Synchronization Credentials Extraction

Table of contents

  1. Vulnerability
  2. Prerequisites
  3. Exploit
  4. Recommendations

Vulnerability

As a local administrator on the AD Connect server, you can dump the credentials of the MSOL and SYNC accounts, which are responsible for synchronizing Active Directory with Azure Entra ID.

Prerequisites

  • Local administrator rights on the AD Connect server.

Exploit

To extract the credentials, run DumpAADSyncCreds on the AD Connect server.

.\DumpAADSyncCreds.exe get_token

Recommendations

  • Enforce EDR on servers to detect and block the use of such tooling and other malware.
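As an added detection example (not part of the original write-up), the logic below runs over constructed Windows Security 4688 process-creation events and flags executions of the tool described above, treating the ADCONNECT01 hostname and the field names as assumptions; severity is raised when the execution lands on the AD Connect server itself, and a fallback rule catches the get_token verb when the binary has been renamed.

```python
import re

# Assumed hostname of the AD Connect server (hypothetical; replace with your own).
ADCONNECT_HOSTS = {"ADCONNECT01"}

# Indicators taken from the write-up: the tool name and its get_token verb.
TOOL_RE = re.compile(r"dumpaadsynccreds", re.IGNORECASE)
VERB_RE = re.compile(r"\bget_token\b", re.IGNORECASE)

# Constructed sample 4688 events (not real telemetry); fields mirror the event's names.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "ADCONNECT01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Users\svc_backup\Desktop\DumpAADSyncCreds.exe",
     "CommandLine": r".\DumpAADSyncCreds.exe get_token"},
    {"EventID": 4688, "Computer": "ADCONNECT01", "SubjectUserName": "NETWORK SERVICE",
     "NewProcessName": r"C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe",
     "CommandLine": r"miiserver.exe"},
    {"EventID": 4688, "Computer": "ADCONNECT01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Temp\update.exe",  # renamed binary, verb still visible
     "CommandLine": r"update.exe get_token"},
    {"EventID": 4688, "Computer": "FILESRV01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Tools\DumpAADSyncCreds.exe",
     "CommandLine": r"DumpAADSyncCreds.exe get_token"},
]


def classify(event):
    """Return a severity label for one 4688 event, or None if nothing matched."""
    if event.get("EventID") != 4688:
        return None
    text = f'{event.get("NewProcessName", "")} {event.get("CommandLine", "")}'
    on_adconnect = event.get("Computer", "").upper() in ADCONNECT_HOSTS
    if TOOL_RE.search(text):
        # Known tool name anywhere: high on the sync server, medium on any other host.
        return "high" if on_adconnect else "medium"
    if on_adconnect and VERB_RE.search(text):
        # Tool name stripped or renamed, but the verb survives on the sync server.
        return "high"
    return None


def detect(events):
    """Return (computer, user, severity) for every event that matched a rule."""
    hits = []
    for e in events:
        sev = classify(e)
        if sev:
            hits.append((e["Computer"], e["SubjectUserName"], sev))
    return hits
```

Feed real 4688 events (or the equivalent EDR process-creation telemetry) into detect() after mapping their fields to the same names.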