Exploit Cross Tenant Sync

Description

The Exploit Cross Tenant Sync module hosts multiple sub-modules that exploit the Cross-Tenant Synchronization (CTS) feature in Entra ID, allowing users to perform lateral movement and establish persistence in the target environment.

Sub-modules under the Exploit Cross Tenant Sync module:

  • List Currently Accessible Tenants
  • List Azure2Azure Template Applications in Tenant
  • Find Target Tenants in Existing Cross Tenant Access Policy
  • Inspect Deployed Cross Tenant Access Policy Configuration
  • Find CTS Application of a Target Tenant
  • Sync User to Target Tenant
  • Add User to CTS Sync Group
  • Deploy backdoor using Cross Tenant Synchronization

Trigger

MAAD Attack Arsenal -> "AzureAD" -> 1

MITRE ATT&CK Information

Tactic        Technique
Persistence   Create Account: Cloud Account

Additional Details

This module is based on the techniques discussed in this research blog: Exploiting Cross Tenant Synchronization

Revert module changes: No

Microsoft services accessed by module:

PowerShell module used: