️ you could misclassify safe internal trusts as risky external ones 💥
⚠️when "trustAttributes=0"

https://www.tenable.com/blog/active-directory-trust-misclassification-why-old-trusts-look-like-insecure-external-trusts

Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Let’s find out how sync still works 🔍
Some old tricks persist—and new ones have emerged 💥
https://tenable.com/blog/despite-recent-security-hardening-entra-id-synchronization-feature-remains-open-for-abuse 🧵

The Directory Synchronization Accounts role has lost most of its Entra permissions... but it retains implicit permissions to call the undocumented synchronization API 😯 ➡️ reset hybrid users' passwords
And so does the new "On Premises Directory Sync Account" Entra role 👀

And what about the new "Microsoft Entra AD Synchronization Service" application? 🤔
It exposes a new permission: ADSynchronization.ReadWrite.All, which also allows to call the sync API when granted to a service principal ➡️ same impact

To summarize, these hardenings are great (and the new app will likely allow to support some security features), but it doesn't prevent everything or even introduces new cracks to monitor.
There's no magic to keep this feature working anyway 😉

🎥 Here's the recording of last week's webinar where I shared how to protect Entra ID from real-world attacks 🏴‍☠️, beginning with federation backdoors/privesc, using Tenable Identity Exposure

https://www.tenable.com/webinars/3-reasons-why-its-time-to-embrace-identity-as-part-of-exposure-management?utm_campaign=00032644&utm_promoter=tenable-research&utm_medium=social&utm_content=webinar-3-18-2025&utm_source=cn

You know how some system AD attributes cannot be edited even when Domain Admin?
"Error 0x20B1 The attribute cannot be modified because it is owned by the system."
This can be bypassed using the schemaUpgradeInProgress modify operation https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/a21db735-6025-4244-9cfe-6ce6582114a8 😉

Log-in as Domain or Schema admin
- Use ldp.exe and set the "schemaUpgradeInProgress" operation to 1 using Browse -> Modify
- Now you can clear this protected attribute
- Or set any value
Then stop it by setting "schemaUpgradeInProgress" to 0

⚠️ this is likely unsupported by Microsoft even though this method is advised to clean broken trust objects https://support.microsoft.com/en-us/topic/kb5040758-deleting-a-stale-corrupt-or-orphaned-trust-object-in-active-directory-a4995def-7b43-4f85-86dc-29a0c66323c9
And as described in the doc, this operation is not global: it's only effective in the same LDAP connection. It's why using ldp or LDIFDE helps

📃 How attackers can add a secondary token-signing certificate to an #EntraID federated authentication configuration for stealthier persistence & privesc 🙈
https://medium.com/tenable-techblog/stealthy-persistence-privesc-in-entra-id-by-using-the-federated-auth-secondary-token-signing-cert-876b21261106
Have you heard about the "nextSigningCertificate"? 😉

You'll also discover what this change means in the latest (final? 😢) version 0.9.3 of AADInternals by @DrAzureAD
"Modified ConvertTo-AADIntBackdoor to add backdoor certificate to NextSigningCertificate if the domain is already federated."
https://aadinternals.com/aadinternals/#version-info