Az - AzureAD (AAD)
Basic Information
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is fundamental for allowing employees to sign in and access resources, both inside and outside the organization, covering Microsoft 365, the Azure portal and a multitude of other SaaS applications. The design of Azure AD focuses on providing essential identity services, including authentication, authorization and user management.
Key features of Azure AD include multi-factor authentication and conditional access, together with seamless integration with other Microsoft security services. These features significantly raise the security of user identities and enable organizations to implement and effectively enforce their access policies. As a fundamental component of Microsoft's cloud services ecosystem, Azure AD is essential for cloud-based management of user identities.
Entities
Enumeration
For this enumeration you can use the az cli tool, the AzureAD PowerShell module (or AzureAD Preview) and the Az PowerShell module.
On Linux you will need to install PowerShell Core:
Differences between the modules
AzureAD is a Microsoft PowerShell module for managing Azure AD. It does not show all the properties of Azure AD objects and cannot be used to access information about Azure resources.
Az PowerShell is a module for managing Azure resources from the PowerShell command line.
Connection
When you log in to Azure via the CLI with any program, you are using an Azure Application from a tenant that belongs to Microsoft. These Applications, like the ones you can create in your own account, have a client ID. You will not be able to see all of them in the lists of allowed applications visible in the console, but they are allowed by default.
For example, a PowerShell script that authenticates uses an application with the client ID 1950a258-227b-4e31-a9cf-717495945fc2. Even though the application does not appear in the console, a sysadmin could block that application so that users cannot access the tenant with tools that connect through that Application.
However, there are other application client IDs that will allow you to connect to Azure:
Users
Azure AD
Enumeration
User Enumeration
Azure AD allows anonymous enumeration of users. This can be done using the Graph API or the Azure AD PowerShell module.
Graph API
Azure AD PowerShell Module
Group Enumeration
Similarly, groups can also be enumerated using the Graph API or the Azure AD PowerShell module.
Graph API
Azure AD PowerShell Module
Brute Force
Azure AD does not have any account lockout policy by default, making it susceptible to brute force attacks. Tools like MSOLSpray can be used for brute forcing Azure AD accounts.
Password Spraying
Password spraying attacks can be performed against Azure AD using tools like MSOLSpray or AzureSpray.
Password Policies
Azure AD allows the enforcement of password policies such as complexity requirements and password expiration.
Multi-Factor Authentication Bypass
In some cases, multi-factor authentication (MFA) can be bypassed using techniques like phishing or using legacy authentication protocols that do not support MFA.
Privilege Escalation
Privilege escalation in Azure AD can be achieved by exploiting misconfigurations, weak permissions, or by abusing administrative roles.
Data Exfiltration
Sensitive data stored in Azure AD can be exfiltrated using techniques like OAuth token theft or abusing application permissions.
Persistence
Attackers can establish persistence in Azure AD by creating backdoor accounts, adding malicious service principals, or using compromised credentials.
Azure AD Enumeration
Enumerate Azure AD Users
To list all users in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Groups
To list all groups in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Applications
To list all applications in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Service Principals
To list all service principals in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Devices
To list all devices in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Domains
To list all domains in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Directory Roles
To list all directory roles in Azure AD, you can use the following PowerShell command:
Enumerate Azure AD Directory Role Members
To list all members of a specific directory role in Azure AD, you can use the following PowerShell command:
Replace <DirectoryRoleObjectId> with the actual object ID of the directory role whose members you want to enumerate.
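The enumeration steps above, carried through with the AzureAD module, as an added example that is not code from the original page. It counts each object type and then reports the members of every activated directory role, which is the check an auditor usually wants first (who holds Global Administrator, and whether any of them are service principals). It assumes Connect-AzureAD has already been run with an account that can read the directory; the CSV path is an arbitrary choice.

```powershell
# Added example: inventory the main Azure AD object types and report directory
# role membership with the AzureAD module. Assumes Connect-AzureAD was run first.

# Counts per object type; -All $true avoids the default page-size cap
$inventory = [ordered]@{
    Users             = @(Get-AzureADUser -All $true).Count
    Groups            = @(Get-AzureADGroup -All $true).Count
    Applications      = @(Get-AzureADApplication -All $true).Count
    ServicePrincipals = @(Get-AzureADServicePrincipal -All $true).Count
    Devices           = @(Get-AzureADDevice -All $true).Count
    Domains           = @(Get-AzureADDomain).Count
}
$inventory

# Get-AzureADDirectoryRole only returns roles that have been activated in the
# tenant. Get-AzureADDirectoryRoleMember takes the role's ObjectId, i.e. the
# <DirectoryRoleObjectId> placeholder from the text above.
$roleReport = foreach ($role in Get-AzureADDirectoryRole) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $member.DisplayName
            ObjectType = $member.ObjectType          # User, ServicePrincipal, Group
            Identifier = if ($member.ObjectType -eq 'User') { $member.UserPrincipalName } else { $member.AppId }
        }
    }
}

# Review the highest-impact role first. Service principals holding it deserve a
# second look: they authenticate with secrets or certificates, never with MFA.
$roleReport | Where-Object Role -eq 'Global Administrator' | Format-Table -AutoSize

# Full listing for offline review (path is an arbitrary choice)
$roleReport | Export-Csv -Path .\directory-role-members.csv -NoTypeInformation
```

The `@(...)` wrappers keep `.Count` meaningful when a query returns a single object. Because only activated roles are returned, an empty result for a role name means it has never been assigned in this tenant, not that the query failed.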
Change User Password
MFA and Conditional Access Policies
It is highly recommended to add MFA to every user; however, some companies may not configure it, or may configure it through Conditional Access: the user is only required to use MFA when logging in from a specific location, browser or under some other condition. If these policies are not configured correctly they can be subject to bypasses. Check:
Az - Conditional Access Policies / MFA Bypass
Groups
Azure AD
Enumeration
User Enumeration
User enumeration can be performed by making requests to the /users endpoint. This can reveal a list of users within the Azure AD tenant.
Group Enumeration
Group enumeration can be done by querying the /groups endpoint. This can provide a list of groups within the Azure AD tenant.
Brute Force
Password Spraying
Password spraying attacks can be conducted against the Azure AD authentication endpoint to attempt to gain unauthorized access by trying a few common passwords across many accounts.
Credential Stuffing
Credential stuffing involves using lists of known usernames and passwords obtained from previous data breaches to gain unauthorized access to Azure AD accounts.
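Password spraying and credential stuffing both look alike in the sign-in logs: one source address failing against many different accounts in a short window, which per-account lockout counters do not catch. The following detection logic is an added example, not part of the original page. It runs over constructed sample entries shaped like the Microsoft Graph signIn resource (userPrincipalName, ipAddress, createdDateTime, status.errorCode); in practice you would feed it an export of the tenant's sign-in logs. The thresholds and the failure-code list are assumptions to tune.

```powershell
# Added example: flag password-spray patterns in Azure AD sign-in log entries.
# The JSON below is constructed sample data, not a real tenant's log.
$sampleLog = @'
[
 {"userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","createdDateTime":"2024-03-01T09:00:05Z","status":{"errorCode":50126}},
 {"userPrincipalName":"bob@contoso.example","ipAddress":"203.0.113.10","createdDateTime":"2024-03-01T09:00:09Z","status":{"errorCode":50126}},
 {"userPrincipalName":"carol@contoso.example","ipAddress":"203.0.113.10","createdDateTime":"2024-03-01T09:00:14Z","status":{"errorCode":50126}},
 {"userPrincipalName":"dave@contoso.example","ipAddress":"203.0.113.10","createdDateTime":"2024-03-01T09:00:20Z","status":{"errorCode":50126}},
 {"userPrincipalName":"erin@contoso.example","ipAddress":"203.0.113.10","createdDateTime":"2024-03-01T09:00:27Z","status":{"errorCode":50126}},
 {"userPrincipalName":"erin@contoso.example","ipAddress":"203.0.113.10","createdDateTime":"2024-03-01T09:00:31Z","status":{"errorCode":0}},
 {"userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","createdDateTime":"2024-03-01T09:01:00Z","status":{"errorCode":50126}},
 {"userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","createdDateTime":"2024-03-01T09:01:40Z","status":{"errorCode":0}}
]
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int]   $MinDistinctUsers = 5,               # distinct accounts failing from one IP (assumed threshold)
        [int]   $WindowMinutes    = 10,              # time span those failures must fit in (assumed threshold)
        [int[]] $FailureCodes     = @(50126, 50053)  # invalid username/password, account locked
    )
    $failed = $SignIns | Where-Object { $FailureCodes -contains $_.status.errorCode }
    foreach ($group in ($failed | Group-Object ipAddress)) {
        $times = @($group.Group | ForEach-Object { ([datetime]$_.createdDateTime).ToUniversalTime() } | Sort-Object)
        $span  = $times[-1] - $times[0]
        $users = @($group.Group.userPrincipalName | Sort-Object -Unique)
        if ($users.Count -ge $MinDistinctUsers -and $span.TotalMinutes -le $WindowMinutes) {
            # A success from the same source after the failures is the case to escalate
            $hits = @($SignIns | Where-Object { $_.ipAddress -eq $group.Name -and $_.status.errorCode -eq 0 })
            [pscustomobject]@{
                SourceIp       = $group.Name
                DistinctUsers  = $users.Count
                Failures       = $group.Count
                WindowMinutes  = [math]::Round($span.TotalMinutes, 1)
                SucceededUpns  = @($hits.userPrincipalName | Sort-Object -Unique) -join ','
            }
        }
    }
}

$entries = $sampleLog | ConvertFrom-Json
Find-PasswordSpray -SignIns $entries | Format-Table -AutoSize
```

In the constructed data the first address fails against five accounts within half a minute and then succeeds for one of them, while the second address only retries a single account and therefore stays below the distinct-user threshold. Grouping by source address rather than by account is the point: a spray spreads its attempts thinly enough that no single account looks abnormal.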
Phishing
Phishing attacks can be used to trick users into providing their Azure AD credentials, which can then be used to gain unauthorized access to the Azure AD tenant.
Token Manipulation
Token manipulation techniques can be employed to manipulate tokens obtained from Azure AD to gain unauthorized access or escalate privileges within the Azure AD environment.
Password Policies
Understanding and exploiting weak password policies within Azure AD can help in gaining unauthorized access to user accounts.
Multi-Factor Authentication Bypass
Identifying and exploiting vulnerabilities in the multi-factor authentication implementation in Azure AD can allow an attacker to bypass this additional security measure.
Account Lockout Policies
Understanding and potentially bypassing account lockout policies in Azure AD can help in conducting brute force attacks without getting locked out.
Privilege Escalation
Identifying and exploiting privilege escalation vulnerabilities within Azure AD can help an attacker gain higher levels of access within the environment.
Data Exfiltration
Once access has been gained, data exfiltration techniques can be used to steal sensitive information from the Azure AD environment.
Persistence
Establishing persistence within Azure AD can allow an attacker to maintain access to the environment even after initial access has been revoked.
Detection Evasion
Techniques can be employed to evade detection mechanisms within Azure AD, allowing an attacker to operate stealthily within the environment.
Reporting
Documenting and reporting findings from Azure AD security assessments is essential for providing recommendations to improve the overall security posture of the environment.
Add user to group
Group owners can add new users to the group.
Groups can be dynamic, which basically means that if a user meets certain conditions they are added to the group automatically. Of course, if the conditions are based on attributes that a user can control, they could abuse this feature to get into other groups. Check how to abuse dynamic groups on the following page:
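A defender's counterpart to the dynamic-group issue above is to audit the membership rules themselves for attributes a user might be able to influence. The script below is an added example, not code from the original page. Which profile attributes users can actually edit depends on the tenant's settings and on what Graph permissions they can obtain, so the watch list is an assumption to tune rather than an authoritative list. The tenant-wide scan assumes Connect-AzureAD has been run; the local check on a constructed rule works offline.

```powershell
# Added example: audit dynamic group membership rules for user-influenced attributes.

# Attributes treated as potentially user-influenced (assumption). Matching is by
# prefix, so 'mail' also catches mailNickname and 'extensionAttribute' covers all 15.
$watchedAttributes = @('mobile', 'otherMails', 'mail', 'displayName', 'extensionAttribute')

function Get-UserInfluencedAttributes {
    # Returns the watched attributes referenced by one membership rule string
    param(
        [Parameter(Mandatory)] [string] $Rule,
        [string[]] $Attributes = $watchedAttributes
    )
    $Attributes | Where-Object { $Rule -match "user\.$_" }
}

function Find-RiskyDynamicGroupRules {
    # Only groups whose GroupTypes include DynamicMembership carry a rule
    $dynamicGroups = Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains 'DynamicMembership' -and $_.MembershipRule }
    foreach ($g in $dynamicGroups) {
        $matched = @(Get-UserInfluencedAttributes -Rule $g.MembershipRule)
        if ($matched.Count -gt 0) {
            [pscustomobject]@{
                Group      = $g.DisplayName
                ObjectId   = $g.Id
                Rule       = $g.MembershipRule
                Attributes = $matched -join ','
                Processing = $g.MembershipRuleProcessingState   # 'Paused' rules are not evaluated
            }
        }
    }
}

# Local check on a constructed rule (not from any real tenant): reports 'mobile'
Get-UserInfluencedAttributes -Rule '(user.department -eq "Finance") and (user.mobile -ne null)'

# Tenant-wide scan
Find-RiskyDynamicGroupRules | Format-Table -AutoSize
```

A rule that combines a user-influenced attribute with a static one (as in the constructed example) is still worth reviewing, because the static part is usually also set from data the user supplied at some point in a joiner process.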
Service Principals / Enterprise Applications
Note that what PowerShell terminology calls a Service Principal is called an Enterprise Application in the Azure portal (web).
Azure AD
Enumeration
Users
Enumerate users using the Azure AD Graph API:
Enumerate users using Microsoft Graph API:
Groups
Enumerate groups using the Azure AD Graph API:
Enumerate groups using Microsoft Graph API:
Applications
Enumerate applications using the Azure AD Graph API:
Enumerate applications using Microsoft Graph API:
Exploitation
Password Spraying
Perform password spraying attacks against Azure AD:
Phishing
Conduct phishing campaigns targeting Azure AD users.
Brute Force
Perform brute force attacks against Azure AD authentication endpoints.
Post-Exploitation
Token Extraction
Extract tokens from compromised Azure AD accounts.
Persistence
Establish persistence by creating backdoors in Azure AD configurations.
Data Exfiltration
Exfiltrate sensitive data from Azure AD using various techniques.
AzureAD
Enumerate AzureAD roles
Enumerate AzureAD users
Enumerate AzureAD groups
Enumerate AzureAD group members
Enumerate AzureAD service principals
Enumerate AzureAD applications
Enumerate AzureAD devices
The owner of a Service Principal can change its password.
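Because an owner can add a new credential to a service principal, the owner effectively inherits whatever that service principal is allowed to do. The report below is an added example, not code from the original page: for every tenant-owned service principal that has owners it lists the owners, the current secrets and certificates, and whether the service principal holds a directory role, so that owner-to-privileged-principal paths stand out. It assumes Connect-AzureAD has been run, and it excludes Microsoft first-party service principals on the assumption that their owners are not managed in this tenant.

```powershell
# Added example: service principal owner and credential report with the AzureAD module.

$tenantId = (Get-AzureADTenantDetail).ObjectId

# Map service principal ObjectId -> directory role name for every activated role
$privilegedSpIds = @{}
foreach ($role in Get-AzureADDirectoryRole) {
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object ObjectType -eq 'ServicePrincipal' |
        ForEach-Object { $privilegedSpIds[$_.ObjectId] = $role.DisplayName }
}

function Get-ServicePrincipalOwnerReport {
    # Tenant-owned application principals only (managed identities have no owners
    # in this sense, and first-party Microsoft apps belong to another tenant)
    $sps = Get-AzureADServicePrincipal -All $true |
        Where-Object { $_.ServicePrincipalType -eq 'Application' -and $_.AppOwnerTenantId -eq $tenantId }
    foreach ($sp in $sps) {
        $owners = @(Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId)
        if ($owners.Count -eq 0) { continue }
        $secrets = @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId)
        $certs   = @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            AppId            = $sp.AppId
            Owners           = @($owners | ForEach-Object {
                                   if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                               }) -join ','
            Secrets          = $secrets.Count
            Certificates     = $certs.Count
            NextExpiry       = @($secrets + $certs | Select-Object -ExpandProperty EndDate | Sort-Object)[0]
            DirectoryRole    = $privilegedSpIds[$sp.ObjectId]   # $null when the SP holds no role
        }
    }
}

$report = Get-ServicePrincipalOwnerReport

# Owned service principals that also hold a directory role are reviewed first
$report | Where-Object DirectoryRole | Format-Table -AutoSize

# Everything else for offline review (path is an arbitrary choice)
$report | Export-Csv -Path .\sp-owners.csv -NoTypeInformation
```

Directory roles are only one way a service principal can be powerful; application permissions granted to it (for example on Microsoft Graph) are the other, so treat the DirectoryRole column as a first filter rather than the complete picture.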