Yuya Chudo

Yuya Chudo is a red team technical lead at Secureworks Japan K.K. He specializes in red team testing and vulnerability assessment, and has been working in the field of cyber security for around 7 years. He has found multiple zero-day vulnerabilities in well-known network products, and he has presented his research at Black Hat Asia 2024 Briefings and Black Hat Europe 2024 Briefings. You can find him on X (formerly known as Twitter) as @TEMP43487580.


Session

06-25
14:15
60min
Hopping Across Devices: Expanding Lateral Movement through Pass-the-Certificate Attack
Yuya Chudo

Lateral movement is one of the key factors in Red Team engagements. While various attack methods exist in Active Directory environments, the options for lateral movement are limited in Entra ID-based environments. However, the Pass-the-Certificate attack technique introduced by @rubin_mor in 2020 remains a valid option. Through reverse engineering of undocumented features in Windows, we have confirmed that this technique can be extended to multiple protocols and can be used to gain access to Entra-joined devices. In some scenarios, it is even possible to bypass MFA restrictions to move laterally across devices.

In this presentation, we will share insights into the mechanism of lateral movement using P2P certificates, present attack scenarios with a demo, and introduce a new tool for compromising Entra-joined devices with multi-protocol support. Finally, we will highlight the risks posed by this technique and discuss security measures for Entra ID-based enterprise infrastructure.

Active Directory & Entra ID Security
Track 2 (AD & Entra ID Sec)