
AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
ID: S0677
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 01 Feb 2022
Last Modified: 03 Aug 2022

Techniques Used

Domain ID Name Use
Enterprise T1087 .004 Account Discovery: Cloud Account

AADInternals can enumerate Azure AD users.(Citation: AADInternals Documentation)

Enterprise T1098 .005 Account Manipulation: Device Registration

AADInternals can register a device to Azure AD.(Citation: AADInternals Documentation)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

AADInternals is written and executed via PowerShell.(Citation: AADInternals Documentation)

Enterprise T1136 .003 Create Account: Cloud Account

AADInternals can create new Azure AD users.(Citation: AADInternals Documentation)

Enterprise T1484 .002 Domain Policy Modification: Domain Trust Modification

AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.(Citation: AADInternals Documentation)(Citation: Azure AD Federation Vulnerability)

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate.(Citation: AADInternals Documentation)

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

AADInternals can check for the existence of user email addresses using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

AADInternals can gather information about a tenant’s domains using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)

Enterprise T1556 .006 Modify Authentication Process: Multi-Factor Authentication

The AADInternals `Set-AADIntUserMFA` command can be used to disable MFA for a specified user.

Enterprise T1556 .007 Modify Authentication Process: Hybrid Identity

AADInternals can inject a malicious DLL (`PTASpy`) into the `AzureADConnectAuthenticationAgentService` to backdoor Azure AD Pass-Through Authentication.(Citation: AADInternals Azure AD On-Prem to Cloud)

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

AADInternals can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation)

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

AADInternals can enumerate Azure AD groups.(Citation: AADInternals Documentation)

Enterprise T1566 .002 Phishing: Spearphishing Link

AADInternals can send "consent phishing" emails containing malicious links designed to steal users’ access tokens.(Citation: AADInternals Documentation)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.(Citation: AADInternals Documentation)

Enterprise T1558 .002 Steal or Forge Kerberos Tickets: Silver Ticket

AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.(Citation: AADInternals Documentation)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.(Citation: AADInternals Documentation)

Enterprise T1552 .004 Unsecured Credentials: Private Keys

AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.(Citation: AADInternals Documentation)

Groups That Use This Software

ID Name References
G0016 APT29 (Citation: MSTIC Nobelium Oct 2021)
