Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
ID: S0677
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 01 Feb 2022
Last Modified: 14 Oct 2024

Techniques Used

Domain ID Name Use
Enterprise T1087 .004 Account Discovery: Cloud Account

AADInternals can enumerate Azure AD users.(Citation: AADInternals Documentation)

Enterprise T1098 .005 Account Manipulation: Device Registration

AADInternals can register a device to Azure AD.(Citation: AADInternals Documentation)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

AADInternals is written and executed via PowerShell.(Citation: AADInternals Documentation)

Enterprise T1136 .003 Create Account: Cloud Account

AADInternals can create new Azure AD users.(Citation: AADInternals Documentation)

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.(Citation: AADInternals Documentation)(Citation: Azure AD Federation Vulnerability)

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate.(Citation: AADInternals Documentation)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

AADInternals can check for the existence of user email addresses using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

AADInternals can gather information about a tenant’s domains using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)

Enterprise T1556 .006 Modify Authentication Process: Multi-Factor Authentication

The AADInternals `Set-AADIntUserMFA` command can be used to disable MFA for a specified user.

.007 Modify Authentication Process: Hybrid Identity

AADInternals can inject a malicious DLL (`PTASpy`) into the `AzureADConnectAuthenticationAgentService` to backdoor Azure AD Pass-Through Authentication.(Citation: AADInternals Azure AD On-Prem to Cloud)

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

AADInternals can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation)

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

AADInternals can enumerate Azure AD groups.(Citation: AADInternals Documentation)

Enterprise T1566 .002 Phishing: Spearphishing Link

AADInternals can send "consent phishing" emails containing malicious links designed to steal users’ access tokens.(Citation: AADInternals Documentation)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.(Citation: AADInternals Documentation)

Enterprise T1558 .002 Steal or Forge Kerberos Tickets: Silver Ticket

AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.(Citation: AADInternals Documentation)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.(Citation: AADInternals Documentation)

.004 Unsecured Credentials: Private Keys

AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.(Citation: AADInternals Documentation)

Groups That Use This Software

ID Name References
G0016 APT29

(Citation: MSTIC Nobelium Oct 2021)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.