Ebook
You’ll Never SID’em Coming
Pentera Labs disclosed a denial-of-service flaw in Microsoft Active Directory that lets an attacker lock users out of the domain, Domain Admins included, without holding admin rights. The technique abuses the limit on how many Security Identifiers (SIDs) an access token can hold: every security group a user belongs to, directly or through nesting, adds a SID to that token, so an attacker who piles enough group memberships onto a target pushes its token past the limit and the target can no longer log on. Any low-privileged account that can create groups is enough, and a script that mass-creates groups or nests them transitively scales the attack from one user to the whole domain. Recovery requires safe-mode reboots or admin intervention, so prevention is what matters: restrict group creation rights, monitor for unusual group creation and membership changes, and centralize group management.
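As an added example (not Pentera's code and not part of the ebook), the following Python models the two attack shapes the summary describes, mass-created groups and transitively nested groups, and the monitoring it recommends. It walks nested membership to estimate how many group SIDs a target's token would carry, and scans group-creation and member-added events for a burst from a single account. The 1024 figure is the documented Windows token SID limit; the warning threshold, the directory contents, the simplified log line layout and the account and group names are all constructed assumptions for this example.

```python
"""Added example (not Pentera's code, not a real domain): token SID pressure
from nested groups, and burst detection over group-management events.
All directory data and log lines below are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# A Windows access token holds at most 1024 SIDs. Well-known and logon-session
# SIDs take some of those slots, so group SIDs alone saturate it earlier.
# WARN_AT is a hypothetical alerting threshold chosen for this example.
TOKEN_SID_LIMIT = 1024
WARN_AT = 900


def transitive_groups(principal, member_of):
    """All groups `principal` belongs to, directly or via nesting.
    `member_of` maps a user/group name to the set of groups it is directly in.
    Breadth-first with a visited set, so nesting cycles terminate."""
    seen = set()
    queue = deque(member_of.get(principal, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of.get(group, ()))
    return seen


def add_groups(member_of, victim, count, nested=False, prefix="junk-"):
    """Model the attack shapes from the text: `count` new groups either added
    to the victim directly (mass creation) or chained one inside the next
    (transitive nesting). Either way every group lands in the token."""
    names = [f"{prefix}{i}" for i in range(count)]
    direct = member_of.setdefault(victim, set())
    if nested:
        direct.add(names[0])
        for outer, inner in zip(names, names[1:]):
            member_of.setdefault(outer, set()).add(inner)
    else:
        direct.update(names)
    return names


def sid_pressure(principal, member_of):
    """Group-SID count for the principal's token plus a status label. Only
    group SIDs are counted, so this is a lower bound on the real token size."""
    count = len(transitive_groups(principal, member_of))
    if count >= TOKEN_SID_LIMIT:
        return count, "LOCKOUT"
    if count >= WARN_AT:
        return count, "WARN"
    return count, "ok"


# Constructed log lines in a simplified one-line layout (not real EVTX/XML).
# 4727/4731/4754 = security group created; 4728/4732/4756 = member added.
GROUP_EVENTS = {"4727", "4731", "4754", "4728", "4732", "4756"}
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<id>\d+) Subject=(?P<subj>\S+)")
SAMPLE_LOG = [
    "2024-05-01T10:00:00 EventID=4727 Subject=CORP\\svc-helpdesk Group=CORP\\junk-0",
    "2024-05-01T10:00:01 EventID=4728 Subject=CORP\\svc-helpdesk Group=CORP\\junk-0 Member=CORP\\da-admin",
    "2024-05-01T10:00:02 EventID=4727 Subject=CORP\\svc-helpdesk Group=CORP\\junk-1",
    "2024-05-01T10:00:03 EventID=4728 Subject=CORP\\svc-helpdesk Group=CORP\\junk-1 Member=CORP\\junk-0",
    "2024-05-01T10:00:04 EventID=4727 Subject=CORP\\svc-helpdesk Group=CORP\\junk-2",
    "2024-05-01T10:00:05 EventID=4728 Subject=CORP\\svc-helpdesk Group=CORP\\junk-2 Member=CORP\\junk-1",
    "2024-05-01T10:30:00 EventID=4727 Subject=CORP\\it-admin Group=CORP\\printer-ops",
    "2024-05-01T10:31:00 EventID=4624 Subject=CORP\\it-admin LogonType=3",
]


def parse_group_events(lines):
    """(timestamp, subject, event id) for group create/member-add events only."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["id"] in GROUP_EVENTS:
            events.append((datetime.fromisoformat(m["ts"]), m["subj"], m["id"]))
    return events


def burst_subjects(events, window_s=60, threshold=5):
    """Subjects that produced >= threshold group events inside any window_s
    seconds, mapped to their largest such burst (sliding window per subject)."""
    times_by_subject = defaultdict(list)
    for ts, subject, _ in sorted(events):
        times_by_subject[subject].append(ts)
    flagged = {}
    for subject, times in times_by_subject.items():
        lo = 0
        for hi, t in enumerate(times):
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            size = hi - lo + 1
            if size >= threshold:
                flagged[subject] = max(flagged.get(subject, 0), size)
    return flagged


if __name__ == "__main__":
    directory = {"CORP\\da-admin": {"Domain Admins"}, "CORP\\jdoe": {"Users", "VPN"}}
    add_groups(directory, "CORP\\da-admin", 1100, nested=True)  # attacker's chain
    for who in ("CORP\\da-admin", "CORP\\jdoe"):
        print(who, sid_pressure(who, directory))
    print("bursts:", burst_subjects(parse_group_events(SAMPLE_LOG)))
```

The nesting walk is the part worth keeping: a count of direct `memberOf` entries looks harmless for a victim placed in a single group that sits at the top of a thousand-deep chain, and only the transitive count reveals the pressure on the token. The burst detector deliberately treats group creation and member addition as one event class, since the attack alternates between the two.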