https://az0th.it/tags/msol/ Recent content in Msol on MrAzoth Hugo -- 0.154.5 en-us https://az0th.it/ad/kali/azure-hybrid/ Mon, 01 Jan 0001 00:00:00 +0000 https://az0th.it/ad/kali/azure-hybrid/ <h2 id="quick-reference">Quick Reference</h2> <table> <thead> <tr> <th>Attack</th> <th>Requirement</th> <th>Impact</th> </tr> </thead> <tbody> <tr> <td>MSOL Account DCSync</td> <td>Local admin on AAD Connect server</td> <td>Full domain + cloud compromise</td> </tr> <tr> <td>AZUREADSSOACC$ Abuse</td> <td>DCSync rights or DA</td> <td>Forge Azure AD tokens</td> </tr> <tr> <td>PHS Hash Extraction</td> <td>MSOL DCSync rights</td> <td>Cloud account takeover</td> </tr> <tr> <td>PTA Abuse</td> <td>On-prem DC compromise</td> <td>Transparent cloud auth bypass</td> </tr> <tr> <td>Golden SAML</td> <td>ADFS signing cert theft</td> <td>Persistent cloud access</td> </tr> </tbody> </table> <hr> <h2 id="azure-ad-connect-abuse-msol-account">Azure AD Connect Abuse (MSOL Account)</h2> <p>Azure AD Connect synchronizes on-premises Active Directory to Azure AD. During setup, it creates a service account named <code>MSOL_xxxxxxxx</code> in the on-premises domain. This account is granted <code>DS-Replication-Get-Changes</code> and <code>DS-Replication-Get-Changes-All</code> on the domain root — the exact permissions required for DCSync. Its password is stored encrypted in a SQL LocalDB instance on the AAD Connect server.</p>