TR0.5 Hybrid Environment Mapping and Attack Surface

· Module 0 · Free
Operational Objective
The Visibility Problem: The triage responder who does not understand the environment cannot scope the incident. An alert on a single Linux server may be a standalone compromise — or it may be the lateral movement stage of an attack that started in M365, traversed a Windows endpoint, and reached the Linux server via SSH. Without knowing the environment's hybrid architecture — which accounts are synchronised between AD and Entra ID, which devices are hybrid-joined, which Linux servers are managed via Azure Arc, which M365 workloads connect to on-premises databases — the responder cannot determine the blast radius. This subsection teaches how to map the hybrid footprint BEFORE an incident, so the triage responder has a reference map when the alert fires.
Deliverable: The hybrid environment mapping checklist, the rapid environment snapshot commands (PowerShell, Graph API, native Linux), and the NE reference architecture as a worked example.
Estimated completion: 30 minutes
[Figure TR0.5 diagram, NORTHGATE ENGINEERING HYBRID ENVIRONMENT MAP. Panels and connections recovered from the image:]
ENTRA ID + M365: 810 users, 1 tenant; Exchange, SharePoint, Teams; Defender XDR, Sentinel
ON-PREM AD + WINDOWS: 2 DCs, 1 forest, 1 domain; 480 workstations, 35 servers; Entra Connect sync (PHS)
LINUX INFRASTRUCTURE: 12 servers (DB, web, container); 3 K8s clusters (AKS + on-prem); Syslog → Sentinel, no Defender agent
Connections: Entra Connect (on-prem AD → Entra ID); SSH from AD-joined Windows hosts → Linux
HYBRID ATTACK PATHS: AiTM → Token Theft → BEC | Beacon → LSASS → SSH Lateral | Entra Connect → DCSync | AD CS → Golden Cert → Cloud Access | Container Escape → Host → AD | Pass-the-PRT → MFA Bypass

Figure TR0.5 — Northgate Engineering hybrid environment. 810 users across 3 environments connected by Entra Connect sync and SSH access paths. 6 documented hybrid attack paths enable cross-environment lateral movement.

The rapid environment snapshot

The triage responder needs answers to 5 questions within the first 2 minutes of any incident. These questions determine whether the alert is environment-scoped (single system) or cross-environment (hybrid attack chain):

Question 1: Does this identity exist in Entra ID?

// Check if the compromised account has a cloud identity
// (run in the workspace where IdentityInfo is populated; match on either
// the sAMAccountName or the UPN, since the alert may carry only one of them)
IdentityInfo
| where AccountName has "svc-dbadmin" or AccountUpn has "svc-dbadmin"
| project AccountName, AccountUpn, IsAccountEnabled, Department,
    AccountObjectId, OnPremisesDistinguishedName
| take 5

If the account exists in Entra ID with an OnPremisesDistinguishedName, it is synchronised from on-prem AD via Entra Connect. Because NE uses password hash sync (PHS), the same password is valid in both directories, so a compromise of this account affects BOTH on-prem AD AND Entra ID. If the account exists only in Entra ID (no OnPremisesDistinguishedName), it is cloud-only, and any similarly named on-prem account is a separate credential. If the query returns nothing, the account is either on-prem only or a local/service account outside AD, and must be checked in AD or on the host directly.

Question 2: Is this device hybrid-joined?

// Check device registration status. DeviceInfo holds one row per report
// interval, so take the most recent row rather than an arbitrary one.
DeviceInfo
| where DeviceName == "DESKTOP-NGE042"
| summarize arg_max(Timestamp, *) by DeviceName
| project DeviceName, JoinType, OSPlatform, AadDeviceId,
    OnboardingStatus, MachineGroup

JoinType values: AzureADJoined (cloud-only), HybridAzureADJoined (on-prem AD + Entra ID), AzureADRegistered (BYOD). Hybrid-joined devices hold credentials for BOTH on-prem AD (the computer account) AND Entra ID: a Primary Refresh Token (PRT) issued at user logon. A PRT stolen from the device, together with its session key, lets an attacker request access tokens that already carry the MFA claim recorded at the original logon, so Conditional Access MFA requirements are satisfied without a new MFA prompt (the Pass-the-PRT attack from TR2.2).

Question 3: Is this Linux server managed/monitored?

// Check Syslog ingestion for the server. No time filter on purpose:
// LastEvent shows when forwarding stopped, which matters during triage.
Syslog
| where Computer == "SRV-NGE-BRS-DB01"
| summarize LastEvent = max(TimeGenerated), EventCount = count() by Computer

If the Syslog table has recent events: the server forwards logs to Sentinel. If the query returns empty: the server does NOT forward syslog — the triage relies entirely on local log analysis, and the cross-environment KQL queries from TR4.9 will not have Linux-side data.

Question 4: What connects to this system?

// Successful network connections TO the compromised system in the last 24 hours.
// Only Defender-onboarded endpoints report DeviceNetworkEvents, so the
// source side is always a Windows device here.
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteIP == "10.1.2.50"  // Linux server IP
| where ActionType == "ConnectionSuccess"
| summarize Connections = count(),
    Devices = make_set(DeviceName, 20),
    Ports = make_set(RemotePort)
    by RemoteIP

This reveals the Windows devices that connected to the compromised Linux server, the potential lateral movement sources. Each device in the result set should be checked for compromise indicators. Caveat: DeviceNetworkEvents only records connections made by Defender-onboarded endpoints. At NE the Linux servers carry no Defender agent, so Linux-to-Linux SSH hops do not appear in this query; for those, query the target server's sshd authentication events in the Syslog table, or read the local auth log (auth.log or secure) or the journal on the server if it does not forward syslog.

Question 5: What data does this system access?

The business impact depends on what data the compromised system holds or connects to. A compromised web server that serves static content is LOW impact. A compromised database server holding customer PII is HIGH impact and triggers the GDPR Article 33 notification requirement (72 hours to the supervisory authority). The environment map should document: server role → data classification → regulatory exposure.
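The four queries above answer Questions 1 to 4 one at a time. The following is an added example, not part of the course material: a small Python scoping helper that takes the exported rows of those queries (as lists of dicts keyed by the column names the queries project) and combines them into the single verdict the responder needs first, cross-environment or single-environment. The sample rows, the ne.example UPN suffix and the JoinType labels are constructed for the example; the labels follow the ones listed on this page and may differ from the exact strings your tenant emits.

```python
"""Scope triage from the rapid environment snapshot.

Added example, not code from the course. It assumes the four KQL queries
above were exported as rows (for instance JSON from Sentinel or Defender
XDR) and loaded as lists of dicts keyed by the projected column names.
All sample rows below are constructed; the JoinType labels are the ones
the page lists and may differ from your tenant's exact strings.
"""
from collections import defaultdict

# Constructed sample exports standing in for the query results.
IDENTITY_INFO = [
    {"AccountName": "svc-dbadmin", "AccountUpn": "svc-dbadmin@ne.example",
     "IsAccountEnabled": True,
     "OnPremisesDistinguishedName": "CN=svc-dbadmin,OU=Service,DC=ne,DC=local"},
    {"AccountName": "contractor01", "AccountUpn": "contractor01@ne.example",
     "IsAccountEnabled": True, "OnPremisesDistinguishedName": ""},
]
DEVICE_INFO = [
    {"DeviceName": "DESKTOP-NGE042", "JoinType": "HybridAzureADJoined",
     "OSPlatform": "Windows11", "OnboardingStatus": "Onboarded"},
    {"DeviceName": "LAPTOP-NGE311", "JoinType": "AzureADJoined",
     "OSPlatform": "Windows11", "OnboardingStatus": "Onboarded"},
]
SYSLOG_SUMMARY = [
    {"Computer": "SRV-NGE-BRS-DB01", "LastEvent": "2025-03-01T08:12:00Z",
     "EventCount": 1840},
]
# DeviceNetworkEvents rows: outbound connections seen by onboarded Windows hosts.
NETWORK_EVENTS = [
    {"DeviceName": "DESKTOP-NGE042", "RemoteIP": "10.1.2.50", "RemotePort": 22,
     "ActionType": "ConnectionSuccess"},
    {"DeviceName": "DESKTOP-NGE042", "RemoteIP": "10.1.2.50", "RemotePort": 22,
     "ActionType": "ConnectionSuccess"},
    {"DeviceName": "SRV-NGE-APP02", "RemoteIP": "10.1.2.50", "RemotePort": 5432,
     "ActionType": "ConnectionSuccess"},
    {"DeviceName": "LAPTOP-NGE311", "RemoteIP": "10.1.2.50", "RemotePort": 22,
     "ActionType": "ConnectionFailed"},
    {"DeviceName": "LAPTOP-NGE311", "RemoteIP": "10.1.2.51", "RemotePort": 443,
     "ActionType": "ConnectionSuccess"},
]


def identity_scope(account: str, rows=IDENTITY_INFO) -> str:
    """Q1: 'synced' (AD + Entra ID), 'cloud-only', or 'not-in-entra'."""
    for r in rows:
        if account in (r["AccountName"], r["AccountUpn"]):
            return "synced" if r.get("OnPremisesDistinguishedName") else "cloud-only"
    return "not-in-entra"


def device_scope(device: str, rows=DEVICE_INFO) -> str:
    """Q2: map JoinType to where the device holds credentials."""
    join_map = {"HybridAzureADJoined": "hybrid", "AzureADJoined": "cloud-only",
                "AzureADRegistered": "registered"}
    for r in rows:
        if r["DeviceName"] == device:
            return join_map.get(r["JoinType"], "unknown")
    return "unknown"


def syslog_covered(computer: str, rows=SYSLOG_SUMMARY) -> bool:
    """Q3: True if the Linux host has forwarded any syslog into Sentinel."""
    return any(r["Computer"] == computer and r["EventCount"] > 0 for r in rows)


def connection_sources(remote_ip: str, rows=NETWORK_EVENTS) -> dict:
    """Q4: successful connections to remote_ip, grouped like make_set()."""
    sources = defaultdict(set)
    for r in rows:
        if r["RemoteIP"] == remote_ip and r["ActionType"] == "ConnectionSuccess":
            sources[r["DeviceName"]].add(r["RemotePort"])
    return {d: sorted(p) for d, p in sorted(sources.items())}


def scope_alert(account: str, device: str, linux_host: str, linux_ip: str) -> dict:
    """Combine Q1 to Q4 into the scoping verdict the responder needs first."""
    ident, dev = identity_scope(account), device_scope(device)
    sources = connection_sources(linux_ip)
    # Cross-environment if the identity or device spans AD and Entra ID, or if
    # telemetry shows another host reached the Linux server (a candidate
    # lateral-movement source). Otherwise treat it as single-environment.
    cross = ident == "synced" or dev == "hybrid" or bool(sources)
    return {
        "identity": ident, "device": dev,
        "linux_syslog_in_sentinel": syslog_covered(linux_host),
        "lateral_sources": sources,
        "verdict": "cross-environment" if cross else "single-environment",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_alert("svc-dbadmin", "DESKTOP-NGE042",
                                 "SRV-NGE-BRS-DB01", "10.1.2.50"), indent=2))
```

The verdict rule is deliberately conservative: any one of a synced identity, a hybrid-joined device or a connecting host is enough to treat the alert as a hybrid chain, because each one is a boundary the attacker can already cross. Failed connections are excluded, as in the KQL above, so a blocked SSH attempt does not inflate the lateral-movement list.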

Common hybrid attack paths at NE

The 6 NE attack chains demonstrate specific hybrid attack paths:

CHAIN-HARVEST: Cloud identity → M365 BEC. Path: AiTM phishing → session token theft → inbox rule creation → financial fraud. Environment boundary crossed: none (cloud-only attack), but DETECTION requires endpoint telemetry (the phishing email was delivered to the endpoint).

CHAIN-DRIFT: Cloud → Windows → Linux. Path: compromised identity → endpoint beacon deployment → LSASS credential dump → SSH lateral movement to Linux server. This is the cross-environment chain that TR4.9 fully traces.

CHAIN-PRIVILEGE: AD → Entra ID. Path: Kerberoasting → service account compromise → Entra Connect sync exploitation → cloud admin access. Environment boundary: on-prem AD to cloud via the Entra Connect sync mechanism.

CHAIN-ENDPOINT: Windows → AD. Path: phishing → beacon → DCSync → domain compromise. Classic Windows/AD attack path, contained within the on-prem environment.

CHAIN-MESH: Linux → container → host → AD. Path: web application vulnerability → container compromise → container escape (privileged mode) → host compromise → SSH to other servers → AD access via cached credentials. Multiple environment boundaries crossed.

CHAIN-FACTORY: Linux standalone. Path: SSH brute force → cryptominer deployment → persistence. Contained within the Linux environment, but the attacker may discover cached AD credentials on the Linux server (from Winbind/SSSD integration) and pivot to AD.

Building the environment map for your organisation

# Active Directory: domains, forests, trusts, DCs
# (PowerShell on a domain-joined host with the RSAT ActiveDirectory module)
Get-ADDomain | Select-Object DNSRoot, Forest, DomainControllersContainer
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem

# Entra ID (Microsoft Graph PowerShell): tenant, Entra Connect sync status,
# count of synced users, device join types
Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All", "Device.Read.All"
Get-MgOrganization -Property DisplayName, Id, VerifiedDomains, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime |
    Select-Object DisplayName, Id, VerifiedDomains, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" -ConsistencyLevel eventual -CountVariable syncedUsers | Out-Null
$syncedUsers   # identities synchronised from on-prem AD
# TrustType: ServerAd = hybrid-joined, AzureAd = Entra-joined, Workplace = registered (BYOD)
Get-MgDevice -All | Group-Object TrustType | Select-Object Name, Count

# M365: licensed workloads
Get-MgSubscribedSku | Select-Object SkuPartNumber, ConsumedUnits

# Linux: server inventory from Sentinel (KQL, run in the Logs blade, not in PowerShell)
#   Syslog | summarize LastSeen = max(TimeGenerated) by Computer | sort by LastSeen desc
# Linux (native, on each server): AD join state and syslog forwarding targets
#   realm list                                      # joined domain and client software (sssd/winbind)
#   grep -r '@' /etc/rsyslog.conf /etc/rsyslog.d/   # @host = UDP, @@host = TCP forwarding

Document the results as the BASELINE environment map. During triage, any entity (user, device, server, application) not in the baseline warrants investigation — it may have been created by the attacker.
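Comparing a triage-time snapshot against the baseline is easiest when the baseline is stored as structured data rather than a document. The following is an added example, not part of the course: it normalises inventory rows of the kind the commands above return (a key such as a UPN, device name or hostname, plus a few security-relevant attributes) into a baseline map, persists it as JSON, and diffs a later snapshot against it, ranking the findings that widen blast radius or blind the SOC first. The rows, the attribute names and the priority rules are this example's own constructions.

```python
"""Baseline environment map with drift detection.

Added example, not code from the course. It assumes the inventory
commands above were exported into rows with a "key" (UPN, device name,
hostname or app name) plus a few security-relevant attributes. All rows
below are constructed; the attribute names and priority rules are this
example's own choice.
"""
import json
from pathlib import Path

# Attributes whose change alters the scoping answer, per entity kind.
TRACKED = {
    "identity": ("synced", "enabled", "privileged"),
    "device": ("join_type", "onboarded"),
    "linux": ("syslog_forwarding",),
    "app": ("owner",),
}

# Constructed baseline (preparation phase) and a later snapshot (triage).
BASELINE_ROWS = {
    "identity": [
        {"key": "svc-dbadmin@ne.example", "synced": True, "enabled": True, "privileged": False},
        {"key": "admin.jlee@ne.example", "synced": False, "enabled": True, "privileged": True},
    ],
    "device": [{"key": "DESKTOP-NGE042", "join_type": "hybrid", "onboarded": True}],
    "linux": [
        {"key": "SRV-NGE-BRS-DB01", "syslog_forwarding": True},
        {"key": "SRV-NGE-BRS-WEB01", "syslog_forwarding": True},
    ],
    "app": [{"key": "finance-etl", "owner": "infrastructure"}],
}
CURRENT_ROWS = {
    "identity": [
        {"key": "svc-dbadmin@ne.example", "synced": True, "enabled": True, "privileged": True},
        {"key": "admin.jlee@ne.example", "synced": False, "enabled": True, "privileged": True},
        {"key": "backup.svc@ne.example", "synced": False, "enabled": True, "privileged": True},
    ],
    "device": [
        {"key": "DESKTOP-NGE042", "join_type": "hybrid", "onboarded": True},
        {"key": "WIN-7K3QJ1", "join_type": "cloud-only", "onboarded": False},
    ],
    "linux": [{"key": "SRV-NGE-BRS-DB01", "syslog_forwarding": False}],
    "app": [{"key": "finance-etl", "owner": "infrastructure"}],
}


def build_map(rows_by_kind: dict) -> dict:
    """Normalise inventory rows into {kind: {key: {tracked attrs}}}."""
    return {kind: {r["key"]: {a: r.get(a) for a in TRACKED[kind]} for r in rows}
            for kind, rows in rows_by_kind.items()}


def _priority(kind: str, finding: str, attrs: dict, attr=None, new=None) -> str:
    """Findings that widen blast radius or blind the SOC are 'high'."""
    if kind == "identity" and (
            (finding == "new" and attrs.get("privileged"))
            or (finding == "changed" and attr in ("privileged", "synced"))):
        return "high"
    if kind == "device" and finding == "new" and not attrs.get("onboarded"):
        return "high"
    if kind == "linux" and finding == "changed" and attr == "syslog_forwarding" and not new:
        return "high"
    return "medium"


def diff_map(baseline: dict, current: dict) -> list:
    """Entities absent from the baseline, gone since it, or changed."""
    findings = []
    for kind in TRACKED:
        base, cur = baseline.get(kind, {}), current.get(kind, {})
        for key in sorted(cur.keys() - base.keys()):
            findings.append({"kind": kind, "key": key, "finding": "new",
                             "priority": _priority(kind, "new", cur[key])})
        for key in sorted(base.keys() - cur.keys()):
            findings.append({"kind": kind, "key": key, "finding": "missing",
                             "priority": "medium"})
        for key in sorted(base.keys() & cur.keys()):
            for attr in TRACKED[kind]:
                old, new = base[key][attr], cur[key][attr]
                if old != new:
                    findings.append({"kind": kind, "key": key, "finding": "changed",
                                     "attr": attr, "old": old, "new": new,
                                     "priority": _priority(kind, "changed", cur[key], attr, new)})
    # High-priority findings first; the stable sort keeps kind/key order within a tier.
    findings.sort(key=lambda f: 0 if f["priority"] == "high" else 1)
    return findings


def save_baseline(path, baseline: dict) -> None:
    """Persist the baseline map; re-run after every approved infrastructure change."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    for f in diff_map(build_map(BASELINE_ROWS), build_map(CURRENT_ROWS)):
        print(f["priority"].upper(), f["kind"], f["key"], f["finding"], f.get("attr", ""))
```

A "missing" entity is ranked medium rather than ignored: decommissioning is the usual cause, but an attacker who deletes a device record or stops a syslog forwarder produces the same signal, so the responder should confirm it against change records before dismissing it.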

Try it: build your organisation's hybrid environment map

Run the 5 snapshot queries above against your production environment. Document: (1) How many identities are synced between AD and Entra ID? (2) How many devices are hybrid-joined? (3) Which Linux servers forward syslog to Sentinel? (4) What are the top 10 network connections between environments? (5) Which systems hold data subject to regulatory requirements? This document becomes your triage reference — consult it within the first 2 minutes of every incident to determine scope.

Compliance Myth: "Our environments are separate — AD is managed by infrastructure, M365 by the cloud team, Linux by DevOps. A compromise in one does not affect the others"

The myth: Separate management teams mean separate security boundaries. The infrastructure team’s AD and the cloud team’s M365 are independent environments.

The reality: Entra Connect synchronises identities between AD and Entra ID — a compromised AD account IS a compromised cloud account. Hybrid-joined devices hold PRTs that grant cloud access — a compromised endpoint IS a cloud access path. Linux servers authenticate against AD via SSSD/Winbind — a compromised Linux server may hold cached AD credentials. The management TEAMS may be separate, but the IDENTITY FABRIC connects all three environments. The 6 NE attack chains demonstrate that attackers traverse environment boundaries routinely — the boundary that matters is the identity boundary, not the management boundary.

Troubleshooting

“I do not have access to all three environments.” This is common — the SOC analyst may have Sentinel access but not AD admin or Linux root. Document which queries you CAN run and which require escalation. The environment map should note access requirements per query. During triage, request access through the emergency access procedure rather than waiting for normal change management.

“The organisation does not have an environment map.” Build one NOW using the queries above. The first incident where you need the map and do not have it will cost hours of scope determination that could have been done in minutes. The environment map is a preparation-phase deliverable (NIST Preparation, SANS Preparation) — not a triage-phase creation.

Beyond this investigation: Environment mapping connects to Entra ID Security (where the Entra Connect sync configuration, device registration states, and conditional access policies are secured), Practical GRC (where the environment map feeds into the risk register — each hybrid connection path is a risk that requires controls), and SOC Operations (where the environment map is maintained as a living document, updated whenever infrastructure changes occur).
