Add AD to Entra pivot techniques from recent talk

Author: chack

src/SUMMARY.md

@@ -504,9 +504,11 @@
     - [Az - Cloud Kerberos Trust](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-kerberos-trust.md)
     - [Az - Cloud Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md)
     - [Az - Connect Sync](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync.md)
+    - [Az - Connect Sync Policy Abuse](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync-policy-abuse.md)
     - [Az - Domain Services](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-domain-services.md)
     - [Az - Federation](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-federation.md)
     - [Az - Hybrid Identity Misc Attacks](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-hybrid-identity-misc-attacks.md)
+    - [Az - Exchange Hybrid Impersonation (ACS Actor Tokens)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-exchange-hybrid-impersonation.md)
     - [Az - Local Cloud Credentials](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-local-cloud-credentials.md)
     - [Az - Pass the Certificate](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-certificate.md)
     - [Az - Pass the Cookie](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-pass-the-cookie.md)

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md

@@ -16,12 +16,16 @@ This section covers the pivoting techniques to move from a compromised Entra ID
 
 - [**Connect Sync**](az-connect-sync.md): How to abuse Connect Sync to move from the cloud to on-premises AD and the other way around.
 
+- [**Connect Sync Policy Abuse**](az-connect-sync-policy-abuse.md): How to abuse Connect Sync access to modify internal policies (e.g., enable Seamless SSO or add external auth methods) and pivot from AD to Entra ID.
+
 - [**Domain Services**](az-domain-services.md): What is the Azure Domain Services Service and how to pivot from Entra ID to the AD it generates.
 
 - [**Federation**](az-federation.md): How to abuse Federation to move from the cloud to on-premises AD and the other way around.
 
 - [**Hybrid Misc Attacks**](az-hybrid-identity-misc-attacks.md): Miscellaneous attacks that can be used to pivot from the cloud to on-premises AD and the other way around.
 
+- [**Exchange Hybrid Impersonation (ACS Actor Tokens)**](az-exchange-hybrid-impersonation.md): How to abuse Exchange Hybrid to impersonate users across Exchange/SharePoint/Entra ID and pivot from AD to Entra ID.
+
 - [**Local Cloud Credentials**](az-local-cloud-credentials.md): Where to find credentials to the cloud when a PC is compromised.
 
 - [**Pass the Certificate**](az-pass-the-certificate.md): Generate a cert based on the PRT to login from one machine to another.
@@ -39,4 +43,3 @@ This section covers the pivoting techniques to move from a compromised Entra ID
 
 {{#include ../../../banners/hacktricks-training.md}}
 
-

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-connect-sync-policy-abuse.md

@@ -0,0 +1,38 @@
+# Az - Connect Sync Policy Abuse
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+The **Entra ID Connect Sync** account (or its service principal) can access **internal Graph endpoints** (notably `graph.windows.net` internal API versions). With that access it can **modify tenant policies** beyond simple directory sync, which enables **new pivot paths from on‑prem AD to Entra ID**.
+
+The techniques below are based on practical research and are especially relevant in hybrid environments where Connect Sync is present but ADFS/Seamless SSO are not explicitly enabled.
+
+## Attack Paths
+
+### Enable Seamless SSO by Adding Kerberos Keys
+
+If the sync principal can modify the **On‑Premises Authentication Policy**, it can **add new key material** for Seamless SSO. This effectively **backdoors Seamless SSO** even if it was not enabled before.
+
+High‑level flow:
+
+- Use Connect Sync credentials (user or service principal) to obtain tokens for `graph.windows.net` internal API.
+- Modify the **On‑Premises Authentication Policy** and **add KeyCredentials** for a target domain.
+- Use the newly added key to **forge Kerberos tickets** for **hybrid users**, enabling SSO‑based cloud authentication.
+
+This enables AD‑to‑Entra impersonation without needing to steal existing key material. In practice, policy changes are **poorly logged** (often only “policy changed” without details).
+
+### Abuse Authentication Methods Policy to Bypass MFA
+
+The sync principal can also modify **Authentication Methods Policy** (e.g., adding external authentication methods). This can allow an attacker to:
+
+- **Add a custom external method** as a valid MFA provider.
+- Combine this with SSO/ADFS token forging to **satisfy MFA** requirements for hybrid users.
+
+This is useful when MFA is enforced but the policy itself can be modified via internal Graph endpoints.
+
+## References
+
+- https://www.youtube.com/watch?v=rzfAutv6sB8
+
+{{#include ../../../banners/hacktricks-training.md}}

src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-exchange-hybrid-impersonation.md

@@ -0,0 +1,42 @@
+# Az - Exchange Hybrid Impersonation (ACS Actor Tokens)
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Basic Information
+
+In **Exchange Hybrid** deployments, the on‑prem Exchange server shares a **service principal identity** with Exchange Online. If an attacker compromises the on‑prem Exchange server, they can often **export the hybrid certificate** and use it to request **client‑credentials tokens** as Exchange Online.
+
+This opens multiple pivot paths into Entra ID and other services.
+
+## Attack Paths
+
+### Modify Federation Configuration via Exchange
+
+Exchange Hybrid can **write domain federation configuration**. This can be abused to:
+
+- **Add a new token‑signing certificate** for a federated domain.
+- **Relax MFA claims acceptance** for ADFS‑issued tokens.
+
+Once a malicious token‑signing cert is added (or MFA acceptance is loosened), an attacker can **forge ADFS tokens** and impersonate hybrid users in Entra ID.
+
+### ACS Actor Tokens → Impersonate Any User
+
+Exchange can request **ACS actor tokens** that include **`trusted for delegation`**. Those tokens allow **service‑to‑service impersonation** across Exchange and other Microsoft 365 services.
+
+Impact:
+
+- **Impersonate any mailbox user** in Exchange Online.
+- **Access SharePoint/OneDrive** as any user (Exchange uses those services under the hood).
+- **Impersonate Entra ID users** via `graph.windows.net` by crafting tokens with the target **`netId`**.
+
+These actor tokens are **not subject to Conditional Access** and are typically valid for long periods (e.g., ~24 hours). With them, an attacker can perform **Entra ID admin actions** (e.g., create a Global Admin), resulting in full tenant compromise.
+
+### Detection Notes
+
+Entra audit logs may show **odd mixed identities** (the impersonated user UPN combined with **Exchange Online** as the display name), which can be a detection signal for this abuse path.
+
+## References
+
+- https://www.youtube.com/watch?v=rzfAutv6sB8
+
+{{#include ../../../banners/hacktricks-training.md}}