Zero Networks Labs

Apply AAD Conditional Access to psexec.exe & Other Attacker Admin Tools

Published June 02, 2022 by Nicholas DiCola

Azure Active Directory (AAD) Conditional Access is a great feature to enable identity driven access control to cloud applications. One limitation has been bringing that to on-premise network connections. Zero Networks Access Orchestrator can enable MFA on any network connection between assets. It also can integrate with any SAML based identity provider like Azure Active Directory. The impact? Security teams can apply Conditional Access policies to any network connection to hinder attackers from spreading inside your networks. Let’s take a look at how this works.

For this scenario, I will configure Conditional Access to require MFA and a “compliant” device to access.

1. I have created a test policy and the configured it to target just my user for testing purposes. You can expand to all users once verified.

2. I configure the cloud app for the Zero Networks SSO app. The guide to configure SSO is here.

3. For conditions, I set this to apply to all device platforms and any location. I want to make sure even if I open a connection at home over a VPN, this policy still applies.

4. Lastly, I configure a policy that allows access to be granted if both MFA and a compliant device are satisfied.

Once the policy is created, you will need to wait for a few minutes for AAD to apply it before testing.

To test, I will connect to our Hyper-V host using psexec.exe.

1. I open PowerShell and run psexec.exe \ofc-hyperv cmd

2. Once it tries to connect, Zero Networks detects this is part of a configured MFA policy.

3. The policy is configured to open a browser and I get a pop-up to sign in.

4. I enter my email and click Sign In with Microsoft. I WOULD NOT USE A PICTURE OF YOUR REAL EMAIL!

5. After going through the sign in with Microsoft, I get the following error because my machine is not compliant.

Let me go make my machine healthy and install those missing updates. ????

6. Ok, we are back with a healthy machine.

7. Now when I click Sign in with Microsoft I get the following:

8. Let’s click Approve.

9. And now we are connected with PSExec.

I know what you are thinking: “WAIT! Did you just…” and the answer is YES I DID apply a Conditional Access policy to a pssexec connection between 2 assets! And only Zero Networks can do it.

And the next time I connect, it’s a quick approve as I already have my token!

Contact us to find out how!