Blogs
Introduction
Oftentimes during an assessment, the need arises to rapidly deploy new infrastructure. Whether it be a redirector for command and control, a phishing server or simply a server to be used for SOCKS proxying, deployment automation can save a ton of time so the focus can be on the fun stuff and not small, tedious tasks.
A lot of blogs tend to focus on AWS, Azure or GCP which are great platforms for offensive security infrastructure but there isn’t a lot out there talking about using Akamai’s Linode platform. I’ve been using Linode for a long time and it’s a great and relatively easy platform to use for operations since they offer several services such as compute, storage, StackScripts (more on that later) and a robust marketplace.
Introduction
Most modern organizations today are hybrid environments consisting of both traditional on-premises Active Directory and Entra ID. Oftentimes on-prem Active Directory accounts are synced with Entra ID. While this setup has its many benefits, it can also lead to Azure tenant compromise via the AZUREADSSOACC$ machine account. In this blog, we explore how threat actors can abuse this account to pivot from on-prem AD to Azure, leveraging synced Global Administrator accounts to compromise cloud resources. We’ll outline the attack methodology, highlight its impact, and provide actionable defenses to secure your hybrid identity environment.