Az - AzureAD (AAD)

```powershell # Just call Add-AzADAppSecret Function Add-AzADAppSecret { <# .SYNOPSIS Add client secret to the applications.

.PARAMETER GraphToken Pass the Graph API Token

.EXAMPLE PS C:> Add-AzADAppSecret -GraphToken 'eyJ0eX..'

.LINK https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http #>

[CmdletBinding()] param( [Parameter(Mandatory=$True)] [String] $GraphToken = $null )

$AppList = $null $AppPassword = $null

List All the Applications

$Params = @{ "URI" = "https://graph.microsoft.com/v1.0/applications" "Method" = "GET" "Headers" = @{ "Content-Type" = "application/json" "Authorization" = "Bearer $GraphToken" } }

try { $AppList = Invoke-RestMethod @Params -UseBasicParsing } catch { }

Add Password in the Application

if($AppList -ne $null) { [System.Collections.ArrayList]$Details = @()

foreach($App in $AppList.value) { $ID = $App.ID $psobj = New-Object PSObject

$Params = @{ "URI" = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword" "Method" = "POST" "Headers" = @{ "Content-Type" = "application/json" "Authorization" = "Bearer $GraphToken" } }

$Body = @{ "passwordCredential"= @{ "displayName" = "Password" } }

try { $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json) Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText $Details.Add($psobj) | Out-Null } catch { Write-Output "Failed to add new client secret to '$($App.displayName)' Application." } } if($Details -ne $null) { Write-Output "" Write-Output "Client secret added to : " Write-Output $Details | fl * } } else { Write-Output "Failed to Enumerate the Applications." } }

</details>

### 角色

<div data-gb-custom-block data-tag="tabs"></div>

<div data-gb-custom-block data-tag="tab" data-title='az cli'>

```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"

Azure AD

Enumeration

Azure AD enumeration can be performed using various techniques such as:

• User Enumeration: Enumerating valid usernames through the login interface or other means.

• Group Enumeration: Identifying Azure AD groups and their members.

• Application Enumeration: Discovering registered applications in Azure AD.

• Device Enumeration: Identifying devices registered in Azure AD.

Exploitation

Common exploitation techniques in Azure AD include:

• Password Spraying: Attempting to authenticate using common passwords across multiple accounts.

• Phishing Attacks: Sending fraudulent emails to trick users into providing their credentials.

• Brute Force Attacks: Trying multiple password combinations to gain unauthorized access.

• Token Impersonation: Stealing or forging tokens to impersonate users or applications.

Post-Exploitation

After gaining access to Azure AD, an attacker may perform actions like:

• User Account Takeover: Taking control of user accounts to access resources.

• Data Exfiltration: Stealing sensitive data stored in Azure AD.

• Privilege Escalation: Elevating privileges to gain more control over Azure AD resources.

• Persistence: Maintaining access to Azure AD by creating backdoors or other means.

# Get all available role templates
Get-AzureADDirectoryroleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *

在 Azure AD 中，可以使用 Az PowerShell 模块执行各种操作，包括管理用户、组、应用程序等。以下是一些常见的 Az PowerShell 命令示例：

连接到 Azure AD

Connect-AzAccount

获取所有用户

Get-AzureADUser

创建新用户

New-AzureADUser -DisplayName "John Doe" -UserPrincipalName "john.doe@contoso.com"

获取所有组

Get-AzureADGroup

创建新组

New-AzureADGroup -DisplayName "Engineering Team" -MailEnabled $false -SecurityEnabled $true

获取所有应用程序

Get-AzureADApplication

创建新应用程序

New-AzureADApplication -DisplayName "MyApp" -IdentifierUris "https://myapp"

# Get role assignments on the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>

Translate the relevant English text to Chinese and return the translation keeping excatly the same markdown and html syntax. Do not translate things like code, hacking technique names, hacking word, cloud/SaaS platform names (like Workspace, aws, gcp...), the word 'leak', pentesting, and markdown tags. Also don't add any extra stuff apart from the translation and markdown syntax.

# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

设备

# If you know how to do this send a PR!

Azure AD

Enumeration

Azure AD enumeration can be performed using a variety of techniques, including:

• User Enumeration: Enumerating valid usernames through the login interface or other means.

• Group Enumeration: Identifying Azure AD groups and their members.

• Application Enumeration: Discovering registered applications within Azure AD.

Password Spraying

Password spraying attacks against Azure AD involve attempting a small number of commonly used passwords against many accounts to avoid account lockouts and detection.

Brute Force Attacks

Brute force attacks against Azure AD involve systematically checking all possible passwords until the correct one is found.

Phishing

Phishing attacks targeting Azure AD users can be used to steal credentials or deliver malware.

Token Manipulation

Manipulating tokens issued by Azure AD can allow an attacker to escalate privileges or maintain persistence within the environment.

Password Policies

Understanding and bypassing Azure AD password policies can help in conducting successful password-based attacks.

Multi-Factor Authentication (MFA) Bypass

Finding ways to bypass or circumvent MFA in Azure AD can provide unauthorized access to accounts.

Password Hashes

Obtaining and cracking password hashes from Azure AD can lead to the disclosure of plaintext passwords.

Account Lockout Policies

Understanding and potentially bypassing account lockout policies in Azure AD can help in conducting brute force attacks without getting locked out.

OAuth Abuse

Abusing OAuth functionality in Azure AD can lead to unauthorized access to resources and sensitive data.

Federation Trusts

Exploiting misconfigurations in federation trusts can allow an attacker to gain unauthorized access to Azure AD resources.

Privilege Escalation

Identifying and exploiting privilege escalation vulnerabilities in Azure AD can lead to increased access and control over the environment.

Data Exfiltration

Exfiltrating sensitive data from Azure AD can result in the exposure of confidential information to unauthorized individuals.

Logging and Monitoring

Monitoring Azure AD logs and activities can help in detecting and responding to security incidents in a timely manner.

Security Best Practices

Following security best practices for Azure AD can help in mitigating common security risks and protecting the environment from potential threats.

# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registred users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get dives managed using Intune
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }

如果设备（VM）加入了AzureAD，则来自AzureAD的用户将能够登录。 此外，如果登录用户是设备的所有者，他将成为本地管理员。

应用程序

应用程序是门户中的应用注册（而不是企业应用程序）。 但是，每个应用注册将创建一个具有相同名称的企业应用程序（服务主体）。 此外，如果应用是多租户应用程序，将在该租户中创建另一个企业应用程序（服务主体）并具有相同的名称。

当生成一个应用程序时，会赋予两种类型的权限：

• 赋予服务主体的权限

• 应用程序可以拥有并代表用户使用的权限。

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"

Azure AD Enumeration

User Enumeration

• Description: User enumeration can be performed through the Azure AD login interface by entering a valid username and observing the response.

• Impact: User enumeration can help an attacker identify valid usernames in the Azure AD environment, which can be used in further attacks such as password spraying.

• Recommendation: Implement account lockout policies to prevent brute force attacks and monitor failed login attempts for unusual patterns.

Group Enumeration

• Description: Group enumeration can be done by querying the Azure AD Graph API to retrieve information about existing groups.

• Impact: Knowledge of existing groups can help an attacker understand the organization's structure and potentially identify high-value targets.

• Recommendation: Regularly review and update group memberships to ensure least privilege access.

Application Enumeration

• Description: Application enumeration involves identifying applications registered in Azure AD.

• Impact: Attackers can target specific applications with known vulnerabilities or misconfigurations to gain access to sensitive data.

• Recommendation: Regularly review and audit registered applications, removing any unused or unnecessary ones.

Device Enumeration

• Description: Device enumeration allows an attacker to gather information about devices registered in Azure AD.

• Impact: Knowledge of registered devices can help attackers target specific devices for further exploitation.

• Recommendation: Enforce device registration controls and regularly review registered devices for any anomalies.

Service Principal Enumeration

• Description: Service principals represent applications or services in Azure AD, and enumeration involves identifying these principals.

• Impact: Attackers can abuse misconfigured service principals to gain unauthorized access to resources.

• Recommendation: Regularly review and update service principals, ensuring they have the least privileges necessary.

# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *

在 Azure AD 中，我们可以使用 Az PowerShell 模块来执行各种操作。以下是一些常见的示例：

连接到 Azure AD

Connect-AzAccount

获取 Azure AD 用户

Get-AzADUser

创建新用户

New-AzADUser -DisplayName "John Doe" -UserPrincipalName "john.doe@contoso.com"

删除用户

Remove-AzADUser -UserPrincipalName "john.doe@contoso.com"

更新用户

Set-AzADUser -UserPrincipalName "john.doe@contoso.com" -DisplayName "Jane Smith"

获取 Azure AD 组

Get-AzADGroup

创建新组

New-AzADGroup -DisplayName "Developers" -MailEnabled $false -SecurityEnabled $true

删除组

Remove-AzADGroup -DisplayName "Developers"

更新组

Set-AzADGroup -DisplayName "Developers" -Description "Group for developers"

# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential

具有权限 AppRoleAssignment.ReadWrite 的应用程序可以通过授予自身角色来升级为全局管理员。 有关更多信息，请查看此处。

应用程序用于在请求令牌时证明其身份的秘密字符串是应用程序密码。 因此，如果找到此密码，您可以作为服务主体 在 租户 中访问。 请注意，此密码仅在生成时可见（您可以更改它，但无法再次获取它）。 应用程序的所有者可以为其添加密码（以便冒充它）。 以这些服务主体的身份登录不会被标记为风险，也不会有多重身份验证。

应用程序和（企业应用程序或服务主体）之间的区别

Azure 中应用程序和服务主体之间的区别：

• 应用程序/应用注册：存在于您的 Azure AD 中的应用程序

• (Get-AzureADApplication -filter "DisplayName eq 'testapp'")

• 服务主体/企业应用程序：Azure AD 中的安全对象，可以在 Azure 目录中拥有特权，并与您的应用程序或第三方应用程序关联

• Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")

• 如果权限非常敏感，管理员可能需要批准给定的权限。

一个应用程序可以在第三方租户中运行，一旦开始使用它并授予访问权限，在您的租户中将创建一个企业应用程序/服务主体，以便为其提供所需的信息访问权限：

管理单元

用于更好地管理用户。

管理单元将角色的权限限制为您定义的组织的任何部分。例如，您可以使用管理单元将Helpdesk Administrator 角色委派给区域支持专员，以便他们仅能管理其支持的区域中的用户。

因此，您可以将角色分配给管理员单元，其成员将拥有这些角色。

AzureAD

Enumeration

1. User Enumeration: Attackers can use methods like user enumeration through the Forgot Password feature or the OAuth token endpoint to gather valid usernames.

2. Group Enumeration: Attackers can also enumerate groups within the Azure AD tenant to understand the organization's structure and potentially identify high-value targets.

Brute Force Attacks

1. Password Spraying: Attackers can perform password spraying attacks against Azure AD accounts to avoid account lockouts and detection.

2. Credential Stuffing: Attackers can use previously leaked credentials to perform credential stuffing attacks against Azure AD accounts.

Phishing

1. OAuth Token Phishing: Attackers can phish for OAuth tokens to gain unauthorized access to Azure AD resources.

2. Credential Phishing: Attackers can conduct credential phishing campaigns to trick users into revealing their Azure AD credentials.

Exploiting Misconfigurations

1. Application Misconfigurations: Attackers can exploit misconfigured Azure AD applications to gain unauthorized access or escalate privileges within the tenant.

2. Permissions Misconfigurations: Attackers can abuse misconfigured permissions to perform lateral movement or access sensitive information.

Account Takeover

1. Password Spraying for Account Takeover: Attackers can use password spraying techniques to take over Azure AD accounts with weak passwords.

2. Brute Force for Account Takeover: Attackers can launch brute force attacks to gain unauthorized access to Azure AD accounts.

Insider Threats

1. Insider Account Compromise: Insiders with legitimate access can abuse their privileges to exfiltrate data or perform unauthorized actions within Azure AD.

2. Data Exfiltration: Insiders can exfiltrate sensitive data from Azure AD using their legitimate access.

Monitoring and Detection

1. Anomaly Detection: Implement anomaly detection mechanisms to identify unusual activities that could indicate a security breach.

2. Logging and Alerting: Ensure proper logging and alerting mechanisms are in place to detect and respond to suspicious activities in Azure AD.

Recommendations

1. Multi-Factor Authentication (MFA): Enforce MFA for all Azure AD accounts to add an extra layer of security.

2. Regular Security Training: Provide regular security awareness training to educate users about common attack techniques and how to avoid falling victim to them.

3. Least Privilege Access: Follow the principle of least privilege to restrict users' access rights within Azure AD to only what is necessary for their roles.

# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP)是一项安全服务，利用自动检测和纠正来帮助保护Azure Active Directory中用户身份免受 compromise。AIP持续监视和评估用户登录和身份配置的风险，自动应用适当的安全措施，例如要求多重身份验证或阻止潜在危险活动。这有助于组织预防基于身份的安全漏洞。

流程：

1. Azure AD Identity Protection 监视用户活动，收集用户登录、认证事件和其他相关活动的数据。

2. 该服务使用机器学习算法分析这些数据，检测潜在的安全威胁。

3. Azure AD Identity Protection 为威胁分配风险级别（例如登录），并在需要时生成警报以执行一些自动操作。

Azure AD Password Protection (APP)

Azure AD Password Protection (APP)是一项安全功能，通过强制执行强密码策略，帮助防止Azure Active Directory中的弱密码。APP阻止常用的弱密码及其变体，降低与密码相关的风险。它可以在云级别和本地Active Directory上都应用，增强组织整体的密码安全性。

参考资料

• https://learn.microsoft.com/en-us/azure/active-directory/roles/administrative-units