Azure Active Directory (Azure AD) sert de service basé sur le cloud de Microsoft pour la gestion des identités et des accès. Il est essentiel pour permettre aux employés de se connecter et d'accéder à des ressources, à la fois au sein et au-delà de l'organisation, englobant Microsoft 365, le portail Azure et une multitude d'autres applications SaaS. La conception d'Azure AD se concentre sur la fourniture de services d'identité essentiels, comprenant notamment l'authentification, l'autorisation et la gestion des utilisateurs.
Les fonctionnalités clés d'Azure AD incluent l'authentification multi-facteurs et l'accès conditionnel, ainsi qu'une intégration transparente avec d'autres services de sécurité Microsoft. Ces fonctionnalités élèvent considérablement la sécurité des identités des utilisateurs et permettent aux organisations de mettre en œuvre et d'appliquer efficacement leurs politiques d'accès. En tant que composant fondamental de l'écosystème de services cloud de Microsoft, Azure AD est essentiel pour la gestion basée sur le cloud des identités des utilisateurs.
AzureAD est un module PowerShell de Microsoft pour gérer Azure AD. Il ne montre pas toutes les propriétés des objets Azure AD et ne peut pas être utilisé pour accéder aux informations des ressources Azure.
Az PowerShell est un module pour gérer les ressources Azure à partir de la ligne de commande PowerShell.
Connexion
azlogin#This will open the browserazlogin-u<username>-p<password>#Specify user and passwordazlogin--identity#Use the current machine managed identity (metadata)az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principalaz login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert
# Request access token (ARM)azaccountget-access-token# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
azaccountget-access-token--resource-typeaad-graph# If you want to configure some defaultsazconfigure# Get user logged-in alreadyazadsigned-in-usershow# Helpazfind"vm"# Find vm commandsazvm-h# Get subdomainsazaduserlist--query-examples# Get examples
Connect-AzureAD#Open browser# Using credentials$passwd =ConvertTo-SecureString"Welcome2022!"-AsPlainText -Force$creds =New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)Connect-AzureAD-Credential $creds# Using tokens## AzureAD cannot request tokens, but can use AADGraph and MSGraph tokens to connectConnect-AzureAD-AccountId test@corp.onmicrosoft.com -AadAccessToken $token
Connect-AzAccount#Open browser# Using credentials$passwd =ConvertTo-SecureString"Welcome2022!"-AsPlainText -Force$creds =New-Object System.Management.Automation.PSCredential("test@corp.onmicrosoft.com", $passwd)Connect-AzAccount-Credential $creds# Get Access Token(Get-AzAccessToken).Token# Request access token to other endpoints: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse
Get-AzAccessToken-ResourceTypeName MSGraph(Get-AzAccessToken-Resource "https://graph.microsoft.com").Token# Conenct with access tokenConnect-AzAccount-AccountId test@corp.onmicrosoft.com -AccessToken $tokenConnect-AzAccount-AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>## The -AccessToken is from management.azure.com# Connect with Service principal/enterprise app secret$password =ConvertTo-SecureString'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF'-AsPlainText -Force$creds =New-ObjectSystem.Management.Automation.PSCredential('2923847f-fca2-a420-df10-a01928bec653', $password)Connect-AzAccount-ServicePrincipal -Credential $creds -Tenant 29sd87e56-a192-a934-bca3-0398471ab4e7d#All the Azure AD cmdlets have the format *-AzAD*Get-Command*azad*#Cmdlets for other Azure resources have the format *Az*Get-Command*az*
# Request tokens to access endpoints# ARMcurl"$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01"-Hsecret:$IDENTITY_HEADER# Vaultcurl"$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01"-Hsecret:$IDENTITY_HEADER
Lorsque vous vous connectez via CLI dans Azure avec n'importe quel programme, vous utilisez une Application Azure d'un locataire qui appartient à Microsoft. Ces Applications, comme celles que vous pouvez créer dans votre compte, ont un ID client. Vous ne pourrez pas tous les voir dans les listes d'applications autorisées que vous pouvez voir dans la console, mais ils sont autorisés par défaut.
Par exemple, un script powershell qui s'authentifie utilise une application avec l'ID client 1950a258-227b-4e31-a9cf-717495945fc2. Même si l'application n'apparaît pas dans la console, un administrateur système pourrait bloquer cette application afin que les utilisateurs ne puissent pas y accéder en utilisant des outils qui se connectent via cette application.
Cependant, il existe d'autres ID clients d'applications qui vous permettront de vous connecter à Azure:
# The important part is the ClientId, which identifies the application to login inside Azure$token =Invoke-Authorize-Credential $credential `-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d'`-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email'`-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/"`-Verbose -Debug `-InformationAction Continue$token =Invoke-Authorize-Credential $credential `-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9'`-Scope 'openid profile Sites.Read.All User.Read email'`-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah"`-Verbose -Debug `-InformationAction Continue$token =Invoke-Authorize-Credential $credential `-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095'`-Scope 'openid'`-Redirect_Uri "https://graphexplorer.azurewebsites.net/"`-Verbose -Debug `-InformationAction Continue
Utilisateurs
# Enumerate usersazaduserlist--outputtableazaduserlist--query"[].userPrincipalName"# Get info of 1 userazadusershow--id"test@corp.onmicrosoft.com"# Search "admin" usersazaduserlist--query"[].displayName"|findstr/i"admin"azaduserlist--query"[?contains(displayName,'admin')].displayName"# Search attributes containing the word "password"azaduserlist|findstr/i"password"|findstr/v"null,"# All users from AzureADazaduserlist--query"[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"azaduserlist--query"[?onPremisesSecurityIdentifier==null].displayName"# All users synced from on-premazaduserlist--query"[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"azaduserlist--query"[?onPremisesSecurityIdentifier!=null].displayName"# Get groups where the user is a memberazaduserget-member-groups--id<email># Get roles assigned to the userazroleassignmentlist--include-groups--include-classic-administratorstrue--assignee<email>
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use the Graph API or tools like Azure AD Recon. The Graph API can be accessed using tools like Microsoft Graph Explorer.
Use the endpoint https://graph.microsoft.com/v1.0/groups to enumerate groups.
Exploitation
Password Spraying
To perform password spraying attacks in Azure AD, tools like Spray can be used. These attacks involve trying a few common passwords against many accounts to avoid account lockouts.
Phishing
Phishing attacks can be used to trick users into revealing their credentials. Tools like King Phisher can help in conducting phishing campaigns against Azure AD users.
Password Cracking
If password policies are weak, password cracking tools like John the Ripper can be used to crack passwords obtained through leaks or other means.
Brute Force
Br
# Enumerate UsersGet-AzureADUser-All $trueGet-AzureADUser-All $true| select UserPrincipalName# Get info of 1 userGet-AzureADUser-ObjectId test@corp.onmicrosoft.com | fl# Search "admin" usersGet-AzureADUser-SearchString "admin"#Search admin at the begining of DisplayName or userPrincipalNameGet-AzureADUser-All $true|?{$_.Displayname-match"admin"} #Search "admin" word in DisplayName# Get all attributes of a userGet-AzureADUser-ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}# Search attributes containing the word "password"Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD# All users from AzureADGet-AzureADUser-All $true|?{$_.OnPremisesSecurityIdentifier-eq$null}# All users synced from on-premGet-AzureADUser-All $true|?{$_.OnPremisesSecurityIdentifier-ne$null}# Objects created by a/any userGet-AzureADUser [-ObjectId<email>] |Get-AzureADUserCreatedObject# Devices owned by a userGet-AzureADUserOwnedDevice-ObjectId test@corp.onmicrosoft.com# Objects owned by a specific userGet-AzureADUserOwnedObject-ObjectId test@corp.onmicrosoft.com# Get groups & roles where the user is a memberGet-AzureADUserMembership-ObjectId 'test@corp.onmicrosoft.com'# Get devices owned by a userGet-AzureADUserOwnedDevice-ObjectId test@corp.onmicrosoft.com# Get devices registered by a userGet-AzureADUserRegisteredDevice-ObjectId test@defcorphq.onmicrosoft.com# Apps where a user has a role (role not shown)Get-AzureADUser-ObjectId roygcain@defcorphq.onmicrosoft.com |Get-AzureADUserAppRoleAssignment| fl *# Get Administrative Units of a user$userObj =Get-AzureADUser-Filter "UserPrincipalName eq 'bill@example.com'"Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
Azure AD Enumeration
Enumerate Azure AD Users
To list all users in Azure AD, you can use the following PowerShell command:
Get-AzureADUser
This command will return a list of all users in the Azure AD tenant.
Enumerate Azure AD Groups
To list all groups in Azure AD, you can use the following PowerShell command:
Get-AzureADGroup
This command will return a list of all groups in the Azure AD tenant.
Enumerate Azure AD Applications
To list all applications in Azure AD, you can use the following PowerShell command:
Get-AzureADApplication
This command will return a list of all applications in the Azure AD tenant.
Enumerate Azure AD Service Principals
To list all service principals in Azure AD, you can use the following PowerShell command:
Get-AzureADServicePrincipal
This command will return a list of all service principals in the Azure AD tenant.
Enumerate Azure AD Devices
To list all devices in Azure AD, you can use the following PowerShell command:
Get-AzureADDevice
This command will return a list of all devices in the Azure AD tenant.
# Enumerate usersGet-AzADUser# Get details of a userGet-AzADUser-UserPrincipalName test@defcorphq.onmicrosoft.com# Search user by stringGet-AzADUser-SearchString "admin"#Search at the beginnig of DisplayNameGet-AzADUser|?{$_.Displayname-match"admin"}# Get roles assigned to a userGet-AzRoleAssignment-SignInName test@corp.onmicrosoft.com
Authentification multifacteur (MFA) et politiques d'accès conditionnel
Il est fortement recommandé d'ajouter MFA à chaque utilisateur, cependant, certaines entreprises ne le mettront pas en place ou pourraient le configurer avec un Accès conditionnel : L'utilisateur sera obligé de passer par MFA s'il se connecte depuis un emplacement spécifique, un navigateur ou une certaine condition. Ces politiques, si elles ne sont pas configurées correctement, pourraient être sujettes à des contournements. Vérifiez :
# Enumerate groupsaz ad group listaz ad group list --query "[].[displayName]"-o table# Get info of 1 groupaz ad group show --group <group># Get "admin" groupsaz ad group list --query "[].displayName"| findstr /i "admin"az ad group list --query "[?contains(displayName,'admin')].displayName"# All groups from AzureADaz ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"# All groups synced from on-premaz ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"# Get members of groupaz ad group member list --group <group>--query "[].userPrincipalName"-o table# Check if member of groupaz ad group member check --group "VM Admins"--member-id <id># Get which groups a group is member ofaz ad group get-member-groups -g "VM Admins"# Get Apps where a group has a role (role not shown)Get-AzureADGroup-ObjectId <id>|Get-AzureADGroupAppRoleAssignment| fl *
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use tools like Azure AD Recon or Azure AD Connect to gather information about users, groups, and contacts.
Group Enumeration
You can enumerate groups in Azure AD using tools like Azure AD Recon or Azure AD Connect to identify different groups and their members.
Password Spraying
Password spraying attacks can be performed against Azure AD using tools like Spray or AzureSpray to attempt a few common passwords against many accounts to avoid account lockouts.
Brute Force Attacks
Brute force attacks can be carried out against Azure AD using tools like CrackMapExec or Mimikatz to crack passwords by trying all possible combinations until the correct one is found.
Token Impersonation
Token impersonation attacks can be conducted against Azure AD by intercepting tokens and using tools like Rubeus or Mimikatz to impersonate users and gain unauthorized access.
Password Cracking
Password cracking can be performed against Azure AD using tools like Hashcat or John the Ripper to crack hashed passwords obtained from the directory.
Password Spraying Protection
To protect against password spraying attacks in Azure AD, enable multi-factor authentication (MFA) for all users, enforce strong password policies, and monitor for multiple failed login attempts.
Token Impersonation Protection
To protect against token impersonation attacks in Azure AD, ensure secure token handling, regularly rotate keys and secrets, and monitor for unusual token activity.
Conclusion
Azure AD enumeration and password attacks are common techniques used by attackers to gain unauthorized access to Azure AD resources. It is essential to regularly audit Azure AD security settings, monitor for suspicious activities, and implement strong security measures to protect against these threats.
# Enumerate GroupsGet-AzureADGroup-All $true# Get info of 1 groupGet-AzADGroup-DisplayName <resource_group_name>| fl# Get "admin" groupsGet-AzureADGroup-SearchString "admin"| fl #Groups starting by "admin"Get-AzureADGroup-All $true|?{$_.Displayname-match"admin"} #Groups with the word "admin"# Get groups allowing dynamic membershipGet-AzureADMSGroup|?{$_.GroupTypes-eq'DynamicMembership'}# All groups that are from Azure ADGet-AzureADGroup-All $true|?{$_.OnPremisesSecurityIdentifier-eq$null}# All groups that are synced from on-prem (note that security groups are not synced)Get-AzureADGroup-All $true|?{$_.OnPremisesSecurityIdentifier-ne$null}# Get members of a groupGet-AzureADGroupMember-ObjectId <group_id># Get roles of groupGet-AzureADMSGroup-SearchString "Contoso_Helpdesk_Administrators"#Get group idGet-AzureADMSRoleAssignment-Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"# Get Administrative Units of a group$groupObj =Get-AzureADGroup-Filter "displayname eq 'TestGroup'"Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
Azure AD Enumeration
Enumerate Azure AD Users
To list all users in Azure AD, you can use the following PowerShell command:
Get-AzureADUser
This command will return a list of all users in the Azure AD tenant.
Enumerate Azure AD Groups
To list all groups in Azure AD, you can use the following PowerShell command:
Get-AzureADGroup
This command will return a list of all groups in the Azure AD tenant.
Enumerate Azure AD Applications
To list all applications in Azure AD, you can use the following PowerShell command:
Get-AzureADApplication
This command will return a list of all applications in the Azure AD tenant.
Enumerate Azure AD Service Principals
To list all service principals in Azure AD, you can use the following PowerShell command:
Get-AzureADServicePrincipal
This command will return a list of all service principals in the Azure AD tenant.
Enumerate Azure AD Devices
To list all devices in Azure AD, you can use the following PowerShell command:
Get-AzureADDevice
This command will return a list of all devices in the Azure AD tenant.
# Get all groupsGet-AzADGroup# Get details of a groupGet-AzADGroup-ObjectId <id># Search group by stringGet-AzADGroup-SearchString "admin"| fl *#Search at the beginnig of DisplayNameGet-AzADGroup|?{$_.Displayname-match"admin"}# Get members of groupGet-AzADGroupMember-GroupDisplayName <resource_group_name># Get roles of groupGet-AzRoleAssignment-ResourceGroupName <resource_group_name>
Ajouter un utilisateur à un groupe
Les propriétaires du groupe peuvent ajouter de nouveaux utilisateurs au groupe
Les groupes peuvent être dynamiques, ce qui signifie essentiellement que si un utilisateur remplit certaines conditions, il sera ajouté à un groupe. Bien sûr, si les conditions sont basées sur des attributs qu'un utilisateur peut contrôler, il pourrait abuser de cette fonctionnalité pour accéder à d'autres groupes.
Consultez comment abuser des groupes dynamiques sur la page suivante :
Notez que le Principal de service dans la terminologie PowerShell est appeléApplications d'entreprise dans le portail Azure (web).
# Get Service Principalsazadsplist--allazadsplist--all--query"[].[displayName]"-otable# Get details of one SPazadspshow--id00000000-0000-0000-0000-000000000000# Search SP by stringazadsplist--all--query"[?contains(displayName,'app')].displayName"# Get owner of service principalazadspownerlist--id<id>--query"[].[displayName]"-otable# Get service principals owned by the current userazadsplist--show-mine# List apps that have password credentialsazadsplist--all--query"[?passwordCredentials != null].displayName"# List apps that have key credentials (use of certificate authentication)azadsplist-all--query"[?keyCredentials != null].displayName"
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use tools like Azure AD Recon or Azure AD Connect to gather information about users, groups, and contacts.
Group Enumeration
You can enumerate groups in Azure AD using tools like Azure AD Recon or Azure AD Connect to identify different groups and their members.
Password Spraying
Password spraying attacks can be performed against Azure AD using tools like Spray or AzureSpray to attempt a few common passwords against many accounts to avoid account lockouts.
Brute Force Attacks
Brute force attacks can be carried out against Azure AD using tools like CrackMapExec or Mimikatz to crack passwords by trying all possible combinations until the correct one is found.
Token Impersonation
Token impersonation attacks can be conducted against Azure AD by intercepting tokens and using tools like Rubeus or Mimikatz to impersonate users and gain unauthorized access.
Password Cracking
Password cracking can be performed against Azure AD using tools like Hashcat or John the Ripper to crack hashed passwords obtained from the directory.
Password Spraying Protection
To protect against password spraying attacks in Azure AD, enable multi-factor authentication (MFA) for all users, enforce strong password policies, and monitor for multiple failed login attempts.
Token Impersonation Protection
To protect against token impersonation attacks in Azure AD, ensure secure token handling, regularly rotate keys and secrets, and monitor for unusual token activity.
Conclusion
Azure AD enumeration and password attacks are common techniques used by attackers to gain unauthorized access to Azure AD resources. It is essential to regularly audit Azure AD security settings, monitor for suspicious activities, and implement strong security measures to protect against these threats.
# Get Service PrincipalsGet-AzureADServicePrincipal-All $true# Get details about a SPGet-AzureADServicePrincipal-ObjectId <id>| fl *# Get SP by string name or IdGet-AzureADServicePrincipal-All $true|?{$_.DisplayName-match"app"} | flGet-AzureADServicePrincipal-All $true|?{$_.AppId-match"103947652-1234-5834-103846517389"}# Get owner of SPGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalOwner|fl *# Get objects owned by a SPGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalOwnedObject# Get objects created by a SPGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalCreatedObject# Get groups where the SP is a memberGet-AzureADServicePrincipal|Get-AzureADServicePrincipalMembershipGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalMembership|fl *
Azure AD Enumeration
Enumerate Azure AD Users
To list all users in Azure AD, you can use the following PowerShell command:
Get-AzureADUser
Enumerate Azure AD Groups
To list all groups in Azure AD, you can use the following PowerShell command:
Get-AzureADGroup
Enumerate Azure AD Applications
To list all applications in Azure AD, you can use the following PowerShell command:
Get-AzureADApplication
Enumerate Azure AD Service Principals
To list all service principals in Azure AD, you can use the following PowerShell command:
Get-AzureADServicePrincipal
Enumerate Azure AD Devices
To list all devices in Azure AD, you can use the following PowerShell command:
Get-AzureADDevice
Enumerate Azure AD Domains
To list all domains in Azure AD, you can use the following PowerShell command:
Get-AzureADDomain
Enumerate Azure AD Directory Roles
To list all directory roles in Azure AD, you can use the following PowerShell command:
Get-AzureADDirectoryRole
Enumerate Azure AD Directory Role Members
To list all members of a specific directory role in Azure AD, you can use the following PowerShell command:
Replace <DirectoryRoleObjectId> with the actual object ID of the directory role you want to enumerate members for.
# Get SPsGet-AzADServicePrincipal# Get info of 1 SPGet-AzADServicePrincipal-ObjectId <id># Search SP by stringGet-AzADServicePrincipal|?{$_.DisplayName-match"app"}# Get roles of a SPGet-AzRoleAssignment-ServicePrincipalName <String>
Azure AD Enumeration
Description
Azure AD enumeration is the process of gathering information about Azure AD users, groups, roles, and permissions. This information can be used by attackers to identify potential targets and plan further attacks.
Techniques
User Enumeration: Enumerating Azure AD users to gather information such as usernames, email addresses, and assigned roles.
Group Enumeration: Enumerating Azure AD groups to identify group members and their permissions.
Role Enumeration: Enumerating Azure AD roles to understand the permissions assigned to different roles.
Permission Enumeration: Enumerating Azure AD permissions to identify what actions can be performed by users or groups.
Tools
Azure AD PowerShell Module: Used to interact with Azure AD using PowerShell commands.
Azure AD Graph API: Allows developers to access Azure AD resources programmatically.
Azure Portal: Web-based interface for managing Azure AD resources.
Prevention
Implement strong password policies and multi-factor authentication.
Regularly review and update user permissions and roles.
</details>
### Rôles
<div data-gb-custom-block data-tag="tabs"></div>
<div data-gb-custom-block data-tag="tab" data-title='az cli'>
```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use the Graph API or tools like Azure AD Recon or Azure AD User Enumeration.
Graph API
You can use the Graph API to list users in Azure AD. Make a GET request to https://graph.microsoft.com/v1.0/users.
Azure AD Recon
Azure AD Recon is a tool that can be used to gather information about users, groups, and applications in Azure AD.
Azure AD User Enumeration
This tool allows you to enumerate users in Azure AD by trying to authenticate with a list of usernames.
Group Enumeration
To enumerate groups in Azure AD, you can use the Graph API or tools like Azure AD Recon or Azure AD User Enumeration.
Graph API
You can use the Graph API to list groups in Azure AD. Make a GET request to https://graph.microsoft.com/v1.0/groups.
Azure AD Recon
Azure AD Recon can also be used to enumerate groups in Azure AD.
Azure AD User Enumeration
This tool can also be used to enumerate groups in Azure AD by trying to authenticate with a list of group names.
Exploitation
Password Spraying
Password spraying attacks can be performed against Azure AD to try a small number of passwords across a large number of accounts.
Password Brute-Force
Brute-forcing passwords can be attempted against Azure AD accounts with weak passwords.
Phishing
Phishing attacks can be used to trick users into revealing their credentials, which can then be used to compromise Azure AD accounts.
Token Impersonation
If an attacker gains access to a user's token, they can impersonate that user and access resources in Azure AD on their behalf.
Password Policies Bypass
Attempting to bypass password policies in Azure AD can allow attackers to set weak passwords for accounts.
OAuth Token Abuse
Abusing OAuth tokens can allow attackers to gain unauthorized access to resources in Azure AD.
Privilege Escalation
Finding and exploiting privilege escalation vulnerabilities in Azure AD can allow attackers to gain higher levels of access.
Federation Trust Exploitation
Exploiting federation trust misconfigurations can allow attackers to gain unauthorized access to Azure AD resources.
Application Registration Abuse
Abusing application registrations in Azure AD can lead to unauthorized access to resources or data leakage.
Multi-Factor Authentication Bypass
Bypassing multi-factor authentication controls in Azure AD can allow attackers to access accounts with only a password.
Account Lockout Policy Bypass
Bypassing account lockout policies in Azure AD can allow attackers to perform password spraying attacks without being locked out.
Pass-the-Hash
Pass-the-Hash attacks can be used to authenticate to Azure AD using NTLM hashes without knowing the actual password.
Pass-the-Ticket
Pass-the-Ticket attacks involve using Kerberos tickets to authenticate to Azure AD without knowing the user's password.
Golden Ticket
Creating a Golden Ticket can allow attackers to gain persistent access to Azure AD resources by forging Kerberos tickets.
Silver Ticket
Silver Tickets can be used to impersonate users and access resources in Azure AD without knowing the user's password.
DCSync
DCSync attacks can be used to retrieve password data from Azure AD using the Directory Replication Service Remote Protocol.
DCShadow
DCShadow attacks can be used to create and manipulate Active Directory objects in Azure AD without being detected.
Overprivileged Applications
Identifying and exploiting overprivileged applications in Azure AD can lead to unauthorized access to resources.
Data Exfiltration
Exfiltrating data from Azure AD can result in the leakage of sensitive information stored in the directory.
Domain Trust Exploitation
Exploiting domain trusts in Azure AD can allow attackers to move laterally between different domains in a forest.
Kerberoasting
Kerberoasting attacks can be used to extract service account credentials from Azure AD by requesting Kerberos tickets.
AS-REP Roasting
AS-REP Roasting attacks can be used to extract password hashes of user accounts that don't require pre-authentication.
Certificate Abuse
Abusing certificates in Azure AD can allow attackers to gain unauthorized access to resources or services.
Azure AD Connect Exploitation
Exploiting misconfigurations in Azure AD Connect can lead to unauthorized access to Azure AD resources.
Azure AD Seamless SSO Abuse
Abusing Azure AD Seamless SSO can allow attackers to gain access to Azure AD resources without authentication.
Azure AD Conditional Access Bypass
Bypassing Azure AD Conditional Access policies can allow attackers to access resources without meeting the required conditions.
Azure AD Privileged Identity Management (PIM) Abuse
Abusing Azure AD PIM can lead to unauthorized elevation of privileges in Azure AD.
Azure AD Application Permissions Abuse
Abusing application permissions in Azure AD can lead to unauthorized access to resources or data leakage.
Azure AD Role Permissions Abuse
Abjsong role permissions in Azure AD can allow attackers to gain unauthorized access to resources.
Azure AD Security Defaults Bypass
Bypassing Azure AD Security Defaults can allow attackers to circumvent basic security measures in Azure AD.
Azure AD Sign-Ins Manipulation
Manipulating Azure AD sign-ins can allow attackers to hide their malicious activities from detection.
Azure AD Risky Sign-Ins Abuse
Abusing risky sign-ins policies in Azure AD can lead to unauthorized access to resources.
Azure AD Identity Protection Abuse
Abusing Azure AD Identity Protection features can lead to unauthorized access to resources or data leakage.
Azure AD Smart Lockout Bypass
Bypassing Azure AD Smart Lockout can allow attackers to perform password spraying attacks without being locked out.
Azure AD Password Protection Bypass
Bypassing Azure AD Password Protection can allow attackers to set weak passwords for accounts.
Azure AD Password Hash Sync Abuse
Abusing Azure AD Password Hash Sync can lead to unauthorized access to Azure AD resources.
Azure AD Password Writeback Abuse
Abusing Azure AD Password Writeback can lead to unauthorized access to on-premises AD resources.
Azure AD Password Reset Poisoning
Poisoning Azure AD password reset processes can allow attackers to take over user accounts.
Azure AD Token Authentication Abuse
Abusing Azure AD token authentication mechanisms can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Ab abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can lead to unauthorized access to resources.
Azure AD Token Encryption Key Abuse
Abusing Azure AD token encryption keys can lead to unauthorized access to encrypted data.
Azure AD Token Revocation Abuse
Abusing Azure AD token revocation mechanisms can lead to unauthorized access to resources.
Azure AD Token Expiration Abuse
Abusing Azure AD token expiration settings can lead to prolonged unauthorized access to resources.
Azure AD Token Leak
Leaking Azure AD tokens can lead to unauthorized access to resources.
Azure AD Token Replay
Replaying Azure AD tokens can allow attackers to reuse valid tokens to access resources.
Azure AD Token Theft
Stealing Azure AD tokens can allow attackers to impersonate users and access resources.
Azure AD Token Manipulation
Manipulating Azure AD tokens can allow attackers to modify token properties for malicious purposes.
Azure AD Token Signing Key Abuse
Abusing Azure AD token signing keys can
# Get all available role templatesGet-AzureADDirectoryroleTemplate# Get enabled roles (Assigned roles)Get-AzureADDirectoryRoleGet-AzureADDirectoryRole-ObjectId <roleID>#Get info about the role# Get custom roles - use AzureAdPreviewGet-AzureADMSRoleDefinition|?{$_.IsBuiltin-eq$False} | select DisplayName# Users assigned a role (Global Administrator)Get-AzureADDirectoryRole-Filter "DisplayName eq 'Global Administrator'"|Get-AzureADDirectoryRoleMemberGet-AzureADDirectoryRole-ObjectId <id>| fl# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)Get-AzureADMSScopedRoleMembership-Id <id>| fl *
Azure AD Connect
Export Azure AD Connect Configuration
To export the Azure AD Connect configuration, you can use the following PowerShell command:
Get-ADSyncServerConfiguration
This command will display the current configuration of Azure AD Connect, including parameters like AADConnectSyncCycleInterval, AADConnectSyncCycleEnabled, AADConnectSyncCycleEnabled, and more.
Export Azure AD Connect Sync Rules
To export the Azure AD Connect synchronization rules, you can use the following PowerShell command:
Get-ADSyncRule
This command will show you the synchronization rules configured in Azure AD Connect, including details like Description, Direction, Enabled, Precedence, and more.
Export Azure AD Connect Metaverse Rules
To export the Azure AD Connect metaverse rules, you can use the following PowerShell command:
Get-ADSyncMetaverseRule
This command will list the metaverse rules defined in Azure AD Connect, providing information like Description, Direction, Enabled, PrePrecedence, and more.
Export Azure AD Connect Password Settings
To export the Azure AD Connect password settings, you can use the following PowerShell command:
Get-ADSyncPasswordPolicy
This command will show you the current password policy settings in Azure AD Connect, including parameters like PasswordSyncEnabled, PasswordWriteBackEnabled, PasswordHashSyncEnabled, and more.
Export Azure AD Connect Health Data
To export the Azure AD Connect health data, you can use the following PowerShell command:
Get-ADSyncConnector
This command will provide you with information about the connectors in Azure AD Connect, including details like DisplayName, ConnectorType, Enabled, ConnectionState, and more.
# Get role assignments on the subscriptionGet-AzRoleDefinition# Get Role definitionGet-AzRoleDefinition-Name "Virtual Machine Command Executor"# Get roles of a user or resourceGet-AzRoleAssignment-SignInName test@corp.onmicrosoft.comGet-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get permissions over a resource using ARM directly$Token = (Get-AzAccessToken).Token$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams =@{Method ='GET'Uri = $URIHeaders =@{'Authorization'="Bearer $Token"}}(Invoke-RestMethod @RequestParams).value
Appareils
# If you know how to do this send a PR!
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use tools like Azure AD Recon or Azure AD Connect to gather information about users, groups, and contacts.
Group Enumeration
You can enumerate groups in Azure AD using tools like Azure AD Recon or Azure AD Connect to identify different groups and their members.
Password Spraying
Password spraying attacks can be performed against Azure AD using tools like Spray or AzureSpray to attempt a few common passwords against many accounts to avoid account lockouts.
Brute Force Attacks
Brute force attacks can be carried out against Azure AD using tools like CrackMapExec or Mimikatz to crack passwords by trying all possible combinations until the correct one is found.
Token Impersonation
Token impersonation attacks can be conducted against Azure AD by intercepting tokens and using tools like Rubeus or Mimikatz to impersonate users and gain unauthorized access.
Password Cracking
Password cracking can be performed against Azure AD using tools like Hashcat or John the Ripper to crack hashed passwords obtained from the directory.
Password Spraying Protection
To protect against password spraying attacks in Azure AD, enable multi-factor authentication (MFA) for all users, enforce strong password policies, and monitor for multiple failed login attempts.
Token Impersonation Protection
To protect against token impersonation attacks in Azure AD, ensure secure token handling, regularly rotate keys and secrets, and monitor for unusual token activity.
Conclusion
Azure AD enumeration and password attacks are common techniques used by attackers to gain unauthorized access to Azure AD resources. It is essential to regularly audit Azure AD security settings, monitor for suspicious activities, and implement strong security measures to protect against these threats.
# Enumerate DevicesGet-AzureADDevice-All $true| fl *# List all the active devices (and not the stale devices)Get-AzureADDevice-All $true|?{$_.ApproximateLastLogonTimeStamp-ne$null}# Get owners of all devicesGet-AzureADDevice-All $true|Get-AzureADDeviceRegisteredOwnerGet-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registred users of all the devicesGet-AzureADDevice-All $true|Get-AzureADDeviceRegisteredUserGet-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get dives managed using IntuneGet-AzureADDevice-All $true|?{$_.IsCompliant-eq"True"}# Get devices owned by a userGet-AzureADUserOwnedDevice-ObjectId test@corp.onmicrosoft.com# Get Administrative Units of a deviceGet-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }
Si un appareil (VM) est joint à AzureAD, les utilisateurs d'AzureAD pourront se connecter.
De plus, si l'utilisateur connecté est Propriétaire de l'appareil, il sera administrateur local.
Applications
Les Applications sont des Enregistrements d'application dans le portail (pas des Applications d'entreprise).
Mais chaque Enregistrement d'application va créer une Application d'entreprise (Principal de service) avec le même nom.
De plus, si l'Application est une Application multi-locataire, une autre Application d'entreprise (Principal de service) sera créée dans ce locataire avec le même nom.
Lorsqu'une Application est générée, 2 types d'autorisations sont données :
Autorisations données au Principal de service
Autorisations que l'application peut avoir et utiliser au nom de l'utilisateur.
# List Appsazadapplistazadapplist--query"[].[displayName]"-otable# Get info of 1 Appazadappshow--id00000000-0000-0000-0000-000000000000# Search App by stringazadapplist--query"[?contains(displayName,'app')].displayName"# Get the owner of an applicationazadappownerlist--id<id>--query"[].[displayName]"-otable# List all the apps with an application passwordazadapplist--query"[?passwordCredentials != null].displayName"# List apps that have key credentials (use of certificate authentication)azadapplist--query"[?keyCredentials != null].displayName"
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use tools like Azure AD Recon or Azure AD Connect to gather information about users, groups, and contacts.
Group Enumeration
You can enumerate groups in Azure AD using tools like Azure AD Recon or Azure AD Connect to identify different groups and their members.
Password Spraying
Password spraying attacks can be performed against Azure AD using tools like Spray or AzureSpray to attempt a few common passwords against multiple accounts to avoid account lockouts.
Brute Force Attacks
Brute force attacks can be conducted against Azure AD using tools like CrackMapExec or Mimikatz to crack passwords by trying all possible combinations until the correct one is found.
Password Attacks
Password attacks can be carried out against Azure AD using tools like Mimikatz or CrackMapExec to extract password hashes and perform offline password cracking.
Token Impersonation
Token impersonation attacks can be executed against Azure AD using tools like Rubeus or Mimikatz to steal and impersonate user tokens to gain unauthorized access.
Password Spraying Protection
To protect against password spraying attacks in Azure AD, you can enforce strong password policies, enable multi-factor authentication, and monitor for unusual login activities.
Brute Force Protection
To defend against brute force attacks in Azure AD, you can implement account lockout policies, use strong and complex passwords, and regularly audit and monitor login attempts.
Token Impersonation Protection
To mitigate token impersonation attacks in Azure AD, you can limit user privileges, regularly rotate tokens, and monitor for suspicious token usage.
Conclusion
Azure AD is a critical component of Microsoft Azure, and securing it is essential to maintaining a secure cloud environment. By understanding common attack techniques and implementing appropriate security measures, you can better protect your Azure AD instance from unauthorized access and data breaches.
# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id> | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *
Azure AD Enumeration
Enumerate Azure AD Users
To list all users in Azure AD, you can use the following PowerShell command:
Get-AzureADUser
This command will return a list of all users in the Azure AD tenant.
Enumerate Azure AD Groups
To list all groups in Azure AD, you can use the following PowerShell command:
Get-AzureADGroup
This command will return a list of all groups in the Azure AD tenant.
Enumerate Azure AD Applications
To list all applications in Azure AD, you can use the following PowerShell command:
Get-AzureADApplication
This command will return a list of all applications in the Azure AD tenant.
Enumerate Azure AD Service Principals
To list all service principals in Azure AD, you can use the following PowerShell command:
Get-AzureADServicePrincipal
This command will return a list of all service principals in the Azure AD tenant.
Enumerate Azure AD Devices
To list all devices in Azure AD, you can use the following PowerShell command:
Get-AzureADDevice
This command will return a list of all devices in the Azure AD tenant.
# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential
Une application avec la permission AppRoleAssignment.ReadWrite peut escalader en tant qu'administrateur global en se donnant le rôle.
Pour plus d'informations, consultez ceci.
Une chaîne secrète que l'application utilise pour prouver son identité lors de la demande d'un jeton est le mot de passe de l'application.
Ainsi, si vous trouvez ce mot de passe, vous pouvez accéder en tant que principal de serviceà l'intérieur du locataire.
Notez que ce mot de passe n'est visible que lorsqu'il est généré (vous pourriez le changer mais vous ne pouvez pas le récupérer).
Le propriétaire de l'application peut ajouter un mot de passe (pour pouvoir l'usurper).
Les connexions en tant que ces principaux de service ne sont pas marquées comme risquées et elles n'auront pas de MFA.
Différence entre Applications & (Applications d'entreprise ou Principaux de service)
Différence entre une application et un Principal de service dans Azure :
Applications/Inscriptions d'application : Ce sont des applications qui existent dans votre Azure AD
Principal de service/Applications d'entreprise : Objets de sécurité dans votre Azure AD qui peuvent avoir des privilèges dans le répertoire Azure et sont liés soit à votre application, soit à une application tierce
Un administrateur peut avoir besoin d'approuver les autorisations données si elles sont très sensibles.
Une application peut être exécutée dans un locataire tiers et une fois que vous commencez à l'utiliser et à lui donner accès, une Application d'entreprise/Principal de service est créé dans votre locataire pour lui donner accès aux informations dont elle a besoin :
Unités administratives
Elles sont utilisées pour une meilleure gestion des utilisateurs.
Les unités administratives restreignent les autorisations dans un rôle à une partie de votre organisation que vous définissez. Vous pourriez, par exemple, utiliser des unités administratives pour déléguer le rôle Administrateur du service d'assistance à des spécialistes du support régional, afin qu'ils puissent gérer les utilisateurs uniquement dans la région qu'ils supportent.
Par conséquent, vous pouvez attribuer des rôles à l'unité administrative et ses membres auront ces rôles.
AzureAD
Enumeration
User Enumeration
User enumeration can be performed by making requests to the Azure AD Graph API or Microsoft Graph API. This can reveal valid usernames within the Azure AD tenant.
Group Enumeration
Group enumeration can also be done using the Azure AD Graph API or Microsoft Graph API. This can provide information about existing groups within the Azure AD tenant.
Brute Force Attacks
Brute force attacks can be attempted against Azure AD accounts to guess passwords and gain unauthorized access. Tools like Hydra or custom scripts can be used for this purpose.
Password Spraying
Password spraying involves attempting a single password against multiple accounts to avoid account lockouts. This technique can be used to bypass account lockout policies in Azure AD.
Phishing Attacks
Phishing attacks can be used to trick users into revealing their credentials, which can then be used to gain unauthorized access to Azure AD accounts.
Token Manipulation
Token manipulation techniques can be used to manipulate authentication tokens and gain unauthorized access to resources in Azure AD.
Password Policies
Understanding the password policies in Azure AD can help in crafting effective password guessing attacks and improving the success rate of brute force attacks.
Multi-Factor Authentication Bypass
Exploiting vulnerabilities or misconfigurations in multi-factor authentication implementations can lead to bypassing MFA and gaining unauthorized access to Azure AD accounts.
Account Lockout Policies
Understanding and testing the account lockout policies in Azure AD can help in determining the effectiveness of brute force attacks and password spraying techniques.
Privilege Escalation
Identifying and exploiting privilege escalation vulnerabilities in Azure AD can lead to gaining higher levels of access within the tenant.
Data Exfiltration
Once access has been gained, sensitive data within Azure AD can be exfiltrated using various techniques such as downloading user data or extracting information from Azure AD applications.
Monitoring and Logging
Monitoring and logging activities within Azure AD can help in detecting and responding to unauthorized access attempts and potential security incidents.
Security Best Practices
Following security best practices such as enforcing strong passwords, enabling multi-factor authentication, and regularly reviewing and updating security configurations can help in securing Azure AD against various attacks.
# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
Protection de l'identité Azure AD (AIP)
La Protection de l'identité Azure AD (AIP) est un service de sécurité qui utilise la détection automatisée et la remédiation pour aider à protéger les identités des utilisateurs dans Azure Active Directory contre les compromissions. AIP surveille en continu et évalue les risques liés aux connexions des utilisateurs et aux configurations d'identité, appliquant automatiquement des mesures de sécurité appropriées, telles que l'exigence d'une authentification multi-facteurs ou le blocage d'activités potentiellement dangereuses. Cela aide les organisations à prévenir les violations de sécurité basées sur l'identité.
Flux :
La Protection de l'identité Azure AD surveille les activités des utilisateurs et collecte des données sur les connexions, les événements d'authentification et d'autres activités pertinentes.
Le service utilise des algorithmes d'apprentissage automatique pour analyser ces données et détecter les menaces potentielles à la sécurité.
La Protection de l'identité Azure AD attribue un niveau de risque à la menace (par exemple, une connexion) et génère une alerte si nécessaire pour effectuer une action automatique.
Protection des mots de passe Azure AD (APP)
La Protection des mots de passe Azure AD (APP) est une fonctionnalité de sécurité qui aide à prévenir les mots de passe faibles dans Azure Active Directory en imposant des politiques de mots de passe solides. APP bloque les mots de passe faibles couramment utilisés et leurs variantes, réduisant ainsi le risque de violations liées aux mots de passe. Elle peut être appliquée à la fois au niveau cloud et sur l'Active Directory sur site, améliorant ainsi la sécurité globale des mots de passe dans l'organisation.