AADInternals
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.004 | Account Discovery: Cloud Account | AADInternals can enumerate Azure AD users.(Citation: AADInternals Documentation)
Enterprise | T1098.005 | Account Manipulation: Device Registration | AADInternals can register a device to Azure AD.(Citation: AADInternals Documentation)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AADInternals is written in and executed via PowerShell.(Citation: AADInternals Documentation)
Enterprise | T1136.003 | Create Account: Cloud Account | AADInternals can create new Azure AD users.(Citation: AADInternals Documentation)
Enterprise | T1484.002 | Domain Policy Modification: Domain Trust Modification | AADInternals can create a backdoor by converting a domain to a federated domain; the attacker-controlled federation can then authenticate as any user in the tenant. AADInternals can also modify DesktopSSO information.(Citation: AADInternals Documentation)(Citation: Azure AD Federation Vulnerability)
Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | AADInternals can be used to create SAML tokens using the AD Federation Services token-signing certificate.(Citation: AADInternals Documentation)
Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | AADInternals can check for the existence of user email addresses using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)
Enterprise | T1590.001 | Gather Victim Network Information: Domain Properties | AADInternals can gather information about a tenant's domains using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)
Enterprise | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | The AADInternals `Set-AADIntUserMFA` command can be used to disable MFA for a specified user.
Enterprise | T1556.007 | Modify Authentication Process: Hybrid Identity | AADInternals can inject a malicious DLL (`PTASpy`) into the `AzureADConnectAuthenticationAgentService` to backdoor Azure AD Pass-Through Authentication.(Citation: AADInternals Azure AD On-Prem to Cloud)
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | AADInternals can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation)
Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | AADInternals can enumerate Azure AD groups.(Citation: AADInternals Documentation)
Enterprise | T1566.002 | Phishing: Spearphishing Link | AADInternals can send "consent phishing" emails containing malicious links designed to steal users' access tokens.(Citation: AADInternals Documentation)
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | AADInternals can send phishing emails containing malicious links designed to collect users' credentials.(Citation: AADInternals Documentation)
Enterprise | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.(Citation: AADInternals Documentation)
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.(Citation: AADInternals Documentation)
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federation Services servers.(Citation: AADInternals Documentation)
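The following is a defender-side triage of Azure AD audit-log records for several of the techniques in the table above. It is an added example and is not part of the ATT&CK entry or of AADInternals itself. It assumes records shaped like Microsoft Graph `directoryAudits` objects; the sample records are constructed, and the `activityDisplayName` values and the `StrongAuthenticationRequirement` encoding used as rule keys are the names Azure AD uses for these operations as far as the author of this example is aware, and should be confirmed against a tenant's own logs before the rules are relied on. It covers T1484.002 (domain converted to federated or federation settings changed), T1556.006 (per-user MFA removed), T1098.005 (device registered) and T1136.003 (cloud account created).

```python
import json
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Activity display names under which Azure AD records a change to how a domain
# authenticates. Converting a managed domain to federated, or altering its
# federation settings, is how the T1484.002 backdoor in the table is planted.
FEDERATION_ACTIVITIES = {"Set domain authentication", "Set federation settings on domain"}

# Activity display names that map directly to a sub-technique in the table.
SIMPLE_ACTIVITY_RULES = {
    "Add device": ("T1098.005", "device registered in Azure AD"),
    "Add user": ("T1136.003", "cloud account created"),
}


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK sub-technique ID from the table
    actor: str      # principal that performed the operation
    target: str     # domain, user or device acted on
    detail: str


def actor_of(record: dict) -> str:
    """UPN of the initiating user, or the app name when a service principal acted."""
    initiated = record.get("initiatedBy") or {}
    user = initiated.get("user") or {}
    app = initiated.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def _target_name(target: dict) -> str:
    return target.get("userPrincipalName") or target.get("displayName") or ""


def _decode(raw: Optional[str]):
    """modifiedProperties old/new values arrive as JSON-encoded strings; blanks decode to None."""
    if not raw:
        return None
    try:
        return json.loads(raw)
    except ValueError:
        return raw


def rule_federation_change(record: dict) -> Iterator[Finding]:
    if record.get("activityDisplayName") in FEDERATION_ACTIVITIES and record.get("result") == "success":
        for target in record.get("targetResources") or []:
            yield Finding("T1484.002", actor_of(record), _target_name(target),
                          f"{record['activityDisplayName']}: domain trust changed")


def rule_mfa_disabled(record: dict) -> Iterator[Finding]:
    """Per-user MFA lives in the StrongAuthenticationRequirement property, a JSON list.
    A non-empty old value becoming an empty list is the requirement being removed
    (assumption about the encoding; confirm against a real 'Update user' record)."""
    if record.get("activityDisplayName") != "Update user":
        return
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") != "StrongAuthenticationRequirement":
                continue
            if _decode(prop.get("oldValue")) and not _decode(prop.get("newValue")):
                yield Finding("T1556.006", actor_of(record), _target_name(target),
                              "per-user MFA requirement removed")


def rule_simple_activity(record: dict) -> Iterator[Finding]:
    rule = SIMPLE_ACTIVITY_RULES.get(record.get("activityDisplayName"))
    if rule and record.get("result") == "success":
        technique, detail = rule
        for target in record.get("targetResources") or []:
            yield Finding(technique, actor_of(record), _target_name(target), detail)


RULES = (rule_federation_change, rule_mfa_disabled, rule_simple_activity)


def triage(records: Iterable[dict], expected_actors: frozenset = frozenset()) -> List[Finding]:
    """Run every rule over every record, dropping findings whose actor is an account
    expected to perform that operation (for example a provisioning service account)."""
    findings: List[Finding] = []
    for record in records:
        for rule in RULES:
            findings.extend(f for f in rule(record) if f.actor not in expected_actors)
    return findings


# Constructed sample records shaped like Microsoft Graph directoryAudits objects.
_ADMIN = {"user": {"userPrincipalName": "admin@example.com"}}
_ALICE = {"user": {"userPrincipalName": "alice@example.com"}}
_MFA_ON = '[{"RelyingParty":"*","State":1}]'
SAMPLE_AUDIT_RECORDS = [
    {"activityDisplayName": "Set domain authentication", "result": "success", "initiatedBy": _ADMIN,
     "targetResources": [{"displayName": "example.com", "modifiedProperties": []}]},
    {"activityDisplayName": "Update user", "result": "success", "initiatedBy": _ADMIN,
     "targetResources": [{"userPrincipalName": "alice@example.com", "modifiedProperties": [
         {"displayName": "StrongAuthenticationRequirement", "oldValue": _MFA_ON, "newValue": "[]"}]}]},
    {"activityDisplayName": "Update user", "result": "success", "initiatedBy": _ADMIN,  # MFA turned on: benign
     "targetResources": [{"userPrincipalName": "bob@example.com", "modifiedProperties": [
         {"displayName": "StrongAuthenticationRequirement", "oldValue": "[]", "newValue": _MFA_ON}]}]},
    {"activityDisplayName": "Update user", "result": "success", "initiatedBy": _ALICE,  # unrelated edit
     "targetResources": [{"userPrincipalName": "alice@example.com", "modifiedProperties": [
         {"displayName": "JobTitle", "oldValue": '"Analyst"', "newValue": '"Senior Analyst"'}]}]},
    {"activityDisplayName": "Add device", "result": "success", "initiatedBy": _ALICE,
     "targetResources": [{"displayName": "DESKTOP-AADINT"}]},
    {"activityDisplayName": "Add user", "result": "success", "initiatedBy": _ADMIN,
     "targetResources": [{"userPrincipalName": "svc-backup@example.com"}]},
    {"activityDisplayName": "Set federation settings on domain", "result": "failure", "initiatedBy": _ALICE,
     "targetResources": [{"displayName": "example.com"}]},  # failed attempt: not reported by this rule set
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_RECORDS):
        print(f"{finding.technique} {finding.actor} -> {finding.target}: {finding.detail}")
```

Two techniques in the table are deliberately not covered by these rules because they do not themselves generate a directory audit record: the `PTASpy` injection (T1556.007) happens on the on-premises Pass-Through Authentication agent host and needs host telemetry such as image loads into the agent service process, and a silver ticket forged from the AZUREADSSOACC hash (T1558.002) is built offline and only surfaces as an ordinary sign-in, which is why the AZUREADSSOACC key should be rotated regularly.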
References
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 1, 2022.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Dr. Nestori Syynimaa. (2021, December 13). AADInternals. Retrieved February 1, 2022.
- Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.
- Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.
- Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.
- Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.