
Clément Notin

@cnotin.bsky.social

206 Followers  |  70 Following  |  18 Posts  |  Joined: 22.09.2023

Posts by Clément Notin (@cnotin.bsky.social)

Frequently Asked Questions About BadSuccessor Frequently asked questions about “BadSuccessor,” a zero-day privilege escalation vulnerability in Active Directory domains with at least one Windows Server 2025 domain controller.

🤔 We have answers to your questions on #BadSuccessor, the latest AD vulnerability www.tenable.com/blog/frequen...
🕵️ Tenable Identity Exposure customers can check their exposure with our recently released Indicator of Exposure (IoE): www.tenable.com/indicators/i...

02.06.2025 18:54 — 👍 0    🔁 0    💬 0    📌 0

Here's (finally!) what I've found about this 😉
bsky.app/profile/cnot...

24.04.2025 13:46 — 👍 3    🔁 2    💬 1    📌 0

To summarize, these hardenings are great (and the new app will likely make it possible to support some security features), but they don't prevent everything and even introduce new cracks to monitor.
There's no magic to keep this feature working anyway 😉

24.04.2025 13:39 — 👍 1    🔁 0    💬 0    📌 0

And what about the new "Microsoft Entra AD Synchronization Service" application? 🤔
It exposes a new permission: ADSynchronization.ReadWrite.All, which also allows calling the sync API when granted to a service principal ➡️ same impact

24.04.2025 13:39 — 👍 0    🔁 0    💬 1    📌 0

The Directory Synchronization Accounts role has lost most of its Entra permissions... but it retains implicit permissions to call the undocumented synchronization API 😯 ➡️ reset hybrid users' passwords
And so does the new "On Premises Directory Sync Account" Entra role 👀

24.04.2025 13:39 — 👍 0    🔁 0    💬 1    📌 0
Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchroniza...

Microsoft hardened the Entra ID synchronization feature last year:
- restricted permissions on Directory Synchronization Accounts role
- new dedicated sync app
Let’s find out how sync still works 🔍
Some old tricks persist—and new ones have emerged 💥
tenable.com/blog/despite... 🧵

24.04.2025 13:39 — 👍 0    🔁 1    💬 1    📌 1

🎥 Here's the recording of last week's webinar where I shared how to protect Entra ID from real-world attacks 🏴‍☠️, beginning with federation backdoors/privesc, using Tenable Identity Exposure

24.03.2025 14:08 — 👍 1    🔁 0    💬 0    📌 0

Hey! Indeed!

23.12.2024 12:17 — 👍 0    🔁 0    💬 0    📌 0
KB5040758: Deleting a stale, corrupt, or orphaned Trust object in Active Directory - Microsoft Support

⚠️ this is likely unsupported by Microsoft even though this method is advised to clean broken trust objects
support.microsoft.com/en-us/topic/...

And as described in the doc, this operation is not global: it's only effective within the same LDAP connection. That's why using ldp or LDIFDE helps

23.12.2024 10:32 — 👍 1    🔁 0    💬 0    📌 0

Log in as Domain or Schema admin
- Use ldp.exe and set the "schemaUpgradeInProgress" operation to 1 using Browse -> Modify
- Now you can clear this protected attribute
- Or set any value
Then stop it by setting "schemaUpgradeInProgress" to 0

23.12.2024 10:32 — 👍 2    🔁 0    💬 1    📌 0
[MS-ADTS]: schemaUpgradeInProgress This operation causes the fschemaUpgradeInProgress field of LDAPConnection instances in dc.LDAPConnections ([MS-DRSR]

You know how some system AD attributes cannot be edited even when Domain Admin?
"Error 0x20B1 The attribute cannot be modified because it is owned by the system."
This can be bypassed using the schemaUpgradeInProgress modify operation learn.microsoft.com/en-us/opensp... 😉⬇️

23.12.2024 10:32 — 👍 2    🔁 0    💬 1    📌 0

Hello there 👋

23.12.2024 10:31 — 👍 1    🔁 0    💬 1    📌 0

Thanks!

20.12.2024 17:36 — 👍 0    🔁 0    💬 0    📌 0

Damn indeed of course! I’m tired 😅

20.12.2024 17:33 — 👍 0    🔁 0    💬 1    📌 0

But you can log in without the invite? Because it was already sent earlier to the typo'd domain that the attacker didn't own yet

20.12.2024 17:29 — 👍 0    🔁 0    💬 0    📌 0

I think the issue was this one by @dirkjanm.io:
dirkjanm.io/assets/raw/U...
but it was fixed

20.12.2024 12:00 — 👍 2    🔁 0    💬 0    📌 0

You mean it cannot work because the attacker would have to have the invite link too? I think so too 🤔

20.12.2024 11:57 — 👍 0    🔁 0    💬 1    📌 0

Hey! Do you remember the podcast please?

20.12.2024 11:54 — 👍 0    🔁 0    💬 0    📌 0