Azure Active Directory (Azure AD)는 Microsoft의 클라우드 기반 신원 및 액세스 관리 서비스로 작동합니다. 이는 직원들이 조직 내외의 리소스에 로그인하고 액세스할 수 있도록 하는 데 중요한 역할을 합니다. 이는 Microsoft 365, Azure 포털 및 다양한 기타 SaaS 애플리케이션을 포함합니다. Azure AD의 설계는 인증, 권한 부여 및 사용자 관리를 중점적으로 제공하는 핵심 신원 서비스를 제공하는 데 초점을 맞추고 있습니다.
Azure AD의 주요 기능은 다중 요소 인증 및 조건부 액세스를 포함하며, 다른 Microsoft 보안 서비스와의 원활한 통합도 가능합니다. 이러한 기능은 사용자 신원의 보안을 크게 향상시키고 조직이 액세스 정책을 효과적으로 구현하고 강제할 수 있도록 지원합니다. Microsoft의 클라우드 서비스 생태계의 기본 구성 요소로서, Azure AD는 사용자 신원의 클라우드 기반 관리에 중요한 역할을 합니다.
AzureAD는 Azure AD를 관리하기 위한 Microsoft의 PowerShell 모듈입니다. Azure AD 개체의 모든 속성을 표시하지 않으며 Azure 리소스 정보에 액세스하는 데 사용할 수 없습니다.
Az PowerShell는 PowerShell 명령줄에서 Azure 리소스를 관리하기 위한 모듈입니다.
연결
azlogin#This will open the browserazlogin-u<username>-p<password>#Specify user and passwordazlogin--identity#Use the current machine managed identity (metadata)az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principalaz login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert
# Request access token (ARM)azaccountget-access-token# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
azaccountget-access-token--resource-typeaad-graph# If you want to configure some defaultsazconfigure# Get user logged-in alreadyazadsigned-in-usershow# Helpazfind"vm"# Find vm commandsazvm-h# Get subdomainsazaduserlist--query-examples# Get examples
Connect-AzureAD#Open browser# Using credentials$passwd =ConvertTo-SecureString"Welcome2022!"-AsPlainText -Force$creds =New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)Connect-AzureAD-Credential $creds# Using tokens## AzureAD cannot request tokens, but can use AADGraph and MSGraph tokens to connectConnect-AzureAD-AccountId test@corp.onmicrosoft.com -AadAccessToken $token
Az PowerShell
Azure CLI
Python
Ruby
REST API
PowerShell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave
Powershell
Bash
C#
Java
JavaScript
Go
TypeScript
PHP
Objective-C
Swift
Kotlin
Rust
C
C++
Perl
Haskell
Lua
Scala
Groovy
R
Julia
MATLAB
Octave{%
Connect-AzAccount#Open browser# Using credentials$passwd =ConvertTo-SecureString"Welcome2022!"-AsPlainText -Force$creds =New-Object System.Management.Automation.PSCredential("test@corp.onmicrosoft.com", $passwd)Connect-AzAccount-Credential $creds# Get Access Token(Get-AzAccessToken).Token# Request access token to other endpoints: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse
Get-AzAccessToken-ResourceTypeName MSGraph(Get-AzAccessToken-Resource "https://graph.microsoft.com").Token# Conenct with access tokenConnect-AzAccount-AccountId test@corp.onmicrosoft.com -AccessToken $tokenConnect-AzAccount-AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>## The -AccessToken is from management.azure.com# Connect with Service principal/enterprise app secret$password =ConvertTo-SecureString'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF'-AsPlainText -Force$creds =New-ObjectSystem.Management.Automation.PSCredential('2923847f-fca2-a420-df10-a01928bec653', $password)Connect-AzAccount-ServicePrincipal -Credential $creds -Tenant 29sd87e56-a192-a934-bca3-0398471ab4e7d#All the Azure AD cmdlets have the format *-AzAD*Get-Command*azad*#Cmdlets for other Azure resources have the format *Az*Get-Command*az*
# Request tokens to access endpoints# ARMcurl"$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01"-Hsecret:$IDENTITY_HEADER# Vaultcurl"$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01"-Hsecret:$IDENTITY_HEADER
CLI를 통해 Azure에 로그인할 때, Microsoft에 속한 테넌트의 Azure 애플리케이션을 사용합니다. 계정에서 생성할 수 있는 애플리케이션과 마찬가지로, 이러한 애플리케이션에는 클라이언트 ID가 있습니다. 콘솔에서 볼 수 있는 허용된 애플리케이션 목록에서 모든 애플리케이션을 볼 수는 없지만, 기본적으로 허용됩니다.
예를 들어, PowerShell 스크립트는 클라이언트 ID 1950a258-227b-4e31-a9cf-717495945fc2를 사용하는 앱을 사용하여 인증합니다. 콘솔에 앱이 표시되지 않더라도 시스템 관리자는 해당 애플리케이션을 차단하여 사용자가 해당 앱을 통해 연결하는 도구를 사용하지 못하도록 할 수 있습니다.
그러나 Azure에 연결할 수 있는 다른 애플리케이션의 클라이언트 ID도 있습니다:
# The important part is the ClientId, which identifies the application to login inside Azure$token =Invoke-Authorize-Credential $credential `-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d'`-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email'`-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/"`-Verbose -Debug `-InformationAction Continue$token =Invoke-Authorize-Credential $credential `-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9'`-Scope 'openid profile Sites.Read.All User.Read email'`-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah"`-Verbose -Debug `-InformationAction Continue$token =Invoke-Authorize-Credential $credential `-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095'`-Scope 'openid'`-Redirect_Uri "https://graphexplorer.azurewebsites.net/"`-Verbose -Debug `-InformationAction Continue
사용자
# Enumerate usersazaduserlist--outputtableazaduserlist--query"[].userPrincipalName"# Get info of 1 userazadusershow--id"test@corp.onmicrosoft.com"# Search "admin" usersazaduserlist--query"[].displayName"|findstr/i"admin"azaduserlist--query"[?contains(displayName,'admin')].displayName"# Search attributes containing the word "password"azaduserlist|findstr/i"password"|findstr/v"null,"# All users from AzureADazaduserlist--query"[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"azaduserlist--query"[?onPremisesSecurityIdentifier==null].displayName"# All users synced from on-premazaduserlist--query"[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"azaduserlist--query"[?onPremisesSecurityIdentifier!=null].displayName"# Get groups where the user is a memberazaduserget-member-groups--id<email># Get roles assigned to the userazroleassignmentlist--include-groups--include-classic-administratorstrue--assignee<email>
Azure AD
# Enumerate UsersGet-AzureADUser-All $trueGet-AzureADUser-All $true| select UserPrincipalName# Get info of 1 userGet-AzureADUser-ObjectId test@corp.onmicrosoft.com | fl# Search "admin" usersGet-AzureADUser-SearchString "admin"#Search admin at the begining of DisplayName or userPrincipalNameGet-AzureADUser-All $true|?{$_.Displayname-match"admin"} #Search "admin" word in DisplayName# Get all attributes of a userGet-AzureADUser-ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}# Search attributes containing the word "password"Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD# All users from AzureADGet-AzureADUser-All $true|?{$_.OnPremisesSecurityIdentifier-eq$null}# All users synced from on-premGet-AzureADUser-All $true|?{$_.OnPremisesSecurityIdentifier-ne$null}# Objects created by a/any userGet-AzureADUser [-ObjectId<email>] |Get-AzureADUserCreatedObject# Devices owned by a userGet-AzureADUserOwnedDevice-ObjectId test@corp.onmicrosoft.com# Objects owned by a specific userGet-AzureADUserOwnedObject-ObjectId test@corp.onmicrosoft.com# Get groups & roles where the user is a memberGet-AzureADUserMembership-ObjectId 'test@corp.onmicrosoft.com'# Get devices owned by a userGet-AzureADUserOwnedDevice-ObjectId test@corp.onmicrosoft.com# Get devices registered by a userGet-AzureADUserRegisteredDevice-ObjectId test@defcorphq.onmicrosoft.com# Apps where a user has a role (role not shown)Get-AzureADUser-ObjectId roygcain@defcorphq.onmicrosoft.com |Get-AzureADUserAppRoleAssignment| fl *# Get Administrative Units of a user$userObj =Get-AzureADUser-Filter "UserPrincipalName eq 'bill@example.com'"Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
Azure AD는 Azure 클라우드 서비스의 중요한 구성 요소입니다. Azure AD는 사용자, 그룹 및 애플리케이션에 대한 인증 및 권한 부여를 관리합니다. Azure AD를 펜테스트하려면 다음 단계를 따르십시오.
Az PowerShell 모듈을 설치하십시오.
Install-Module -Name Az -AllowClobber -Scope CurrentUser
# Enumerate usersGet-AzADUser# Get details of a userGet-AzADUser-UserPrincipalName test@defcorphq.onmicrosoft.com# Search user by stringGet-AzADUser-SearchString "admin"#Search at the beginnig of DisplayNameGet-AzADUser|?{$_.Displayname-match"admin"}# Get roles assigned to a userGet-AzRoleAssignment-SignInName test@corp.onmicrosoft.com
# Enumerate groupsaz ad group listaz ad group list --query "[].[displayName]"-o table# Get info of 1 groupaz ad group show --group <group># Get "admin" groupsaz ad group list --query "[].displayName"| findstr /i "admin"az ad group list --query "[?contains(displayName,'admin')].displayName"# All groups from AzureADaz ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"# All groups synced from on-premaz ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"# Get members of groupaz ad group member list --group <group>--query "[].userPrincipalName"-o table# Check if member of groupaz ad group member check --group "VM Admins"--member-id <id># Get which groups a group is member ofaz ad group get-member-groups -g "VM Admins"# Get Apps where a group has a role (role not shown)Get-AzureADGroup-ObjectId <id>|Get-AzureADGroupAppRoleAssignment| fl *
Azure AD
# Enumerate GroupsGet-AzureADGroup-All $true# Get info of 1 groupGet-AzADGroup-DisplayName <resource_group_name>| fl# Get "admin" groupsGet-AzureADGroup-SearchString "admin"| fl #Groups starting by "admin"Get-AzureADGroup-All $true|?{$_.Displayname-match"admin"} #Groups with the word "admin"# Get groups allowing dynamic membershipGet-AzureADMSGroup|?{$_.GroupTypes-eq'DynamicMembership'}# All groups that are from Azure ADGet-AzureADGroup-All $true|?{$_.OnPremisesSecurityIdentifier-eq$null}# All groups that are synced from on-prem (note that security groups are not synced)Get-AzureADGroup-All $true|?{$_.OnPremisesSecurityIdentifier-ne$null}# Get members of a groupGet-AzureADGroupMember-ObjectId <group_id># Get roles of groupGet-AzureADMSGroup-SearchString "Contoso_Helpdesk_Administrators"#Get group idGet-AzureADMSRoleAssignment-Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"# Get Administrative Units of a group$groupObj =Get-AzureADGroup-Filter "displayname eq 'TestGroup'"Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
Azure AD는 Azure 클라우드 서비스의 중요한 구성 요소입니다. Azure AD는 사용자, 그룹 및 애플리케이션에 대한 인증 및 권한 부여를 관리합니다. Azure AD를 펜테스트하려면 다음 단계를 따르십시오.
Az PowerShell 모듈을 설치하십시오.
Install-Module -Name Az -AllowClobber -Scope CurrentUser
# Get all groupsGet-AzADGroup# Get details of a groupGet-AzADGroup-ObjectId <id># Search group by stringGet-AzADGroup-SearchString "admin"| fl *#Search at the beginnig of DisplayNameGet-AzADGroup|?{$_.Displayname-match"admin"}# Get members of groupGet-AzADGroupMember-GroupDisplayName <resource_group_name># Get roles of groupGet-AzRoleAssignment-ResourceGroupName <resource_group_name>
그룹은 동적일 수 있습니다. 이는 사용자가 특정 조건을 충족하면 그룹에 추가된다는 것을 의미합니다. 물론, 조건이 속성에 기반한 경우 사용자가 제어할 수 있는 경우, 이 기능을 악용하여 다른 그룹에 들어갈 수 있습니다.
다음 페이지에서 동적 그룹을 악용하는 방법을 확인하세요:
# Get Service Principalsazadsplist--allazadsplist--all--query"[].[displayName]"-otable# Get details of one SPazadspshow--id00000000-0000-0000-0000-000000000000# Search SP by stringazadsplist--all--query"[?contains(displayName,'app')].displayName"# Get owner of service principalazadspownerlist--id<id>--query"[].[displayName]"-otable# Get service principals owned by the current userazadsplist--show-mine# List apps that have password credentialsazadsplist--all--query"[?passwordCredentials != null].displayName"# List apps that have key credentials (use of certificate authentication)azadsplist-all--query"[?keyCredentials != null].displayName"
Azure AD
# Get Service PrincipalsGet-AzureADServicePrincipal-All $true# Get details about a SPGet-AzureADServicePrincipal-ObjectId <id>| fl *# Get SP by string name or IdGet-AzureADServicePrincipal-All $true|?{$_.DisplayName-match"app"} | flGet-AzureADServicePrincipal-All $true|?{$_.AppId-match"103947652-1234-5834-103846517389"}# Get owner of SPGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalOwner|fl *# Get objects owned by a SPGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalOwnedObject# Get objects created by a SPGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalCreatedObject# Get groups where the SP is a memberGet-AzureADServicePrincipal|Get-AzureADServicePrincipalMembershipGet-AzureADServicePrincipal-ObjectId <id>|Get-AzureADServicePrincipalMembership|fl *
Az PowerShell
# Get SPsGet-AzADServicePrincipal# Get info of 1 SPGet-AzADServicePrincipal-ObjectId <id># Search SP by stringGet-AzADServicePrincipal|?{$_.DisplayName-match"app"}# Get roles of a SPGet-AzRoleAssignment-ServicePrincipalName <String>
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use the following methods:
1. Azure AD Graph API
You can use the Azure AD Graph API to retrieve information about users in Azure AD. The API provides various endpoints to query user data, such as /users and /users/{user_id}.
2. Microsoft Graph API
The Microsoft Graph API is the recommended API for accessing Azure AD resources, including user information. You can use the /users endpoint to retrieve a list of users or the /users/{user_id} endpoint to retrieve information about a specific user.
Group Enumeration
To enumerate groups in Azure AD, you can use the following methods:
1. Azure AD Graph API
You can use the Azure AD Graph API to retrieve information about groups in Azure AD. The API provides various endpoints to query group data, such as /groups and /groups/{group_id}.
2. Microsoft Graph API
The Microsoft Graph API is the recommended API for accessing Azure AD resources, including group information. You can use the /groups endpoint to retrieve a list of groups or the /groups/{group_id} endpoint to retrieve information about a specific group.
Exploitation
Password Spraying
Password spraying is a technique used to bypass account lockout policies by attempting a small number of common passwords against multiple user accounts. This technique is effective against Azure AD when weak passwords are used.
To perform password spraying against Azure AD, you can use tools like Spray or AzureSpray. These tools automate the process of trying a list of common passwords against a large number of user accounts.
Password Hash Cracking
If you have obtained the password hashes of user accounts in Azure AD, you can attempt to crack them to obtain the plaintext passwords. This can be done using tools like John the Ripper or Hashcat.
Token Impersonation
Token impersonation is a technique used to impersonate a user by stealing their access token. In Azure AD, you can use the Get-AzureADUserOAuth2PermissionGrant PowerShell cmdlet to retrieve access tokens for users.
Once you have obtained an access token, you can use it to authenticate as the user and perform actions on their behalf. This can be useful for privilege escalation or accessing resources that the user has permissions for.
Privilege Escalation
To escalate privileges in Azure AD, you can try the following techniques:
1. Role Assignment
You can assign a user or group a higher privileged role in Azure AD, such as Global Administrator or Application Administrator. This can give the user or group additional permissions and access to sensitive resources.
2. Service Principal Abuse
Service principals are non-human accounts that can be used to authenticate and authorize access to Azure resources. By abusing service principals, you can gain elevated privileges and access to resources that the service principal has permissions for.
3. OAuth Consent Abuse
OAuth consent abuse involves tricking a user into granting permissions to a malicious application. By abusing OAuth consent, you can gain access to the user's data and perform actions on their behalf.
Account Takeover
Account takeover is the process of gaining unauthorized access to a user's account. In Azure AD, you can attempt account takeover by exploiting vulnerabilities like weak passwords, password reuse, or password reset vulnerabilities.
Once you have gained access to a user's account, you can perform various actions, such as accessing sensitive data, sending phishing emails, or performing lateral movement within the Azure AD environment.
</details>
### 역할
<div data-gb-custom-block data-tag="tabs">
<div data-gb-custom-block data-tag="tab" data-title='az cli'>
```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
Azure AD
# Get all available role templatesGet-AzureADDirectoryroleTemplate# Get enabled roles (Assigned roles)Get-AzureADDirectoryRoleGet-AzureADDirectoryRole-ObjectId <roleID>#Get info about the role# Get custom roles - use AzureAdPreviewGet-AzureADMSRoleDefinition|?{$_.IsBuiltin-eq$False} | select DisplayName# Users assigned a role (Global Administrator)Get-AzureADDirectoryRole-Filter "DisplayName eq 'Global Administrator'"|Get-AzureADDirectoryRoleMemberGet-AzureADDirectoryRole-ObjectId <id>| fl# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)Get-AzureADMSScopedRoleMembership-Id <id>| fl *
Az PowerShell
# Get role assignments on the subscriptionGet-AzRoleDefinition# Get Role definitionGet-AzRoleDefinition-Name "Virtual Machine Command Executor"# Get roles of a user or resourceGet-AzRoleAssignment-SignInName test@corp.onmicrosoft.comGet-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
Azure AD
Enumeration
User Enumeration
To enumerate users in Azure AD, you can use the following methods:
1. Azure AD Graph API
You can use the Azure AD Graph API to retrieve information about users in Azure AD. The API provides various endpoints to query user data.
To enumerate users using the Azure AD Graph API, you can send a GET request to the following endpoint:
Replace {tenant_id} with the ID of the Azure AD tenant you want to enumerate users from.
2. Microsoft Graph API
The Microsoft Graph API is the recommended API for accessing Azure AD resources, including user data. It provides a unified endpoint to access various Microsoft cloud services, including Azure AD.
To enumerate users using the Microsoft Graph API, you can send a GET request to the following endpoint:
https://graph.microsoft.com/v1.0/users
This will retrieve a list of users in the default Azure AD tenant.
Group Enumeration
To enumerate groups in Azure AD, you can use the following methods:
1. Azure AD Graph API
You can use the Azure AD Graph API to retrieve information about groups in Azure AD. The API provides various endpoints to query group data.
To enumerate groups using the Azure AD Graph API, you can send a GET request to the following endpoint:
Replace {tenant_id} with the ID of the Azure AD tenant you want to enumerate groups from.
2. Microsoft Graph API
To enumerate groups using the Microsoft Graph API, you can send a GET request to the following endpoint:
https://graph.microsoft.com/v1.0/groups
This will retrieve a list of groups in the default Azure AD tenant.
Exploitation
Password Spraying
Password spraying is a technique used to bypass account lockout policies by attempting a small number of passwords against a large number of accounts. This technique is effective against weak passwords and can be used to gain unauthorized access to user accounts.
To perform password spraying against Azure AD, you can use the following tools:
These tools automate the process of password spraying by allowing you to specify a list of usernames and a list of passwords to try against those usernames.
Password Hash Cracking
If you have obtained password hashes from Azure AD, you can attempt to crack them using password cracking tools such as:
These tools support various hash formats and can be used to crack password hashes obtained from Azure AD.
Token Impersonation
Token impersonation is a technique used to impersonate a user by stealing their access token. In Azure AD, access tokens are used to authenticate and authorize requests to various resources.
To perform token impersonation in Azure AD, you can use the following tools:
# Get permissions over a resource using ARM directly$Token = (Get-AzAccessToken).Token$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams =@{Method ='GET'Uri = $URIHeaders =@{'Authorization'="Bearer $Token"}}(Invoke-RestMethod @RequestParams).value
장치
# If you know how to do this send a PR!Azure AD# Enumerate DevicesGet-AzureADDevice -All $true | fl *# List all the active devices (and not the stale devices)Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}# Get owners of all devicesGet-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwnerGet-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}# Registred users of all the devicesGet-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUserGet-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}# Get dives managed using IntuneGet-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}# Get devices owned by a userGet-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com# Get Administrative Units of a deviceGet-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }
장치(VM)가 AzureAD에 가입되어 있으면 AzureAD 사용자가 로그인할 수 있습니다.
또한, 로그인한 사용자가 장치의 소유자인 경우 로컬 관리자가 됩니다.
애플리케이션
앱은 포털의 앱 등록입니다(Enterprise Applications이 아닙니다).
그러나 각 앱 등록은 동일한 이름의 Enterprise Application(서비스 주체)을 생성합니다.
또한, 앱이 멀티 테넌트 앱인 경우 다른 테넌트에 동일한 이름의 Enterprise App(서비스 주체)가 생성됩니다.
앱이 생성되면 2 종류의 권한이 부여됩니다:
서비스 주체에게 부여된 권한
사용자를 대신하여 앱이 가질 수 있는 권한
# List Appsaz ad app listaz ad app list --query "[].[displayName]" -o table# Get info of 1 Appaz ad app show --id 00000000-0000-0000-0000-000000000000# Search App by stringaz ad app list --query "[?contains(displayName,'app')].displayName"# Get the owner of an applicationaz ad app owner list --id <id> --query "[].[displayName]" -o table# List all the apps with an application passwordaz ad app list --query "[?passwordCredentials != null].displayName"# List apps that have key credentials (use of certificate authentication)az ad app list --query "[?keyCredentials != null].displayName"Azure AD# List all registered applicationsGet-AzureADApplication -All $true# Get details of an applicationGet-AzureADApplication -ObjectId <id> | fl *# List all the apps with an application passwordGet-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}# Get owner of an applicationGet-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *Az PowerShell# Get AppsGet-AzADApplication# Get details of one AppGet-AzADApplication -ObjectId <id># Get App searching by stringGet-AzADApplication | ?{$_.DisplayName -match "app"}# Get Apps with passwordGet-AzADAppCredential
AppRoleAssignment.ReadWrite 권한을 가진 앱은 역할을 부여함으로써 Global Admin으로 승격할 수 있습니다.
자세한 내용은 여기를 확인하세요.
애플리케이션이 토큰을 요청할 때 신원을 증명하는 데 사용하는 비밀 문자열은 애플리케이션 비밀번호입니다.
따라서, 이 비밀번호를 찾으면 테넌트 내의 서비스 주체로 액세스할 수 있습니다.
이 비밀번호는 생성될 때만 표시됩니다(변경할 수는 있지만 다시 얻을 수는 없습니다).
애플리케이션의 소유자는 이에 비밀번호를 추가할 수 있습니다(따라서 그를 위장할 수 있습니다).
이러한 서비스 주체로의 로그인은 위험으로 표시되지 않으며 MFA가 없습니다.
애플리케이션은 제3자 테넌트에서 실행될 수 있으며, 사용을 시작하고 액세스 권한을 부여하면 엔터프라이즈 애플리케이션/서비스 주체가 테넌트에 생성되어 필요한 정보에 액세스할 수 있습니다.
관리 단위
사용자 관리를 위해 사용됩니다.
관리 단위는 역할의 권한을 조직의 일부에 제한합니다. 예를 들어, 관리 단위를 사용하여 Helpdesk Administrator 역할을 지역 지원 전문가에게 위임하여 해당 지역의 사용자만 관리할 수 있습니다.
따라서, 관리 단위에 역할을 할당할 수 있으며, 해당 멤버는 이러한 역할을 가집니다.
AzureAD
```powershell # Get Administrative Units Get-AzureADMSAdministrativeUnit Get-AzureADMSAdministrativeUnit -Id # Get ID of admin unit by string $adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'" # List the users, groups, and devices affected by the administrative unit Get-AzureADMSAdministrativeUnitMember -Id # Get the roles users have over the members of the AU Get-AzureADMSScopedRoleMembership -Id | fl #Get role ID and role members ``` ## Azure AD Identity Protection (AIP)
Azure AD Identity Protection (AIP)은 Azure Active Directory의 사용자 ID가 침해되는 것을 방지하기 위해 자동 탐지 및 복구를 사용하는 보안 서비스입니다. AIP는 사용자 로그인 및 ID 구성의 위험을 지속적으로 모니터링하고 평가하여 적절한 보안 조치를 자동으로 적용합니다. 이는 조직이 ID 기반 보안 위반을 방지하는 데 도움이 됩니다.
흐름:
Azure AD Identity Protection은 사용자 활동을 모니터링하고 사용자 로그인, 인증 이벤트 및 기타 관련 활동에 대한 데이터를 수집합니다.
이 서비스는 머신 러닝 알고리즘을 사용하여 이 데이터를 분석하고 잠재적인 보안 위협을 감지합니다.
Azure AD Identity Protection은 위협에 대한 위험 수준을 할당하고 필요한 경우 자동 조치를 수행하기 위해 경고를 생성합니다.
Azure AD Password Protection (APP)
Azure AD Password Protection (APP)은 Azure Active Directory에서 강력한 암호 정책을 강제로 적용하여 약한 암호를 방지하는 보안 기능입니다. APP은 일반적으로 사용되는 약한 암호 및 그 변형을 차단하여 암호 관련 위반의 위험을 줄입니다. 이는 클라우드 수준 및 온프레미스 Active Directory에서 모두 적용될 수 있으며 조직 전체의 암호 보안을 향상시킵니다.