Sunday, January 18, 2026

Advanced AD Lateral Movement Tactics Enabling Stealth and Exfiltration

In a groundbreaking presentation at Black Hat USA 2025, security researcher Dirk-jan Mollema revealed a suite of advanced lateral movement techniques that exploit the hybrid trust model between on-premises Active Directory (AD) and Microsoft Entra ID.

Despite recent hardening efforts, these techniques demonstrate that attackers with domain control can still subvert authentication, bypass multifactor protections, and quietly exfiltrate data—all without generating useful logs.

Microsoft’s hybrid identity design unifies multiple on-premises AD domains under a single Entra ID tenant.

While this flat structure simplifies user management, it also pools all synced accounts—regardless of their original domain—into one security boundary.

Attackers who gain full control of any on-prem AD environment can leverage Entra ID Connect credentials, federation services, or password hash synchronization configurations to issue valid authentication tokens for any hybrid user.

Because Entra ID treats all custom domains equally, compromise of a single synchronization component or federation key grants tenant-wide access.

The underlying Access Control Service issues long-lived, non-revocable JWT actor tokens trusted for delegation.

Recent patches have limited certain account-overwriting attacks and revoked service-principal modification rights, but many high-impact paths remain available.

Forged Tokens and Credential Theft

Mollema detailed two primary methods for forging authentication tokens:

  • Golden SAML and Kerberos Silver Tickets: By compromising AD FS token-signing certificates or seamless Single Sign-On (SSO) Kerberos keys, attackers forge SAML assertions or Kerberos service tickets that Entra ID will accept—often bypassing MFA claims entirely. Both signing certificates and seamless SSO keys are multi-domain in scope, enabling impersonation of any synced account.
  • Service-to-Service (S2S) Actor Tokens: Exchange hybrid deployments use OAuth for on-prem Exchange to access Exchange Online. These unsigned tokens—valid for 24 hours—allow full mailbox and SharePoint access, and can impersonate any user with “trustedfordelegation” rights. Microsoft has since blocked new first-party service-principal credentials, but existing tokens remain dangerous and unlogged.

Furthermore, compromised Entra ID Connect servers expose both database-encrypted passwords and certificate-private keys.

Attackers can overwrite hybrid passwords, convert cloud-only accounts to hybrid, and assign arbitrary credentials to service principals.

Despite a 2024 permissions lockdown that removed many Graph API rights from the sync account, residual service principal privileges can still be abused for persistence and stealth.

Undocumented Backdoors and Policy Manipulation

Several of Mollema’s techniques exploit undocumented or poorly documented Graph API endpoints and internal policy configurations:

  • Soft Matching for Account Takeover: Cloud-only userPrincipalNames can be hijacked via on-premises attribute collisions, instantly converting these accounts into hybrid identities that Entra ID trusts. Eligible administrative roles remain vulnerable despite global administrator protections.
  • Conditional Access and SSO Policy Backdoors: The hybrid synchronization account can modify Conditional Access policies, disable MFA requirements, or insert rogue seamless SSO encryption keys into policy-defined domains. These backdoor keys persist until rotated, enabling undetectable SSO token injection.
  • Exchange Federation Configuration: Attackers can patch federation metadata—such as federatedIdpMfaBehavior—to accept or bypass MFA from a compromised AD FS instance. With Domain.ReadWrite.All privileges, they can also alter federation certificates, undermining future authentication flows.

Mollema stressed that most of these “features” are by-design behaviours rather than software bugs, although Microsoft eventually classified the Graph API impersonation vector as a vulnerability.

While some mitigations are now mandatory—such as splitting Exchange hybrid service principals and enforcing stricter API scopes—organizations must actively audit their hybrid configurations.

Monitoring Exchange-initiated audit log entries with tailored KQL queries, and rotating federation and seamless SSO keys frequently, are critical steps.
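As an added illustration of the audit the article calls for (this is example code written for this page, not tooling from the article or from Mollema's talk), the script below checks two of the hybrid trust points discussed above: the age of the seamless SSO Kerberos key, which lives as the password of the AZUREADSSOACC computer account in on-prem AD, and, for every federated domain, the federatedIdpMfaBehavior setting and the expiry of the token-signing certificate. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed, a Graph sign-in with Domain.Read.All, and a 30-day key-age threshold chosen for this example.

```powershell
# Added example, not from the article: read-only audit of seamless SSO key age and
# federated-domain MFA/certificate settings. Assumes ActiveDirectory and
# Microsoft.Graph modules; the 30-day threshold is an assumption for this script.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement

param(
    # Maximum accepted age of the seamless SSO Kerberos key before it is flagged.
    [int]$MaxSsoKeyAgeDays = 30,
    # Flag federation signing certificates that expire within this many days.
    [int]$CertWarningDays  = 60
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Seamless SSO: Entra ID trusts the Kerberos key of AZUREADSSOACC for every
#    synced domain, so its password age is the age of the key an attacker would
#    need to forge tickets. PasswordLastSet is the rotation timestamp.
$sso = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet -ErrorAction SilentlyContinue
if ($null -eq $sso) {
    $findings.Add('AZUREADSSOACC not found: seamless SSO appears to be disabled in this forest.')
} else {
    $age = (Get-Date) - $sso.PasswordLastSet
    if ($age.TotalDays -gt $MaxSsoKeyAgeDays) {
        $findings.Add(('Seamless SSO Kerberos key is {0:N0} days old (last set {1}); ' +
                       'rotate it with Update-AzureADSSOForest.') -f $age.TotalDays, $sso.PasswordLastSet)
    }
}

# 2. Federated domains: a compromised AD FS can only satisfy MFA on its own if
#    Entra ID is configured to accept the federated IdP's MFA claim, so anything
#    other than rejectMfaByFederatedIdp is reported. The signing certificate is
#    returned base64-encoded; decode it to read NotAfter.
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
$federated = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }

foreach ($domain in $federated) {
    foreach ($fed in Get-MgDomainFederationConfiguration -DomainId $domain.Id) {
        if ($fed.FederatedIdpMfaBehavior -ne 'rejectMfaByFederatedIdp') {
            $findings.Add(('{0}: federatedIdpMfaBehavior is {1}; Entra ID will trust MFA claims ' +
                           'asserted by the federation server.') -f $domain.Id, $fed.FederatedIdpMfaBehavior)
        }
        if ($fed.SigningCertificate) {
            $raw  = [Convert]::FromBase64String($fed.SigningCertificate)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
            $daysLeft = ($cert.NotAfter - (Get-Date)).TotalDays
            if ($daysLeft -lt $CertWarningDays) {
                $findings.Add(('{0}: token-signing certificate {1} expires in {2:N0} days.') -f
                               $domain.Id, $cert.Thumbprint, $daysLeft)
            }
            if (-not $fed.NextSigningCertificate) {
                $findings.Add(('{0}: no nextSigningCertificate staged for rollover.') -f $domain.Id)
            }
        }
    }
}

# 3. Report. Exit code 1 lets a scheduled task or pipeline treat findings as failures.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: seamless SSO key and federation settings are within policy.'
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it from a domain-joined administrative host as a scheduled check; the thresholds are starting points, and the federatedIdpMfaBehavior test is deliberately strict because it treats the federation server as an asset an attacker with domain control may already own.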

As hybrid cloud deployments remain ubiquitous, defenders must assume an attacker may already hold on-premises domain control.

Only by reducing trust assumptions, implementing rigorous least-privilege policies, and maintaining visibility on token issuance can enterprises close the gap between AD and Entra ID.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
