Microsoft has updated the Entra Connect Sync agent to authenticate with an application registration and the client credentials flow instead of a user account, which reduces the risk of user credentials being exported from the host. However, attackers can still abuse this design: with a valid access token and proof of possession, they can add a new certificate to the application registration and obtain persistent access from outside the host. #EntraConnect #ApplicationRegistration
Key points
- The new Entra Connect Sync agent uses an app registration with certificate authentication instead of user credentials.
- Attackers can still add new keys to the application registration without elevated permissions, owing to weaknesses in how key addition is authorized.
- Adding a new certificate requires only a valid access token and proof of possession, which enables persistent, off-host access.
- Monitoring credential changes on the application, such as additional keys, can help identify malicious activity.
- The updated design also expands the attack surface, since it makes it easier for an adversary to manipulate application credentials stealthily.
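One practical way to act on the detection point above is to baseline the sync agent's application registration and diff its credentials on a schedule. The following is an added example, not code from the original page or from Microsoft; it assumes snapshots shaped like the Microsoft Graph `application` object (`keyCredentials` and `passwordCredentials` entries with `keyId`, `displayName`, `startDateTime`, `endDateTime`), and the sample snapshots, app ID and key IDs are constructed for illustration.

```python
"""
Detect newly added (or removed) credentials on an Entra ID application
registration by diffing two snapshots of its keyCredentials and
passwordCredentials. Added example; snapshot shape assumed to follow the
Microsoft Graph 'application' object. All sample data below is constructed.
"""
from typing import Dict, List

# Constructed baseline: the sync agent's app registration as first captured,
# with the single certificate the agent is expected to hold.
BASELINE: Dict = {
    "appId": "00000000-0000-0000-0000-000000000001",  # placeholder, constructed
    "displayName": "ConnectSyncAgent-example",
    "keyCredentials": [
        {"keyId": "k-1", "displayName": "CN=sync-agent-host-01",
         "startDateTime": "2024-01-10T00:00:00Z",
         "endDateTime": "2025-01-10T00:00:00Z"},
    ],
    "passwordCredentials": [],
}

# Constructed later snapshot: a second certificate with a copied display name
# and a client secret have appeared on the same registration.
LATER: Dict = {
    "appId": "00000000-0000-0000-0000-000000000001",  # placeholder, constructed
    "displayName": "ConnectSyncAgent-example",
    "keyCredentials": [
        {"keyId": "k-1", "displayName": "CN=sync-agent-host-01",
         "startDateTime": "2024-01-10T00:00:00Z",
         "endDateTime": "2025-01-10T00:00:00Z"},
        {"keyId": "k-2", "displayName": "CN=sync-agent-host-01",
         "startDateTime": "2024-03-02T11:17:00Z",
         "endDateTime": "2026-03-02T11:17:00Z"},
    ],
    "passwordCredentials": [
        {"keyId": "p-1", "displayName": "legacy",
         "startDateTime": "2024-03-02T11:20:00Z",
         "endDateTime": "2026-03-02T11:20:00Z"},
    ],
}


def _by_key_id(app: Dict, field: str) -> Dict[str, Dict]:
    """Index one credential list of an application snapshot by keyId."""
    return {c["keyId"]: c for c in app.get(field, [])}


def diff_credentials(baseline: Dict, current: Dict) -> List[Dict]:
    """Return one finding per credential added to or removed from the app.

    Each finding records the credential kind (certificate or secret), the
    keyId, its display name and expiry, and whether it was added or removed.
    """
    findings: List[Dict] = []
    for field, kind in (("keyCredentials", "certificate"),
                        ("passwordCredentials", "secret")):
        before = _by_key_id(baseline, field)
        after = _by_key_id(current, field)
        for key_id in sorted(after.keys() - before.keys()):
            cred = after[key_id]
            findings.append({"appId": current["appId"], "change": "added",
                             "kind": kind, "keyId": key_id,
                             "displayName": cred.get("displayName", ""),
                             "endDateTime": cred.get("endDateTime", "")})
        for key_id in sorted(before.keys() - after.keys()):
            cred = before[key_id]
            findings.append({"appId": current["appId"], "change": "removed",
                             "kind": kind, "keyId": key_id,
                             "displayName": cred.get("displayName", ""),
                             "endDateTime": cred.get("endDateTime", "")})
    return findings


def unexpected_additions(findings: List[Dict], expected_certs: int,
                         current: Dict) -> List[Dict]:
    """Filter findings down to what warrants an alert for a sync-agent app.

    Policy (an assumption for this example): the agent should hold exactly
    `expected_certs` certificates and no client secrets, so any added secret,
    or any added certificate that pushes the count above the expectation, is
    reported. A display name that matches an existing certificate is noted
    because it does not make the new key legitimate.
    """
    cert_count = len(current.get("keyCredentials", []))
    alerts = []
    for f in findings:
        if f["change"] != "added":
            continue
        if f["kind"] == "secret" or cert_count > expected_certs:
            alerts.append(f)
    return alerts


def alert_lines(alerts: List[Dict]) -> List[str]:
    """Render alerts as one line each, suitable for a log sink or ticket."""
    return [f"{a['appId']} {a['change']} {a['kind']} keyId={a['keyId']} "
            f"name={a['displayName']!r} expires={a['endDateTime']}"
            for a in alerts]


if __name__ == "__main__":
    for line in alert_lines(unexpected_additions(
            diff_credentials(BASELINE, LATER), 1, LATER)):
        print(line)
```

The snapshots would normally come from a scheduled read of the application object; the diff is deliberately keyed on `keyId` rather than display name, because a copied display name is the obvious way for an added key to blend in with the legitimate one.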