#SECTORCA #BlackHatEvents

The (Un)Rightful Heir: My dMSA Is Your New Domain Admin

The Great Mystery of MSAs
- dMSA
- gMSA

whoami
- Yuval Gordon
- Security Researcher at Akamai
- YuG0rd

Agenda
- Introduction to service accounts
- Deep dive to dMSA
- BadSuccessor pre-patch
- BadSuccessor post-patch

Service accounts
- Daily ticket - TGT
- Ride - Service
- Ride Operator - Service account
- Story by Elad Shamir, Kerberos Delegation Attacks

Service accounts
- Legacy service accounts
- Managed service accounts (MSA, gMSA)

Why (g)MSAs Didn't Take Over
- Not fully supported
- Operational friction

dMSA (delegated MSA)
"dMSA's secret can't be retrieved or found anywhere other than on the DC" - Microsoft Documentation

Migration Flow

dMSA Migration Phases
- Start
- Wait
- Complete

Authentication flow before migration
- SQL Service (SQL_SRV$) -> DC: AS-REQ: svc_sql
- DC -> SQL Service: AS-REP: svc_sql

dMSA Migration - start
- DMSA$ and svc_sql: accounts are linked
- svc_sql is granted permissions on DMSA$

Authentication flow during migration
- SQL Service (SQL_SRV$) -> DC: AS-REQ: svc_sql
- DC -> SQL Service: AS-REP: svc_sql; additional info: will be superseded by DMSA$
- LDAP UPDATE: allow SQL_SRV$ access to DMSA$

Meme: now we wait (Spongebob)

Configurations
- DMSA$, svc_sql
- dMSA Migration - complete

Authentication flow after migration
- SQL Service (SQL_SRV$) -> DC: AS-REQ: svc_sql
- DC -> SQL Service: KRB-ERR: Superseded by DMSA$
- SQL Service -> DC: AS-REQ: DMSA$
- DC -> SQL Service: AS-REP: DMSA$

dMSA migration - privileges

Privile
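The three migration phases and the before/during/after AS-REQ exchanges from the slides, as an added toy model (not the talk's code and not Windows' implementation): the account names svc_sql, DMSA$ and SQL_SRV$ come from the slides, while the Directory/Legacy/Dmsa classes, the client_logon helper and the "allowed_hosts" set standing in for the LDAP update are assumptions made for the example.

```python
# Added example, not from the talk: toy model of the dMSA migration phases and of the DC's AS-REQ answer in each.
from dataclasses import dataclass, field

NONE, STARTED, COMPLETED = "none", "started", "completed"  # migration phases

@dataclass
class Legacy:                        # legacy service account, e.g. svc_sql
    name: str
    phase: str = NONE
    superseded_by: str = ""           # the linked dMSA, set at migration-start

@dataclass
class Dmsa:                          # delegated MSA, e.g. DMSA$
    name: str
    preceded_by: str = ""             # link back to the legacy account
    allowed_hosts: set[str] = field(default_factory=set)  # hosts allowed to use it (assumed stand-in for the LDAP update)

@dataclass
class Directory:                     # the DC's view of both account types
    legacy: dict[str, Legacy]
    dmsas: dict[str, Dmsa]

    def migration_start(self, legacy: str, dmsa: str, host: str) -> None:
        # "Accounts are linked" and the host (SQL_SRV$) is allowed access to DMSA$
        self.legacy[legacy].superseded_by, self.legacy[legacy].phase = dmsa, STARTED
        self.dmsas[dmsa].preceded_by = legacy
        self.dmsas[dmsa].allowed_hosts.add(host)

    def migration_complete(self, legacy: str) -> None:
        self.legacy[legacy].phase = COMPLETED

    def as_req(self, principal: str) -> tuple[str, str, str]:
        """DC side: (message, principal, extra info) returned for one AS-REQ."""
        if principal in self.dmsas:
            return ("AS-REP", principal, "")
        acct = self.legacy[principal]
        if acct.phase == COMPLETED:    # after migration: error that redirects
            return ("KRB-ERR", principal, f"Superseded by {acct.superseded_by}")
        if acct.phase == STARTED:      # during migration: ticket plus a hint
            return ("AS-REP", principal, f"Will be superseded by {acct.superseded_by}")
        return ("AS-REP", principal, "")  # before migration: plain AS-REP

def client_logon(d: Directory, host: str, principal: str) -> list[tuple[str, str, str]]:
    """Client side: on a 'Superseded by' error, retry as the dMSA if this host may use it."""
    trace = [d.as_req(principal)]
    kind, _, info = trace[0]
    if kind == "KRB-ERR" and info.startswith("Superseded by "):
        dmsa = info.removeprefix("Superseded by ")
        if host in d.dmsas[dmsa].allowed_hosts:
            trace.append(d.as_req(dmsa))
    return trace
```

A host not granted access at migration-start only ever sees the KRB-ERR, which is the observable difference between the "during" and "after" phases for a defender watching authentication traffic.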