Synchronization Credentials Extraction
Vulnerability
With local administrator rights on the AD Connect server, you can dump the credentials of the MSOL and SYNC accounts, which are responsible for synchronizing on-premises Active Directory with Azure Entra ID.
Prerequisites
- Local administrator rights on the AD Connect server.
Exploit
To extract the credentials, run DumpAADSyncCreds on the AD Connect server:
.\DumpAADSyncCreds.exe get_token
Recommendations
- Enforce EDR on servers, the AD Connect server in particular, to detect and block the use of credential-dumping tools.
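As an added example that is not part of the original page, a SIEM-side detection sketch covering the two conditions this page names: an interactive logon to the AD Connect server by an account outside the expected set (the prerequisite), and creation of the DumpAADSyncCreds process (the exploit step). The host name, account names, allowlist and event records are constructed; field names follow the Windows Security event schema for 4624 and 4688.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed values for illustration; replace with your own inventory.
ADCONNECT_HOSTS = {"ADCONNECT01"}
# Accounts expected to log on interactively (logon type 2/10) to the AD Connect server.
ALLOWED_INTERACTIVE = {"CORP\\adconnect-admin"}
# Process name of the dumping tool named on this page (compared case-insensitively).
DUMP_TOOLS = {"dumpaadsynccreds.exe"}

@dataclass
class Alert:
    rule: str
    host: str
    account: str
    detail: str

def inspect_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for one parsed Security event, or None if it is benign."""
    host = ev.get("Computer", "").upper()
    if ev["EventID"] == 4688:
        # Process creation: flag the dumping tool wherever it runs.
        image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
        if image in DUMP_TOOLS:
            return Alert("adconnect-dump-tool", host, ev.get("SubjectUserName", "?"),
                         ev.get("CommandLine") or ev["NewProcessName"])
    elif ev["EventID"] == 4624 and host in ADCONNECT_HOSTS:
        # Interactive (2) or RDP (10) logon to the AD Connect server by an
        # account outside the allowlist: the prerequisite for this technique.
        if ev.get("LogonType") in (2, 10):
            account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
            if account not in ALLOWED_INTERACTIVE:
                return Alert("adconnect-unexpected-logon", host, account,
                             f"logon type {ev['LogonType']}")
    return None

def scan(events: Iterable[dict]) -> List[Alert]:
    return [a for a in map(inspect_event, events) if a is not None]

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4624, "Computer": "ADCONNECT01", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "adconnect-admin"},
    {"EventID": 4624, "Computer": "ADCONNECT01", "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "jdoe"},
    {"EventID": 4688, "Computer": "ADCONNECT01", "SubjectUserName": "jdoe",
     "NewProcessName": "C:\\Temp\\DumpAADSyncCreds.exe",
     "CommandLine": "DumpAADSyncCreds.exe get_token"},
    {"EventID": 4688, "Computer": "FILESRV01", "SubjectUserName": "jdoe",
     "NewProcessName": "D:\\tools\\dumpaadsynccreds.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: the unexpected logon and two process creations; the allowed administrator's logon produces none. Process-name matching is trivially evaded by renaming, so treat the logon rule as the durable signal and feed both into the EDR policy the recommendation above describes.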