
Advanced Active Directory to Entra ID lateral movement techniques.pdf

Uploaded by: 竿*** ID: 981951 2025-11-29 85 pages 4.96MB

#BHUSA BlackHatEvents

Advanced Active Directory to Entra ID lateral movement techniques
Dirk-jan Mollema

About me
Dirk-jan Mollema
From The Hague, Netherlands
Hacker/Researcher/Founder/Trainer, Outsider Security
Talks at Black Hat/DEF CON/BlueHat/Troopers/x33fcon
Author of several Active Directory and Entra ID tools: mitm6, ldapdomaindump, adidnsdump, BloodHound.py, ntlmrelayx/krbrelayx, ROADtools
Socials: Blog/talks: dirkjanm.io; Twitter/X: _dirkjan; BlueSky: dirkjanm.io

Agenda
Domains in AD and in Entra ID
Existing hybrid attacks
Policies
Exchange

Domains

Domains in AD vs Entra
Domains in Active Directory:
Are logical containers with their own structure.
Are part of a forest of one or multiple domains, which acts as the security boundary.
In Entra ID:
Domains are custom domains that you can use for sending email or as a suffix for userPrincipalNames.
Entra has a flat structure, which means there is no difference between users in one domain versus another domain.

Domains in hybrid AD/Entra ID
We can sync multiple AD domains/forests to the same tenant.
All users from these domains will be "pooled" together in Entra ID.
However, we can configure authentication (managed/federated) on a per-domain basis.
This is what confuses people (including me).
In Entra ID, there is no boundary between different custom domains.
However, there is a difference between synced accounts and "cloud-only" accounts.

Entra ID hybrid setup
[Diagram labels: Microsoft Entra Tenant identity layer; Domain 1, Domain 2, Domain 3, Domain N; Managed (PHS); Federated (AD FS); AD DS 1, AD DS 2; Entra ID; On-premises; Sync; Sync; Auth]

Entra ID hybrid attacks from AD
[Diagram labels: Entra ID cloud only users; Entra ID hybrid users; Managed (PHS); Federated (AD FS); AD DS 1, AD DS 2; Entra ID; On-premises; Sync; Sync; Issue auth tokens; Write password; Domain 1, Domain 2; Hybrid domain co (preview text cut off here)]

1. **Author background**: Dirk-jan Mollema, cybersecurity expert and developer of Active Directory and Entra ID tools.
2. **AD vs. Entra ID domain structure**: Domains in Active Directory are logical containers; domains in Entra ID are custom domains in a flat structure with no boundary between domains.
3. **Hybrid-environment attacks**: Attackers can exploit vulnerabilities in hybrid environments, such as AD FS and Seamless SSO attacks, to forge tokens or tickets.
4. **Entra ID Connect attacks**: Through Entra ID Connect, an attacker can change cloud-only users into hybrid users and modify service principal passwords.
5. **Seamless SSO configuration**: The Seamless SSO configuration allows the use of a pre-shared key, which could be used to create a backdoor.
6. **External Authentication Methods (EAM)**: Attackers can modify the EAM policy to bypass MFA.
7. **Exchange hybrid configuration**: The certificate used in an Exchange hybrid environment can authenticate to Exchange Online, potentially enabling unauthorized access.
8. **Service-to-service (S2S) tokens**: S2S tokens allow an attacker to access Exchange Online and SharePoint Online as any user.
9. **Audit logs**: These attacks may not be recorded in the audit logs.
10. **Mitigations**: Microsoft has taken steps to mitigate some of these vulnerabilities, but Exchange hybrid environments remain at risk.