SyncedToEntraUser

The on-prem user may be able to authenticate as the Entra user with its own password if password hash synchronization, pass-through authentication, or seamless single sign-on is enabled.

Abuse Info

An attacker may authenticate as the synchronized Entra user using the on-prem user’s credentials, for example by dumping the user’s plain-text credential from memory, key-logging the user’s password, or by changing the on-prem user’s password and authenticating with that new password.

Opsec Considerations

The attacker may create artifacts of abusing this relationship in both on-prem AD and in Entra. A password reset operation against the on-prem user may create a 4724 Windows event, along with a corresponding Entra activity log entry when the on-prem agent synchronizes the new password hash up to Entra.

Edge Schema

Source: User
Destination: AZUser
Traversable: Yes

References

What is Password Hybrid Sync How to connect Pass-Through Auth How to connect Single Sign-on

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

Abuse Info

Opsec Considerations

Edge Schema

References

Get Started with BloodHound

Install a Data Collector

Collect Data

OpenGraph

Analyze Attack Path Data

Manage BloodHound

API & Integrations

Resources

​Abuse Info

​Opsec Considerations

​Edge Schema

​References

Abuse Info

Opsec Considerations

Edge Schema

References