Az - AzureAD (AAD)
Basic Information
Azure Active Directory (Azure AD) is Microsoft's cloud-based service for identity and access management. It is essential for enabling employees to sign in and access resources, both inside and outside the organization, including Microsoft 365, the Azure portal, and many SaaS applications. The design of Azure AD focuses on delivering essential identity services, including authentication, authorization, and user management.
Key features of Azure AD include multi-factor authentication and conditional access, together with seamless integration with other Microsoft security services. These features significantly increase the security of user identities and enable organizations to implement and enforce their access policies effectively. As a fundamental component of Microsoft's cloud services ecosystem, Azure AD is pivotal for cloud-based management of user identities.
Entities
Enumeration
For this enumeration you can use the az cli tool, the PowerShell module AzureAD (or AzureAD Preview) and the Az PowerShell module.
On Linux you will need to install PowerShell Core:
Module differences
AzureAD is a PowerShell module from Microsoft for managing Azure AD. It does not show all the properties of Azure AD objects and cannot be used to access Azure resource information.
Az PowerShell is a module for managing Azure resources from the PowerShell command line.
Connection
Typically, you can use Az PowerShell to work with Azure AD. You can do things such as adding, updating, or deleting users, groups, and other Azure AD objects. You can also manage user permissions and much more.
When you log in to Azure via CLI with any program, you are using an Azure Application from a tenant that belongs to Microsoft. These applications, like the ones you can create in your own account, have a client id. You won't be able to see all of them in the lists of allowed applications shown in the console, but they are allowed by default.
For example, a PowerShell script uses an app with client id 1950a258-227b-4e31-a9cf-717495945fc2. Even if the app does not appear in the console, a sysadmin could block that application so that users cannot get access using tools that connect via that app.
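A defender can look for this client id in exported Azure AD sign-in logs before deciding whether to block it. The following is an added example, not code from the original page: it counts sign-ins made through watched client ids by users outside an allowlist. The log records are constructed, the field names follow the Microsoft Graph signIn resource, and the allowlist is a hypothetical input.

```python
import json
from collections import defaultdict

# Client id quoted on this page for the PowerShell example.
WATCHED_APP_IDS = {"1950a258-227b-4e31-a9cf-717495945fc2"}

# Constructed sample sign-in records (one JSON object per line).
SAMPLE_LOG = """\
{"userPrincipalName":"admin@contoso.example","appId":"1950a258-227b-4e31-a9cf-717495945fc2","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"userPrincipalName":"alice@contoso.example","appId":"1950a258-227b-4e31-a9cf-717495945fc2","ipAddress":"203.0.113.5","status":{"errorCode":0}}
{"userPrincipalName":"alice@contoso.example","appId":"1950a258-227b-4e31-a9cf-717495945fc2","ipAddress":"203.0.113.9","status":{"errorCode":50126}}
{"userPrincipalName":"bob@contoso.example","appId":"00000000-0000-0000-0000-000000000001","ipAddress":"203.0.113.20","status":{"errorCode":0}}
not json
{"userPrincipalName":"Alice@contoso.example","appId":"1950A258-227B-4E31-A9CF-717495945FC2","ipAddress":"203.0.113.5","status":{"errorCode":0}}
"""


def flag_cli_signins(log_text, watched=WATCHED_APP_IDS, allowed_users=frozenset()):
    """Summarise sign-ins through watched client ids by non-allowlisted users.

    Returns {upn: {"success": n, "failure": n, "ips": [sorted unique IPs]}}.
    """
    hits = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the review
        if not isinstance(rec, dict):
            continue
        # GUIDs and UPNs are case-insensitive, so normalise before comparing.
        if str(rec.get("appId", "")).lower() not in watched:
            continue
        upn = str(rec.get("userPrincipalName", "")).lower()
        if upn in allowed_users:
            continue
        succeeded = (rec.get("status") or {}).get("errorCode") == 0
        entry = hits[upn]
        entry["success" if succeeded else "failure"] += 1
        if rec.get("ipAddress"):
            entry["ips"].add(rec["ipAddress"])
    return {u: {**e, "ips": sorted(e["ips"])} for u, e in hits.items()}


if __name__ == "__main__":
    # Hypothetical allowlist: accounts expected to use the PowerShell client.
    report = flag_cli_signins(SAMPLE_LOG, allowed_users={"admin@contoso.example"})
    for user, summary in report.items():
        print(user, summary)
```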
However, there are other client-ids of applications that will allow you to connect to Azure:
Users
Azure AD
Enumeration
User Enumeration: Use the Graph API to enumerate users in the Azure AD tenant.
Group Enumeration: Use the Graph API to enumerate groups in the Azure AD tenant.
Application Enumeration: Use the Graph API to enumerate applications registered in the Azure AD tenant.
Service Principal Enumeration: Use the Graph API to enumerate service principals in the Azure AD tenant.
Device Enumeration: Use the Graph API to enumerate devices registered in the Azure AD tenant.
Exploitation
Password Spraying: Perform password spraying attacks against Azure AD accounts.
Phishing: Conduct phishing attacks to steal credentials of Azure AD users.
Brute Force: Perform brute force attacks against Azure AD accounts.
Token Impersonation: Exploit token impersonation vulnerabilities to escalate privileges in Azure AD.
Password Policies: Check for weak password policies in Azure AD.
Persistence
Backdoor Accounts: Create backdoor accounts in Azure AD for persistent access.
Application Consent: Abuse application consent to maintain access to Azure AD resources.
OAuth Token: Steal OAuth tokens to maintain persistent access to Azure AD.
Lateral Movement
Pass-the-Hash: Use pass-the-hash attacks to move laterally within Azure AD.
Pass-the-Ticket: Utilize pass-the-ticket attacks for lateral movement in Azure AD.
Golden Ticket: Forge golden tickets to move laterally within Azure AD.
Silver Ticket: Forge silver tickets to move laterally within Azure AD.
Exfiltration
Data Exfiltration: Exfiltrate sensitive data from Azure AD using various techniques.
Export Data: Export data from Azure AD using the Graph API for further analysis.
Covering Tracks
Audit Logs: Clear or modify audit logs to cover tracks in Azure AD.
Event Deletion: Delete events to hide malicious activities in Azure AD.
Other Techniques
Domain Fronting: Use domain fronting to bypass security controls in Azure AD.
Password Hashes: Steal and crack password hashes from Azure AD for further attacks.
Kerberoasting: Perform Kerberoasting attacks to compromise service accounts in Azure AD.
Az PowerShell
Connect to Azure AD
List all users
List all groups
List all applications
List all service principals
List all devices
List all roles
List all role assignments
List all role definitions
List all domain settings
List all sign-ins
Change User Password
MFA & Conditional Access Policies
It is highly recommended to add MFA to every user. However, some companies will not set it, or might set it through a Conditional Access Policy: the user will be required to use MFA if logging in from a specific location, browser, or under some other condition. These policies, if not configured correctly, might be easy to bypass. Check:
Az - Conditional Access Policies / MFA Bypass
Groups
Azure AD
Enumeration
Get Tenant Info:
az account show
List Subscriptions:
az account list
Set Subscription:
az account set --subscription <SUBSCRIPTION_ID>
List Azure AD Users:
az ad user list
List Azure AD Groups:
az ad group list
List Azure AD Service Principals:
az ad sp list
List Azure AD Applications:
az ad app list
List Azure AD Devices:
az ad device list
Get Azure AD User:
az ad user show --id <USER_ID>
Get Azure AD Group:
az ad group show --group <GROUP_ID>
Get Azure AD Service Principal:
az ad sp show --id <SP_ID>
Get Azure AD Application:
az ad app show --id <APP_ID>
Get Azure AD Device:
az ad device show --id <DEVICE_ID>
Dumping
Dump Azure AD Users:
az ad user list --query "[].{userPrincipalName:userPrincipalName, objectId:objectId}"
Dump Azure AD Groups:
az ad group list --query "[].{displayName:displayName, objectId:objectId}"
Dump Azure AD Service Principals:
az ad sp list --query "[].{displayName:displayName, objectId:objectId}"
Dump Azure AD Applications:
az ad app list --query "[].{displayName:displayName, appId:appId}"
Dump Azure AD Devices:
az ad device list --query "[].{displayName:displayName}"
Brute Force
Brute Force Azure AD Account:
az ad user list --query "[].userPrincipalName" --output tsv | xargs -I % az ad user get-member-groups --upn %
Privilege Escalation
Add User to Azure AD Group:
az ad group member add --group <GROUP_ID> --member-id <USER_ID>
Add User to Azure AD Role:
az role assignment create --assignee <USER_ID> --role <ROLE_NAME> --scope /
Add User to Azure AD Application:
az ad app owner add --id <APP_ID> --owner-object-id <USER_ID>
Persistence
Create Azure AD Application:
az ad app create --display-name <APP_NAME> --homepage <URL> --identifier-uris <URI>
Create Azure AD Service Principal:
az ad sp create --id <APP_ID>
Create Azure AD Group:
az ad group create --display-name <GROUP_NAME>
Lateral Movement
List Azure AD Group Members:
az ad group member list --group <GROUP_ID>
List Azure AD Group Owners:
az ad group owner list --group <GROUP_ID>
List Azure AD Group Memberships:
az ad user get-member-groups --upn <USER_PRINCIPAL_NAME>
Exfiltration
Export Azure AD Users:
az ad user list --query "[].{userPrincipalName:userPrincipalName, objectId:objectId}" --output table
Export Azure AD Groups:
az ad group list --query "[].{displayName:displayName, objectId:objectId}" --output table
Export Azure AD Service Principals:
az ad sp list --query "[].{displayName:displayName, objectId:objectId}" --output table
Export Azure AD Applications:
az ad app list --query "[].{displayName:displayName, appId:appId}" --output table
Export Azure AD Devices:
az ad device list --query "[].{displayName:displayName}" --output table
```powershell
# Enumerate groups
Get-AzureADGroup -All $true

# Get info of one group (replace the placeholder with the group's display name)
Get-AzADGroup -DisplayName <GROUP_NAME> | fl

# Get "admin" groups
Get-AzureADGroup -SearchString "admin" | fl # Groups starting with "admin"
Get-AzureADGroup -All $true | ?{$_.Displayname -match "admin"} # Groups with the word "admin"

# Get groups allowing dynamic membership
Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}

# All groups that are from Azure AD
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -eq $null}

# All groups that are synced from on-prem (note that security groups are not synced)
Get-AzureADGroup -All $true | ?{$_.OnPremisesSecurityIdentifier -ne $null}

# Get members of a group (replace the placeholder with the group's object id)
Get-AzureADGroupMember -ObjectId <GROUP_ID>

# Get roles of a group
Get-AzureADMSGroup -SearchString "Contoso_Helpdesk_Administrators" # Get group id
Get-AzureADMSRoleAssignment -Filter "principalId eq '69584002-b4d1-4055-9c94-320542efd653'"

# Get Administrative Units of a group
$groupObj = Get-AzureADGroup -Filter "displayname eq 'TestGroup'"
Get-AzureADMSAdministrativeUnit | where { Get-AzureADMSAdministrativeUnitMember -Id $_.Id | where {$_.Id -eq $groupObj.ObjectId} }
```
Az PowerShell
Connect to Azure AD
List all users
List all groups
List all applications
List all service principals
List all devices
List all role assignments
List all role definitions
List all role assignments for a specific user
List all role assignments for a specific group
List all role assignments for a specific application
List all role assignments for a specific service principal
List all role assignments for a specific device
List all role assignments for a specific resource group
List all role assignments for a specific subscription
List all role assignments for a specific management group
List all role assignments for a specific resource
List all role assignments for a specific role definition
Add user to group
Owners of a group can add new users to the group.
Groups can be dynamic, which basically means that if a user fulfils certain conditions, the user will be added to the group. Of course, if the conditions are based on attributes that a user can control, the user could abuse this feature to get into other groups. Check how to abuse dynamic groups on the following page:
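To review a tenant for this risk, the membership rules of dynamic groups can be audited for attributes that users can influence. The following is an added example, not code from the original page: it parses constructed group objects shaped like Microsoft Graph output and rates each dynamic rule. The set of user-influenced attributes is an assumption to adjust per tenant, and the branch analysis is a heuristic that only splits on top-level `-or`.

```python
import re

# Assumption: attributes a member or an invited guest can influence themselves.
# Illustrative only, not an official list; adjust it for the tenant under review.
USER_INFLUENCED = {"othermails", "mail", "displayname", "userprincipalname"}

# Constructed sample, shaped like Microsoft Graph group objects.
SAMPLE_GROUPS = [
    {"displayName": "Static-Admins", "groupTypes": [], "membershipRule": None},
    {"displayName": "Helpdesk-Auto", "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.department -eq "Helpdesk") -or '
                       '(user.displayName -contains "helpdesk")'},
    {"displayName": "Vendors", "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.otherMails -any (_ -contains "vendor")) -and '
                       '(user.userType -eq "guest")'},
    {"displayName": "Sales", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'user.department -eq "Sales"'},
    {"displayName": "Titles", "groupTypes": ["DynamicMembership"],
     "membershipRule": '(user.jobTitle -eq "a -or user.mail b")'},
]


def split_top_level_or(rule):
    """Split a rule on -or outside parentheses (-and binds tighter than -or)."""
    branches, depth, start = [], 0, 0
    for m in re.finditer(r"\(|\)|-or\b", rule, flags=re.I):
        token = m.group().lower()
        if token == "(":
            depth += 1
        elif token == ")":
            depth -= 1
        elif depth == 0:
            branches.append(rule[start:m.start()])
            start = m.end()
    branches.append(rule[start:])
    return branches


def audit_group(group):
    """Return None, or (severity, influenced attributes) for a dynamic group."""
    if "DynamicMembership" not in (group.get("groupTypes") or []):
        return None
    # Blank out string literals so text inside quotes is never parsed as syntax.
    rule = re.sub(r'"[^"]*"', '""', group.get("membershipRule") or "")
    found, severity = set(), "review"
    for branch in split_top_level_or(rule):
        attrs = {a.lower() for a in re.findall(r"\buser\.(\w+)", branch, flags=re.I)}
        risky = attrs & USER_INFLUENCED
        found |= risky
        if attrs and attrs == risky:
            severity = "high"  # this branch depends only on influenced attributes
    return (severity, sorted(found)) if found else None


def audit(groups):
    """Map group display name to its finding, omitting groups with no finding."""
    return {g["displayName"]: r for g in groups if (r := audit_group(g))}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_GROUPS).items():
        print(name, finding)
```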
Service Principals / Enterprise Applications
Please note that a Service Principal in PowerShell terminology is called Enterprise Applications in the Azure portal (web).
Azure AD
Enumeration
Get Tenant Information
Description: Retrieve information about the Azure AD tenant.
Command:
az account show
Useful for: Understanding the Azure AD tenant configuration.
List Users
Description: List all users in the Azure AD tenant.
Command:
az ad user list
Useful for: Gathering information about users in the Azure AD tenant.
List Groups
Description: List all groups in the Azure AD tenant.
Command:
az ad group list
Useful for: Understanding the group structure in the Azure AD tenant.
List Service Principals
Description: List all service principals in the Azure AD tenant.
Command:
az ad sp list
Useful for: Identifying service principals in the Azure AD tenant.
List Applications
Description: List all applications in the Azure AD tenant.
Command:
az ad app list
Useful for: Understanding the applications registered in the Azure AD tenant.
List Domains
Description: List all domains in the Azure AD tenant.
Command:
az ad domain list
Useful for: Identifying domains associated with the Azure AD tenant.
List Role Assignments
Description: List all role assignments in the Azure AD tenant.
Command:
az role assignment list
Useful for: Understanding the role assignments within the Azure AD tenant.
Exploitation
Brute Force
Description: Attempt to guess user passwords through brute force attacks.
Tools: Hydra, CrackMapExec, etc.
Useful for: Gaining unauthorized access to user accounts.
Password Spraying
Description: Test a few common passwords against multiple accounts to avoid account lockouts.
Tools: SprayingToolkit, etc.
Useful for: Identifying weak passwords in the Azure AD tenant.
Phishing
Description: Trick users into revealing their credentials through fake login pages or emails.
Tools: GoPhish, Evilginx, etc.
Useful for: Stealing user credentials for unauthorized access.
Token Impersonation
Description: Obtain and use a user's token to impersonate that user.
Tools: Rubeus, Impacket, etc.
Useful for: Escalating privileges within the Azure AD tenant.
Password Hash Dumping
Description: Extract password hashes from the Azure AD tenant for offline cracking.
Tools: Mimikatz, secretsdump.py, etc.
Useful for: Cracking passwords and gaining unauthorized access.
Golden Ticket Attack
Description: Forge Kerberos tickets to gain unauthorized access to resources.
Tools: Mimikatz, Kekeo, etc.
Useful for: Persistently accessing resources in the Azure AD tenant.
Pass-the-Ticket Attack
Description: Pass forged Kerberos tickets to access resources without knowing the password.
Tools: Mimikatz, Impacket, etc.
Useful for: Moving laterally within the Azure AD tenant.
DCSync Attack
Description: Simulate a Domain Controller to request password data from the Azure AD.
Tools: Mimikatz, secretsdump.py, etc.
Useful for: Extracting password data for further attacks.
Az PowerShell
Enumerate Azure AD
Install Az PowerShell Module
Connect to Azure AD
List Azure AD Users
List Azure AD Groups
List Azure AD Applications
List Azure AD Service Principals
List Azure AD Devices
List Azure AD Domains
List Azure AD Directory Roles
List Azure AD Directory Role Members
List Azure AD Directory Role Templates
List Azure AD Directory Role Template Members
List Azure AD Directory Role Definitions
List Azure AD Directory Role Definition Members
List Azure AD Directory Role Scope Members
List Azure AD Directory Role Scopes
The owner of a Service Principal can change its password.