Black Hat USA 2025 | Advanced Active Directory to Entra ID Lateral Movement Techniques


Is there a security boundary between Active Directory and Entra ID in a hybrid environment? The answer to this question, while still somewhat unclear, has changed over the past few years as there has been more hardening of how much “the cloud” trusts data from on-premises. The reason for this is that many threat actors, including APTs, have been making use of known lateral movement techniques to compromise the cloud from AD.

In this talk, we will take a deep dive together into Entra ID and hybrid AD trust internals. We will introduce several new lateral movement techniques that allow us to bypass authentication, MFA and stealthily exfiltrate data using on-premises AD as a starting point, even in environments where the classical techniques didn’t work. All these techniques are new, not really vulnerabilities, but part of the design. Several of them have been remediated with recent hardening efforts by Microsoft. Very few of them leave useful logs behind when abused. As you would expect, none of these “features” are documented.

Join me for a wild ride into Entra ID internals, undocumented authentication flows and tenant compromise from on-premises AD.

By:
Dirk-jan Mollema | Security Researcher, Outsider Security

Presentation Materials Available at:
https://blackhat.com/us-25/briefings/schedule/#advanced-active-directory-to-entra-id-lateral-movement-techniques-46500