
The (Un)Rightful Heir: My dMSA Is Your New Domain Admin.pdf

Uploaded by: 竿*** ID: 982142 2025-11-29 60 pages 5.74MB

#SECTORCA BlackHatEvents

The (Un)Rightful Heir: My dMSA Is Your New Domain Admin

The Great Mystery of MSAs
- dMSA
- gMSA

whoami
- Yuval Gordon
- Security Researcher at Akamai
- YuG0rd

Agenda
- Introduction to service accounts
- Deep dive to dMSA
- BadSuccessor pre-patch
- BadSuccessor post-patch

Service accounts
- Daily ticket - TGT
- Ride Service
- Ride Operator
- Service account
- Story by Elad Shamir, Kerberos Delegation Attacks

Service accounts
- Legacy service accounts
- Managed service accounts (MSA, gMSA)

Why (g)MSAs Didn't Take Over
- Not fully supported
- Operational friction

dMSA (delegated MSA)
- "dMSA's secret can't be retrieved or found anywhere other than on the DC" (Microsoft Documentation)

Migration Flow

dMSA Migration Phases
- Start
- Wait
- Complete

Authentication Flow before migration
- SQL Service (SQL_SRV$) -> DC: AS-REQ: svc_sql
- DC -> SQL Service: AS-REP: svc_sql

dMSA Migration - start
- DMSA$ and svc_sql: accounts are linked
- svc_sql is granted permissions on DMSA$

Authentication flow during migration
- SQL Service (SQL_SRV$) -> DC: AS-REQ: svc_sql
- DC -> SQL Service: AS-REP: svc_sql; additional info: Will be superseded by DMSA$
- LDAP UPDATE: Allow SQL_SRV$ access DMSA$

[Meme: now we wait / Spongebob]

dMSA Migration - complete
- Configurations
- DMSA$
- svc_sql

Authentication flow after migration
- SQL Service (SQL_SRV$) -> DC: AS-REQ: svc_sql
- DC -> SQL Service: KRB-ERR: Superseded by DMSA$
- SQL Service -> DC: AS-REQ: DMSA$
- DC -> SQL Service: AS-REP: DMSA$

dMSA migration - privileges

Privile

- **Introduction to dMSA (Delegated Managed Service Account)**: dMSA is a new type of domain administrator account introduced by Microsoft, intended to improve security.
- **dMSA migration flow**: three phases, start, wait and complete, covering account linking, permission granting and the authentication flow.
- **BadSuccessor attack**: an attacker who controls a dMSA escalates privileges by simulating the migration process to obtain domain administrator rights.
- **Microsoft's response**: Microsoft judged that the vulnerability did not meet the bar for immediate servicing, but would fix it in the future (patched on 12 August 2025).
- **Post-patch attack scenarios**: user compromise and domain-wide credential exposure.
- **Detection and conclusion**: configure SACLs to detect dMSA creation and linking, and log dMSA credentials. dMSA is a promising new feature, but it must be used with care.