Bypassing Entra ID Conditional Access Like APT: A Deep Dive Into Device Authentication Mechanisms for Building Your Own PRT Cookie
Entra ID Conditional Access is a security feature that apply the right access controls for securing Microsoft cloud infrastructure. Conditional Access takes signals from various sources into account when making access decisions. One of the major signals is Deivce; Conditional Access can require device marked as compliant or Microsoft Entra hybrid joined device for authentication. In this talk, we will dive into the internal workings of identifying device when authenticating to Entra ID. The device certificate and session key are key components of device identification, and they are mostly protected by TPM (Trusted Platform Module). During the research into the protocols, we have discovered how attackers can interact with the device certificate and key, and eventually bypass device authentication of Conditional Access without even needing Administrator privileges on the device. There are several patches against abusing the device identities. However, we have implemented this attack through reverse-engineering Microsoft authentication library and there is no-fix, as we have reported this to Microsoft. In this talk, we will walk your through all the details of the device authentication flow and attacks into the mechanisms for bypassing Conditional Access. Also, we will give some insights into how to defend and detect this attack.
By:
Yuya Chudo | Senior Advisor, Secureworks Japan K. K.
Takayuki Hatakeyama | Senior Advisor, Secureworks Japan K. K.
Full Abstract & Presentation Materials:
www.blackhat.c...