AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1526 | Cloud Service Discovery | AADInternals can enumerate information about a variety of cloud services, such as Office 365 and SharePoint instances or OpenID Configurations.[2] |
| Enterprise | T1651 | Cloud Administration Command | AADInternals can execute commands on Azure virtual machines using the VM agent.[3] |
| Enterprise | T1530 | Data from Cloud Storage | AADInternals can collect files from a user's OneDrive.[4] |
| Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate.[2] |
| Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | AADInternals can send phishing emails containing malicious links designed to collect users' credentials.[2] |
| Enterprise | T1112 | Modify Registry | AADInternals can modify registry keys as part of setting a new pass-through authentication agent.[2] |
| Enterprise | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | The AADInternals |
| Enterprise | T1556.007 | Modify Authentication Process: Hybrid Identity | AADInternals can inject a malicious DLL ( |
| Enterprise | T1136.003 | Create Account: Cloud Account | AADInternals can create new Azure AD users.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AADInternals is written and executed via PowerShell.[2] |
| Enterprise | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | AADInternals can create a backdoor by converting a domain to a federated domain, which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.[2][6] |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | AADInternals can dump secrets from the Local Security Authority.[2] |
| Enterprise | T1590.001 | Gather Victim Network Information: Domain Properties | AADInternals can gather information about a tenant's domains using public Microsoft APIs.[2][7] |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | AADInternals can check for the existence of user email addresses using public Microsoft APIs.[2][7] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | AADInternals can directly download cloud user data such as OneDrive files.[2] |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[2] |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.[2] |
| Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | AADInternals can enumerate Azure AD groups.[2] |
| Enterprise | T1528 | Steal Application Access Token | AADInternals can steal users' access tokens via phishing emails containing malicious links.[2] |
| Enterprise | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.[2] |
| Enterprise | T1649 | Steal or Forge Authentication Certificates | AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.[2] |
| Enterprise | T1087.004 | Account Discovery: Cloud Account | AADInternals can enumerate Azure AD users.[2] |
| Enterprise | T1098.005 | Account Manipulation: Device Registration | AADInternals can register a device to Azure AD.[2] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | AADInternals can send "consent phishing" emails containing malicious links designed to steal users' access tokens.[2] |