SolarWinds Breach | Protecting from on-premises attacks | EP2
TeachJing

Published on Dec 22, 2020

I will go over the recent NSA document and break down the various methods an adversary would try in order to compromise your on-premises environment and gain access to your cloud resources. I will also give a brief intro to identity for folks that need a quick recap.

00:00:00 - Intro
00:01:40 - Intro to Azure Authentication Methods
00:02:57 - Method 1 - Password Hash Sync
00:06:02 - Method 2 - Pass-through authentication
00:09:38 - Method 3 - Federation
00:11:40 - NSA TTP #1 - Method 1 - Forge Trusted Auth Tokens
00:13:28 - NSA TTP #1 - Method 2 - Add bad federated trust relationship
00:15:40 - NSA TTP #2 - Use Global admin to assign SPN creds
00:18:15 - NSA Recommendations
00:22:49 - 4 Principles to secure org from on-premises attacks

Solarwinds Breach | Animated Solarwinds Breach Attack Flow - EP1
   • SolarWinds Breach | Protecting from o...  

Solarwinds Breach | UCG is formed and CISA release a free tool - Sparrow.ps1 | EP3
   • Solarwinds Breach Update | UCG is for...  

Security Things Playlist
   • Security Things  

NSA - Detecting Abuse of Authentication Mechanisms
https://media.defense.gov/2020/Dec/17...

Protecting Microsoft 365 from on-premises attacks
https://techcommunity.microsoft.com/t...

Security Rapid Modernization Plan
https://docs.microsoft.com/en-us/secu...

Turn off ADFS authentication and move to Azure AD
   • Microsoft Entra ID: Cut off ADFS Auth...  

CISA - Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
https://us-cert.cisa.gov/ncas/alerts/...

Connect with me!
Twitter -   / teachjing  
LinkedIn -   / teachjing  
