entra-id-phs-integration

kali# Entra ID PHS Integration

Methodology

  1. Enumerate the accounts with the MSOL_ attribute.

  2. Get administrative privileges on the computer where it's setup.

  3. Read the password.

  4. Run commands as MSOL_ user.

  5. DCSync (Optional).

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerView

Get the MSOL user and the computer where it's setup:

Get-DomainUser -Identity "MSOL_*" -Domain contoso.local

Retrieve the password:

With administrative privileges, if we run adconnect.ps1, we can extract the credentials of the MSOL_ account used by Entra Connect in clear-text

https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1

.\azuread_decrypt_msol.ps1

Run commands:

And can then execute the DCSync attack

Previouschild-to-forest-trust-keyNextshadow-credentials

Last updated