impr

Author: carlospolop

src/SUMMARY.md

@@ -442,22 +442,19 @@
       - [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
   - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
   - [Az - Lateral Movement (Cloud - On-Prem)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md)
-    - [Az AD Connect - Hybrid Identity](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md)
-      - [Az - Hybrid Identity Misc Attacks](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-hybrid-identity-misc-attack.md)
-      - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md)
-      - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-federation.md)
-      - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md)
-      - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md)
-      - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-domain-services.md)
-      - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-pta-pass-through-authentication.md)
-      - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md)
-      - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
+    - [Az - Arc vulnerable GPO Deploy Script](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md)
+    - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md)
+    - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md)
+    - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md)
+    - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md)
+    - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md)
+    - [Az - Hybrid Identity Misc Attacks](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md)
     - [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md)
-    - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)
     - [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md)
-    - [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md)
-    - [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md)
+    - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)
     - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
+    - [Az - PTA - Pass-through Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pta-pass-through-authentication.md)
+    - [Az - Seamless SSO](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/seamless-sso.md)    
   - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
     - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
     - [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)

src/pentesting-cloud/azure-security/az-device-registration.md

@@ -32,7 +32,7 @@ But it **doesn't protect** against **sniffing** the physical connection between
 If you check the following page you will see that **stealing the PRT** can be used to access like a the **user**, which is great because the **PRT is located devices**, so it can be stolen from them (or if not stolen abused to generate new signing keys):
 
 {{#ref}}
-az-lateral-movement-cloud-on-prem/pass-the-prt.md
+az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md
 {{#endref}}
 
 ## Registering a device with SSO tokens

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md

@@ -1,66 +1,41 @@
 # Az - Lateral Movement (Cloud - On-Prem)
 
-## Az - Lateral Movement (Cloud - On-Prem)
-
 {{#include ../../../banners/hacktricks-training.md}}
 
-### On-Prem machines connected to cloud
-
-There are different ways a machine can be connected to the cloud:
-
-#### Azure AD joined
-
-<figure><img src="../../../images/image (259).png" alt=""><figcaption></figcaption></figure>
+## Basic Information
 
-#### Workplace joined
+This section covers the pivoting techniques to move from a compromised Entra ID tenant into the on-premises Active Directory (AD) or from a compromised AD to the Entra ID tenant.
 
-<figure><img src="../../../images/image (222).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large">https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large</a></p></figcaption></figure>
+## Pivoting Techniques
 
-#### Hybrid joined
+- [**Arc Vulnerable GPO Desploy Script**](az-arc-vulnerable-gpo-deploy-script.md): If an attacker can control or create an AD computer account and access the Azure Arc GPO deployment share, they can decrypt the stored Service Principal secret and use it to authenticate to Azure as the associated service principal, fully compromising the linked Azure environment.
 
-<figure><img src="../../../images/image (178).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large">https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large</a></p></figcaption></figure>
+- [**Cloud Kerberos Trust**](az-cloud-kerberos-trust.md): How to pivot from Entra ID to AD when Cloud Kerberos Trust is configured. A Global Admin in Entra ID (Azure AD) can abuse Cloud Kerberos Trust and the sync API to impersonate high-privilege AD accounts, obtain their Kerberos tickets or NTLM hashes, and fully compromise on-prem Active Directory—even if those accounts were never cloud-synced—effectively bridging cloud-to-AD privilege escalation.
 
-#### Workplace joined on AADJ or Hybrid
+- [**Cloud Sync**](az-cloud-sync.md): How to abuse Cloud Sync to move from the cloud to on-premises AD and the other way around.
 
-<figure><img src="../../../images/image (252).png" alt=""><figcaption><p><a href="https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large">https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large</a></p></figcaption></figure>
+- [**Connect Sync**](az-connect-sync.md): How to abuse Connect Sync to move from the cloud to on-premises AD and the other way around.
 
-### Tokens and limitations <a href="#tokens-and-limitations" id="tokens-and-limitations"></a>
+- [**Domain Services**](az-domain-services.md): What is the Azure Domain Services Service and how to pivot from Entra ID to the AD it generates.
 
-In Azure AD, there are different types of tokens with specific limitations:
+- [**Federation**](az-federation.md): How to abuse Federation to move from the cloud to on-premises AD and the other way around.
 
-- **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource.
-- **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications.
-- **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device.
-- **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens.
+- [**Hybrid Misc Attacks**](az-hybrid-identity-misc-attacks.md): Miscellaneous attacks that can be used to pivot from the cloud to on-premises AD and the other way around.
 
-The most interesting type of token is the Primary Refresh Token (PRT).
+- [**Local Cloud Credentials**](az-local-cloud-credentials.md): Where to find credentials to the cloud when a PC is compromised.
 
-{{#ref}}
-az-primary-refresh-token-prt.md
-{{#endref}}
+- [**Pass the Certificate**](az-pass-the-certificate.md): Generate a cert based on the PRT to login from one machine to another.
 
-### Pivoting Techniques
+- [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login.
 
-From the **compromised machine to the cloud**:
+- [**Primary Refresh Token/Pass the PRT/Phishing PRT**](az-primary-refresh-token-prt.md): What is the PRT, how to steal it and use it to access Azure resources impersonating the user.
 
-- [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login
-- [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text.
-- [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it
-- [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it.
-- [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another
+- [**PtA - Pass through Authentication**](az-pta-pass-through-authentication.md): How to abuse Pass-through Authentication to move from the cloud to on-premises AD and the other way around.
 
-From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**:
+- [**Seamless SSO**](az-seamless-sso.md): How to abuse Seamless SSO to move from on-prem to cloud.
 
-- [**Azure AD Connect**](azure-ad-connect-hybrid-identity/index.html)
 - **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md)
 
-#### [Roadtx](https://github.com/dirkjanm/ROADtools)
-
-This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/)
-
-## References
-
-- [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/)
 
 {{#include ../../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md

@@ -71,4 +71,3 @@ At this point, we can gather the remaining information needed to connect to Azur
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-