As with all lateral movement techniques, abusing CTS presumes that privileged credentials inside a tenant have already been compromised. For the attack to work, both the source and the target tenant need an Azure AD Premium P1 or P2 license, since CTS is only available with those. The attacker also needs an account holding a role that lets them touch the relevant configuration: the Security Administrator role to configure cross-tenant access policies, the Hybrid Identity Administrator role to change the cross-tenant synchronization configuration, or the Cloud Application Administrator or Application Administrator role to assign new users to an existing CTS configuration. Depending on the cross-tenant access policies and CTS configuration already present in a tenant, and on the privileges the attacker has obtained, there are therefore several ways this can be abused for lateral movement or persistence.
In Vectra AI’s proof-of-concept attack, it is assumed that the compromised tenant already has cross-tenant access policies configured with other tenants. First, the attacker lists, from an administrative PowerShell session, every tenant the current tenant has a cross-tenant access policy with. They then review each policy to identify a partner tenant for which an outbound policy exists, meaning the current tenant is configured to sync users into that target tenant.
The next step is to locate the ID of the application inside the compromised tenant that performs the synchronization, so that its configuration can be modified. The Vectra researchers created and published a PowerShell script that automates the entire process.
“There is no straightforward way to find the CTS sync application linked to the target tenant,” the researchers said. “The attacker can enumerate through service principals in the tenant attempting to validate credentials with the target tenant to ultimately find the application that hosts the sync job to the target tenant. It can be done through a simple module like this.”
After identifying the sync application, the attacker has two options. They can add the compromised account whose credentials they already hold directly to the application’s sync scope. Or they can review that scope, which might, for example, show that all members of a particular group are synchronized into the target tenant, and then try to add their compromised user to that group, directly or indirectly.
Besides using a compromised tenant as the source for lateral movement, CTS can also serve as a backdoor that maintains persistence in a compromised tenant. For example, the attacker could create an inbound cross-tenant access policy in the victim tenant that allows an external tenant under their control to sync users into it. They could then also enable the “automatic user consent” option (surfaced in the portal as automatically redeeming invitations) so that the synced user is never prompted for consent.
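The two abuse paths above, the outbound sync scope an attacker joins and the inbound policy an attacker plants, are the same two things a defender should be auditing. The script below is an added example written for this page, not Vectra’s published script, and it uses the Microsoft Graph PowerShell SDK to report both sides for the signed-in tenant. It assumes the Microsoft.Graph modules are installed and that the caller holds Policy.Read.All, Application.Read.All and Synchronization.Read.All; the CTS application template ID and the "Azure2Azure" job template ID are taken from Microsoft’s cross-tenant synchronization documentation and should be checked against the current docs before relying on them.

```powershell
# Added audit example (not Vectra's script). Requires the Microsoft.Graph PowerShell SDK.
# Assumptions, taken from Microsoft's CTS documentation and to be verified there: the CTS
# configuration app is instantiated from application template
# 518e5f48-1fc8-4c48-9387-9fdf28b0dfe7, and its provisioning job uses the "Azure2Azure" template.
$CtsAppTemplateId = '518e5f48-1fc8-4c48-9387-9fdf28b0dfe7'
$CtsJobTemplateId = 'Azure2Azure'

Connect-MgGraph -Scopes 'Policy.Read.All','Application.Read.All','Synchronization.Read.All' -NoWelcome

# --- Part 1: inbound side (persistence risk).
# Which partner tenants may push users into this tenant, and is redemption automatic for them?
$inboundReport = foreach ($partner in Get-MgPolicyCrossTenantAccessPolicyPartner -All) {
    # identitySynchronization only exists for partners where CTS has been configured;
    # Graph returns 404 for the others, so swallow that and treat it as "not allowed".
    $sync = Get-MgPolicyCrossTenantAccessPolicyPartnerIdentitySynchronization `
        -CrossTenantAccessPolicyConfigurationPartnerTenantId $partner.TenantId -ErrorAction SilentlyContinue

    $inboundSync = [bool]$sync.UserSyncInbound.IsSyncAllowed
    $autoRedeem  = [bool]$partner.AutomaticUserConsentSettings.InboundAllowed

    # Both true means the partner can create users here with no prompt: the backdoor shape
    # described above. Inbound sync alone is still worth a second look.
    $risk = if ($inboundSync -and $autoRedeem) { 'HIGH: silent inbound sync' }
            elseif ($inboundSync)              { 'MEDIUM: inbound sync allowed' }
            else                               { 'info' }

    [pscustomobject]@{
        PartnerTenantId    = $partner.TenantId
        InboundSyncAllowed = $inboundSync
        AutoRedeemInbound  = $autoRedeem
        Risk               = $risk
    }
}

# --- Part 2: outbound side (lateral movement risk).
# Which service principals here run a CTS job into another tenant, and who is in scope?
$outboundReport = Get-MgServicePrincipal -All -Property Id,DisplayName,ApplicationTemplateId |
    Where-Object { $_.ApplicationTemplateId -eq $CtsAppTemplateId } |
    ForEach-Object {
        $sp   = $_
        $jobs = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.TemplateId -eq $CtsJobTemplateId }
        if (-not $jobs) { return }   # template instantiated, but no sync job configured yet

        # The app role assignments are the sync scope. A group in scope means anyone who can
        # add members to that group can get an account pushed into the target tenant.
        $scope  = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All
        $groups = @($scope | Where-Object PrincipalType -eq 'Group' |
                   Select-Object -ExpandProperty PrincipalDisplayName)

        [pscustomobject]@{
            SyncApp       = $sp.DisplayName
            SyncAppId     = $sp.Id
            JobState      = (@($jobs | ForEach-Object { $_.Schedule.State }) -join ',')
            UsersInScope  = @($scope | Where-Object PrincipalType -eq 'User').Count
            GroupsInScope = ($groups -join ';')
        }
    }

'== Partners allowed to sync users INTO this tenant =='
$inboundReport  | Format-Table -AutoSize
'== CTS sync apps pushing users OUT of this tenant =='
$outboundReport | Format-Table -AutoSize
```

Note that the outbound job object does not expose which tenant it targets; that value lives in the job’s synchronization secrets, which is why the researchers fall back to probing each service principal rather than reading it. For a defender, the display name of the sync app plus the group names in scope is usually enough to decide whether a membership change to one of those groups deserves an alert.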