CN-120880706-B - Identity security protection method, system and storage medium based on Azure AD control capability
Abstract
The application belongs to the technical field of computer network security, and in particular relates to a privilege escalation method that combines weak encryption in the Kerberos protocol with cloud dynamic policy. The method comprises the steps of: accessing a target user object in the AD with SYSTEM-level privileges and modifying its attributes to satisfy the preset conditions of a cloud privileged dynamic group membership rule, obtaining tampered target user attributes; having the Azure AD Connect synchronization service mark the tampered target user attributes as an attribute update event, so that the abnormal data stream is determined to conform to the characteristics of normal service synchronization; constructing a ticket with a Kerberos client library from the NTLM hash of the target user account, obtaining a forged ticket; dynamically adding the target user account to the associated Global Administrator role group, obtaining a target user account that holds a Global Administrator session token; and logging in through the PTA service channel with the forged ticket to obtain Azure AD control capability.
Inventors
- REN CHUANLUN
- YANG TIANCHANG
- ZHANG PENG
- LI RUNZE
- Zhai Yunjiao
- WANG ZHAOYANG
- YANG YINGJIE
- Gu Yanhao
Assignees
- 中国电子科技集团公司第十五研究所 (15th Research Institute of China Electronics Technology Group Corporation)
Dates
- Publication Date: 2026-05-12
- Application Date: 2025-07-08
Claims (9)
- 1. An identity security protection method based on Azure AD control capability, characterized by comprising the following steps: obtaining a target device, and tampering with the privileges of the target device through malicious process injection or registry key values to obtain SYSTEM-level privileges; using the SYSTEM-level privileges, accessing the standard department attribute field of a target user object in the AD and an extended attribute field that carries a permission-mapping function in the hybrid cloud synchronization scenario, and modifying them to satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain tampered target user attributes; uploading the tampered target user attributes to Azure AD in a compliant protocol format through an API channel by means of the Azure AD Connect synchronization service, marking them as an attribute update event, and determining that the abnormal data stream conforms to the characteristics of normal service synchronization; constructing a Kerberos ticket with a Kerberos client library from the NTLM hash of the target user account of the target device, to obtain a forged ticket; after Azure AD completes attribute synchronization, the cloud dynamic group membership engine evaluates the tampered target user attributes, and the target user account is dynamically added to the associated Global Administrator role group, to obtain a target user account holding a Global Administrator session token; under the target user account holding the Global Administrator session token, logging in through the PTA service channel with the forged ticket to obtain Azure AD control capability; and, through the Azure AD control capability, providing cloud service providers and security vendors with a verifiable scheme for reproducing the attack behaviour, and constructing an identity security protection mechanism.
- 2. The identity security protection method based on Azure AD control capability according to claim 1, wherein obtaining the target device and tampering with its privileges through malicious process injection or registry key values to obtain SYSTEM-level privileges comprises the following steps: acquiring initial execution permission on the target device by exploiting an unpatched privilege escalation vulnerability of the Windows system on the target device; and, from the initial execution permission on the target device, obtaining SYSTEM-level privileges by injecting into a high-privilege process or modifying a registry key value.
- 3. The identity security protection method based on Azure AD control capability according to claim 1, wherein the step of using the SYSTEM-level privileges to access the standard department attribute field of the target user object in the AD and the extended attribute field carrying a permission-mapping function in the hybrid cloud synchronization scenario, and modifying them to satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain the tampered target user attributes, comprises: analysing the rules of the msDS-cloudExtensionAttribute metadata in the AD schema to obtain a matching rule; and, according to the matching rule, using the SYSTEM-level privileges to modify the standard department attribute field of the target user object in the AD and the extended attribute field carrying a permission-mapping function in the hybrid cloud synchronization scenario so that they satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain the tampered target user attributes.
- 4. The identity security protection method based on Azure AD control capability according to claim 1, wherein the step of using the Azure AD Connect synchronization service to upload the tampered target user attributes to Azure AD in a compliant protocol format through an API channel, marking them as an attribute update event, and determining that the abnormal data stream conforms to the characteristics of normal service synchronization, comprises: using the SYSTEM-level privileges to hijack the Azure AD Connect synchronization service, or invoking the Start-ADSyncSyncCycle PowerShell command to force the start of a delta synchronization cycle, to obtain a synchronization instruction; and, according to the synchronization instruction, uploading the tampered target user attributes to Azure AD in the compliant DirSync protocol format through a Microsoft Graph API channel and marking them as a cloudAnchor attribute update event, so that the abnormal data stream is determined to conform to the characteristics of normal service synchronization.
- 5. The identity security protection method based on Azure AD control capability according to claim 1, wherein the step of constructing a Kerberos ticket with a Kerberos client library from the NTLM hash of the target user account of the target device, to obtain a forged ticket, comprises: constructing a Kerberos ticket according to the Kerberos protocol specification, using a core function of the Kerberos client library and the NTLM hash of the target user account of the target device, to obtain a forged Kerberos Silver Ticket bound to a service principal name, wherein the forged Kerberos Silver Ticket comprises the following key-field tampering: the user principal name is set to a high-privilege administrator account, the ticket validity period is extended to the maximum allowable threshold, and the service class is designated as the core service of hybrid authentication.
- 6. The identity security protection method based on Azure AD control capability according to claim 1, wherein the step in which, after Azure AD completes attribute synchronization, the cloud dynamic group membership engine evaluates the tampered target user attributes and the target user account is dynamically added to the associated Global Administrator role group, to obtain the target user account holding a Global Administrator session token, comprises: after Azure AD completes attribute synchronization, evaluating the tampered target user attributes with the cloud dynamic group membership engine, whereby the target user account is dynamically added to the associated Global Administrator role group; and, on the basis of the Global Administrator role group, the Azure AD identity provider issues a session token, to obtain the target user account holding the Global Administrator session token.
- 7. The identity security protection method based on Azure AD control capability according to claim 1, wherein the step of logging in through the PTA service channel with the forged ticket under the target user account holding the Global Administrator session token, to obtain Azure AD control capability, comprises: establishing a login request through the PTA service channel with the forged Kerberos Silver Ticket, to obtain a Global Administrator session token erroneously granted by Azure AD; and calling the Microsoft Graph API with the Global Administrator session token and executing high-risk privileged operations, to obtain control capability over Azure AD.
- 8. An identity security protection system based on Azure AD control capability, characterized in that it applies the identity security protection method based on Azure AD control capability as claimed in any one of claims 1 to 7, the system comprising: a local privilege escalation and attribute tampering module, used for obtaining the target device and tampering with its privileges through malicious process injection or registry key values to obtain SYSTEM-level privileges; the local privilege escalation and attribute tampering module is further used for accessing, with the SYSTEM-level privileges, the standard department attribute field of the target user object in the AD and the extended attribute field carrying a permission-mapping function in the hybrid cloud synchronization scenario, and modifying them to satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain the tampered target user attributes; the local privilege escalation and attribute tampering module is also used for uploading the tampered target user attributes to Azure AD in a compliant protocol format through an API channel by means of the Azure AD Connect synchronization service, marking them as an attribute update event, and determining that the abnormal data stream conforms to the characteristics of normal service synchronization; a Kerberos ticket forging module, used for constructing a Kerberos ticket with a Kerberos client library from the NTLM hash of the target user account of the target device, to obtain a forged ticket; an attribute synchronization and dynamic group triggering module, used for having the cloud dynamic group membership engine evaluate the tampered target user attributes after Azure AD completes attribute synchronization, whereby the target user account is dynamically added to the associated Global Administrator role group, to obtain the target user account holding a Global Administrator session token; and a PTA authentication and cloud control module, used for logging in through the PTA service channel with the forged ticket under the target user account holding the Global Administrator session token, to obtain Azure AD control capability; and, through the Azure AD control capability, providing cloud service providers and security vendors with a verifiable scheme for reproducing the attack behaviour, and constructing an identity security protection mechanism.
- 9. A computer storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the identity security protection method based on Azure AD control capability according to any one of claims 1 to 7.
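The chain in claims 1, 3, 4 and 6 rests on one precondition: a privileged cloud group whose dynamic membership rule is keyed on attributes (department, extension attributes) that Azure AD Connect syncs from on-prem AD, so that a local attribute write becomes a cloud role grant once synchronization runs. The following audit helper is an added example written from the defender's side, not code from the patent: it parses a flat subset of the dynamic membership rule syntax (`user.<attribute> -eq "<value>"` clauses joined by `-and` or `-or`), reports privileged groups whose rules depend on synced attributes, and replays attribute update events to flag the exact update that newly qualifies an account. The group names, rules, user records, update events and the lists of synced attributes and privileged roles are all constructed sample data.

```python
"""Audit helper for the precondition behind claims 1, 3, 4 and 6: privileged cloud
access keyed on user attributes that Azure AD Connect syncs from on-prem AD.

Added example, not code from the patent. Group names, rules, user records and
the attribute update events below are constructed sample data.
"""
import re
from copy import deepcopy
from dataclasses import dataclass

# Attributes commonly synced from on-prem AD that dynamic membership rules may
# reference (assumed inventory for this example; tailor it to the tenant's sync rules).
ON_PREM_SYNCED = {"department", "jobTitle", "companyName", "country"} | {
    f"extensionAttribute{i}" for i in range(1, 16)
}
# Roles treated as privileged by the audit (constructed list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# One clause of the dynamic membership rule syntax: user.<attr> -eq "<value>"
CLAUSE_RE = re.compile(r'user\.(\w+)\s+-eq\s+"([^"]*)"', re.IGNORECASE)


@dataclass(frozen=True)
class DynamicGroup:
    name: str
    rule: str          # flat rule: -eq clauses joined by -and, or by -or
    roles: frozenset   # directory roles the group confers on its members


def parse_rule(rule):
    """Return (connective, [(attribute, value), ...]) for a flat -and/-or rule."""
    clauses = CLAUSE_RE.findall(rule)
    if not clauses or len(clauses) != len(re.findall(r"-eq\b", rule, re.IGNORECASE)):
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    lowered = rule.lower()
    if " -and " in lowered and " -or " in lowered:
        raise ValueError("mixed -and/-or rules are outside this example's subset")
    return ("or" if " -or " in lowered else "and"), clauses


def rule_matches(rule, attrs):
    """Evaluate the rule against a user's attribute dictionary (missing attribute == '')."""
    connective, clauses = parse_rule(rule)
    hits = [attrs.get(attr, "") == value for attr, value in clauses]
    return any(hits) if connective == "or" else all(hits)


def is_privileged(group):
    return bool(group.roles & PRIVILEGED_ROLES)


def audit_rule_exposure(groups):
    """Privileged groups whose rule references attributes writable on-prem.

    Returns [(group name, sorted synced attributes)]; an entry means an on-prem
    write to those attributes is enough to influence privileged membership.
    """
    findings = []
    for group in groups:
        if not is_privileged(group):
            continue
        referenced = {attr for attr, _ in parse_rule(group.rule)[1]}
        synced = sorted(referenced & ON_PREM_SYNCED)
        if synced:
            findings.append((group.name, synced))
    return findings


def audit_sync_events(groups, users, events):
    """Replay attribute update events and flag any that newly satisfy a privileged rule.

    `users` maps UPN -> current attributes; `events` are update records in the
    order the sync service applied them. The caller's dictionaries are not modified.
    """
    state = deepcopy(users)
    findings = []
    for ev in events:
        before = state.get(ev["user"], {})
        after = {**before, ev["attribute"]: ev["new"]}
        state[ev["user"]] = after
        for group in groups:
            if not is_privileged(group):
                continue
            if rule_matches(group.rule, after) and not rule_matches(group.rule, before):
                findings.append({
                    "user": ev["user"], "group": group.name,
                    "attribute": ev["attribute"],
                    "old": before.get(ev["attribute"], ""), "new": ev["new"],
                    "roles": sorted(group.roles & PRIVILEGED_ROLES),
                })
    return findings


# --- constructed sample data --------------------------------------------------
SAMPLE_GROUPS = [
    DynamicGroup("Cloud Platform Admins",
                 '(user.department -eq "Cloud Platform") -and (user.extensionAttribute1 -eq "TIER0")',
                 frozenset({"Global Administrator"})),
    DynamicGroup("Sales Staff", 'user.department -eq "Sales"', frozenset()),
]
SAMPLE_USERS = {
    "alice@corp.example": {"department": "Cloud Platform", "extensionAttribute1": "TIER0"},
    "bob@corp.example": {"department": "Sales", "extensionAttribute1": ""},
}
SAMPLE_EVENTS = [  # attribute update events in the order the sync service applied them
    {"user": "bob@corp.example", "attribute": "department", "new": "Cloud Platform"},
    {"user": "bob@corp.example", "attribute": "extensionAttribute1", "new": "TIER0"},
    {"user": "alice@corp.example", "attribute": "department", "new": "Cloud Platform"},
]

if __name__ == "__main__":
    for name, attrs in audit_rule_exposure(SAMPLE_GROUPS):
        print(f"[exposure] {name}: privileged membership depends on synced attributes {attrs}")
    for f in audit_sync_events(SAMPLE_GROUPS, SAMPLE_USERS, SAMPLE_EVENTS):
        print(f"[alert] {f['user']} newly matches {f['group']} via {f['attribute']} "
              f"({f['old']!r} -> {f['new']!r}); roles: {f['roles']}")
```

Only the second update for bob is flagged: the first moves his department but the `-and` rule still fails on extensionAttribute1, so alerting on each attribute change in isolation would miss the point at which the rule actually flips. The exposure check is the preventive control: if a privileged group's rule depends on any attribute that on-prem writes can reach through synchronization, the group should use assigned membership (Microsoft already requires this for role-assignable groups) or key on attributes that are authoritative in the cloud.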
Description
Identity security protection method, system and storage medium based on Azure AD control capability
Technical Field
The application belongs to the technical field of computer network security, and in particular relates to an identity security protection method, system and storage medium based on Azure AD control capability.
Background
With the wide adoption of cloud computing and hybrid architectures, government, military, financial and other institutions are gradually migrating core business systems to public cloud platforms and rely on hybrid identity models to achieve seamless identity authentication and permission management. While this improves efficiency for these institutions, it also exposes a new challenge: a design blind spot exists between the target device and the cloud, and a malicious user can convert low privileges on the target device into cloud privileges through the identity synchronization mechanism. In view of this, there is a need for an identity security method based on Azure AD control capability.
Disclosure of the Invention
Based on this, in order to solve the above technical problems, it is necessary to provide an identity security protection method based on Azure AD control capability.
In a first aspect, the application provides an identity security protection method based on Azure AD control capability, comprising the following steps: obtaining a target device, and tampering with the privileges of the target device through malicious process injection or registry key values to obtain SYSTEM-level privileges; using the SYSTEM-level privileges, accessing the standard department attribute field of a target user object in the AD and an extended attribute field that carries a permission-mapping function in the hybrid cloud synchronization scenario, and modifying them to satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain tampered target user attributes; uploading the tampered target user attributes to Azure AD in a compliant protocol format through an API channel by means of the Azure AD Connect synchronization service, marking them as an attribute update event, and determining that the abnormal data stream conforms to the characteristics of normal service synchronization; constructing a Kerberos ticket with a Kerberos client library from the NTLM hash of the target user account of the target device, to obtain a forged ticket; after Azure AD completes attribute synchronization, the cloud dynamic group membership engine evaluates the tampered target user attributes, and the target user account is dynamically added to the associated Global Administrator role group, to obtain a target user account holding a Global Administrator session token; under the target user account holding the Global Administrator session token, logging in through the PTA service channel with the forged ticket to obtain Azure AD control capability; and, through the Azure AD control capability, providing cloud service providers and security vendors with a verifiable scheme for reproducing the attack behaviour, and constructing an identity security protection mechanism.
In some implementations, obtaining the target device and tampering with its privileges through malicious process injection or registry key values to obtain SYSTEM-level privileges comprises the following steps: acquiring initial execution permission on the target device by exploiting an unpatched privilege escalation vulnerability of the Windows system on the target device; and, from the initial execution permission on the target device, obtaining SYSTEM-level privileges by injecting into a high-privilege process or modifying a registry key value. In some embodiments, the step of using the SYSTEM-level privileges to access the standard department attribute field of the target user object in the AD and the extended attribute field carrying a permission-mapping function in the hybrid cloud synchronization scenario, and modifying them to satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain the tampered target user attributes, comprises: analysing the rules of the msDS-cloudExtensionAttribute metadata in the AD schema to obtain a matching rule; and, according to the matching rule, using the SYSTEM-level privileges to modify the standard department attribute field of the target user object in the AD and the extended attribute field carrying a permission-mapping function in the hybrid cloud synchronization scenario so that they satisfy the preset conditions of the cloud privileged dynamic group membership rule, to obtain the tampered target user attributes. In some implementations, the step of using the Azure AD Connect synchronization service to upload the tampered target user attributes to Azure AD in a compliant protocol format through an API channel, marking them as an attribute update event, and determining that the abnormal data stream meets the normal service synchronizati
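Claims 5 and 7, and the corresponding passage of the description, describe the Kerberos half of the chain: a Silver Ticket built from an NTLM hash (so encrypted with RC4-HMAC, etype 23), with its validity extended to the maximum threshold, presented to a hybrid-authentication service. Because a forged service ticket is never requested from the KDC, the classic detection is a Kerberos network logon on the service host with no matching service-ticket request on any domain controller, alongside RC4 tickets for privileged principals and ticket lifetimes beyond domain policy. The correlator below is an added example written from the defender's side, not code from the patent. It works over constructed, simplified event records that borrow the field names of Windows security events 4769 (service ticket request, which carries the ticket encryption type) and 4624 (logon, with its authentication package); the account names, host names and times are constructed, and the 600-minute default for the maximum service ticket lifetime is the Windows Kerberos policy default.

```python
"""Detection logic for the Kerberos side of claims 5 and 7: service tickets that
were presented to a host without ever being issued by a domain controller,
RC4 tickets for privileged accounts, and tickets whose lifetime exceeds policy.

Added example, not code from the patent. Event records are constructed and
simplified: they keep only the fields the checks need.
"""
from datetime import datetime, timedelta

RC4_HMAC = 0x17               # etype 23: the type a ticket forged from an NTLM hash uses
AES_ETYPES = {0x11, 0x12}     # AES128 / AES256 CTS-HMAC-SHA1-96
DEFAULT_MAX_SERVICE_TICKET = timedelta(minutes=600)  # Windows default Kerberos policy
PRIVILEGED_ACCOUNTS = {"admin.svc"}                  # constructed high-privilege principals


def check_ticket_lifetime(start, end, max_lifetime=DEFAULT_MAX_SERVICE_TICKET):
    """True when a ticket's validity window (as shown by a ticket cache listing)
    is longer than the domain's maximum service ticket lifetime."""
    return end - start > max_lifetime


def correlate_kerberos_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """Correlate DC ticket issuance (4769) with Kerberos logons on hosts (4624).

    Returns one finding per suspicious record:
      - a 4769 issuing an RC4 service ticket to a privileged account;
      - a 4624 Kerberos logon for (account, service) that no DC issued a ticket for.
    """
    issued = set()   # (account, service principal) pairs a DC has issued tickets for
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4769:
            issued.add((ev["account"], ev["service"]))
            if ev["etype"] == RC4_HMAC and ev["account"] in privileged:
                findings.append({"event_id": 4769, "account": ev["account"],
                                 "service": ev["service"],
                                 "reason": "rc4-service-ticket-for-privileged-account"})
        elif ev["event_id"] == 4624 and ev.get("auth_package") == "Kerberos":
            if (ev["account"], ev["service"]) not in issued:
                findings.append({"event_id": 4624, "account": ev["account"],
                                 "service": ev["service"],
                                 "reason": "kerberos-logon-without-kdc-ticket"})
    return findings


# --- constructed sample events (DC 4769 records and host 4624 records) ----------
T0 = datetime(2025, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    {"event_id": 4769, "time": T0 + timedelta(minutes=1), "account": "alice",
     "service": "FS01$", "etype": 0x12},
    {"event_id": 4624, "time": T0 + timedelta(minutes=2), "account": "alice",
     "service": "FS01$", "auth_package": "Kerberos"},
    {"event_id": 4769, "time": T0 + timedelta(minutes=10), "account": "admin.svc",
     "service": "SYNC01$", "etype": RC4_HMAC},
    {"event_id": 4624, "time": T0 + timedelta(minutes=11), "account": "admin.svc",
     "service": "SYNC01$", "auth_package": "Kerberos"},
    {"event_id": 4624, "time": T0 + timedelta(minutes=60), "account": "admin.svc",
     "service": "PTA01$", "auth_package": "Kerberos"},   # no 4769 anywhere for this pair
]

if __name__ == "__main__":
    for f in correlate_kerberos_logons(SAMPLE_EVENTS):
        print(f"[alert] {f['reason']}: {f['account']} -> {f['service']} (event {f['event_id']})")
    ten_days = check_ticket_lifetime(T0, T0 + timedelta(days=10))
    print(f"[check] 10-day ticket exceeds policy: {ten_days}")
```

Two records are flagged: the RC4 service ticket issued to `admin.svc`, and the Kerberos logon on `PTA01$` for which no domain controller ever logged a ticket request. The lifetime check is the control for the "validity extended to the maximum threshold" tampering in claim 5: a service ticket whose window is days long cannot have come from a KDC enforcing the default ten-hour policy. Enforcing AES-only for service accounts removes the RC4 path entirely, since a ticket forged from an NTLM hash can only be encrypted with RC4.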