Az - Lateral Movement (Cloud - On-Prem)


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

This section covers the pivoting techniques to move from a compromised Entra ID tenant into the on-premises Active Directory (AD) or from a compromised AD to the Entra ID tenant.

Pivoting Techniques

  • Arc Vulnerable GPO Deploy Script: If an attacker can control or create an AD computer account and access the Azure Arc GPO deployment share, they can decrypt the stored Service Principal secret and use it to authenticate to Azure as the associated service principal, fully compromising the linked Azure environment.

  • Cloud Kerberos Trust: How to pivot from Entra ID to AD when Cloud Kerberos Trust is configured. A Global Admin in Entra ID (Azure AD) can abuse Cloud Kerberos Trust and the sync API to impersonate high-privilege AD accounts, obtain their Kerberos tickets or NTLM hashes, and fully compromise on-prem Active Directory—even if those accounts were never cloud-synced—effectively bridging cloud-to-AD privilege escalation.

  • Cloud Sync: How to abuse Cloud Sync to move from the cloud to on-premises AD and the other way around.

  • Connect Sync: How to abuse Connect Sync to move from the cloud to on-premises AD and the other way around.

  • Domain Services: What the Azure Domain Services service is and how to pivot from Entra ID to the AD it generates.

  • Federation: How to abuse Federation to move from the cloud to on-premises AD and the other way around.

  • Hybrid Misc Attacks: Miscellaneous attacks that can be used to pivot from the cloud to on-premises AD and the other way around.

  • Local Cloud Credentials: Where to find credentials to the cloud when a PC is compromised.

  • Pass the Certificate: Generate a cert based on the PRT to login from one machine to another.

  • Pass the Cookie: Steal Azure cookies from the browser and use them to login.

  • Primary Refresh Token/Pass the PRT/Phishing PRT: What is the PRT, how to steal it and use it to access Azure resources impersonating the user.

  • PtA - Pass through Authentication: How to abuse Pass-through Authentication to move from the cloud to on-premises AD and the other way around.

  • Seamless SSO: How to abuse Seamless SSO to move from on-prem to cloud.

  • Intune: Another way to pivot from the cloud to on-prem is abusing Intune.
