
H3-2024-0010

Microsoft Entra (AzureAD) Connect Credential Dumping

Category: SECURITY_CONTROLS
Base Score: 7.2

Description

AzureAD/Entra Connect is a service that synchronizes credentials between Active Directory and the Microsoft Entra identity and access management (IAM) cloud service. AzureAD/Entra Connect maintains a database of encrypted credentials that hold high privileges in both the Active Directory domain and the Entra tenant. Attackers with administrative privileges could extract and decrypt these credentials, either locally or remotely.

Impact

Attackers who obtain cleartext credentials from AzureAD/Entra Connect can log in directly to either the Active Directory domain or the Entra tenant with those credentials. The AzureAD/Entra Connect domain account has DCSync privileges, and the Entra credential has extensive permissions that may lead to full account compromise.
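The DCSync exposure described above is something a defender can watch for on the domain controllers. The following is an added example, not part of this advisory: it correlates Security event 4662 replication requests with 4624 logons and flags requests that are not from a domain controller, or that use the Connect sync account from a host other than the Connect server. The DC account names, the Connect server IP and the MSOL_ account naming pattern are assumptions; the events are constructed samples.

```python
"""Flag DCSync-style replication requests (event 4662) that do not come from a DC,
or that use the Entra Connect sync account away from its own server. Sample data is constructed."""
import re

REPL_GUIDS = {  # extended rights requested by a replication (DCSync) call
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)
DC_ACCOUNTS = {"DC01$", "DC02$"}                    # assumption: DC computer accounts
CONNECT_SERVER_IPS = {"10.0.0.20"}                  # assumption: the Entra Connect host
SYNC_ACCOUNT_RE = re.compile(r"^MSOL_[0-9a-f]{12}$", re.I)  # default sync account naming

def index_logons(events):
    """Map 4624 TargetLogonId -> source IP so a 4662 can be tied to the requesting host."""
    return {e["TargetLogonId"]: e.get("IpAddress", "-")
            for e in events if e["EventID"] == 4624}

def find_suspicious_dcsync(events):
    """Return (account, source_ip) for replication requests outside the expected pattern."""
    logons, hits = index_logons(events), []
    for e in events:
        if e["EventID"] != 4662 or not (
                REPL_GUIDS & {g.lower() for g in GUID_RE.findall(e["Properties"])}):
            continue                                 # not a replication request
        user, src = e["SubjectUserName"], logons.get(e["SubjectLogonId"], "unknown")
        if user in DC_ACCOUNTS:
            continue                                 # normal DC-to-DC replication
        if SYNC_ACCOUNT_RE.match(user) and src in CONNECT_SERVER_IPS:
            continue                                 # sync account used from its own server
        hits.append((user, src))
    return hits

SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4624, "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.0.20"},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123456789ab", "SubjectLogonId": "0x3e7a1",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetLogonId": "0x5b2c9", "IpAddress": "10.0.5.77"},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123456789ab", "SubjectLogonId": "0x5b2c9",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e4",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x77777",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for user, src in find_suspicious_dcsync(SAMPLE_EVENTS):
        print(f"ALERT: replication request by {user} from {src}")
```

The second MSOL_ request is flagged because its logon came from a host other than the Connect server, which is the pattern a stolen sync credential produces.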

References