From 7804be1a1bac3e6374b8f4d245e4a32974945f99 Mon Sep 17 00:00:00 2001 From: Translator Date: Mon, 9 Mar 2026 15:14:01 +0000 Subject: [PATCH] Fix unmatched refs --- .../az-lateral-movement-cloud-on-prem/az-cloud-sync.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md index 63bc99517..77cb0207d 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-cloud-sync.md @@ -85,8 +85,8 @@ https://book.hacktricks.wiki/en/windows-hardening/active-directory-methodology/i > 注意,目前无法根据属性(例如在 Cloud Sync 配置中)向已同步用户授予 Azure 或 EntraID 角色。但是,为了自动授予已同步用户权限,可能会将某些 **Entra ID groups from AD** 授予权限,这样这些组内的已同步用户也会获得这些权限,或者可能使用 **dynamic groups**,因此务必检查动态规则及潜在的滥用方式: > > {{#ref}} -> ../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md -> {{#endref}} +../az-privilege-escalation/az-entraid-privesc/dynamic-groups.md +{{#endref}} Regarding persistence [this blog post](https://tierzerosecurity.co.nz/2024/05/21/ms-entra-connect-sync-mothods.html) suggest that it's possible to use [**dnSpy**](https://github.com/dnSpy/dnSpy) to backdoor the dll **`Microsoft.Online.Passwordsynchronisation.dll`** located in **`C:\Program Files\Microsoft Azure AD Sync\Bin`** that is used by the Cloud Sync agent to perform the password synchronization making it exfiltrate the password hashes of the users being synchronized to a remote server. 这些哈希在类 **`PasswordHashGenerator`** 内生成,博客建议添加一些代码,使该类看起来像下面这样(注意 `use System.Net` 和 `WebClient` 用于外泄密码哈希): ```csharp