AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1087.004 | Account Discovery: Cloud Account | AADInternals can enumerate Azure AD users.[2]
Enterprise | T1098.005 | Account Manipulation: Device Registration | AADInternals can register a device to Azure AD.[2]
Enterprise | T1651 | Cloud Administration Command | AADInternals can execute commands on Azure virtual machines using the VM agent.[3]
Enterprise | T1526 | Cloud Service Discovery | AADInternals can enumerate information about a variety of cloud services, such as Office 365 and SharePoint instances or OpenID configurations.[2]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AADInternals is written in and executed via PowerShell.[2]
Enterprise | T1136.003 | Create Account: Cloud Account | AADInternals can create new Azure AD users.[2]
Enterprise | T1530 | Data from Cloud Storage | AADInternals can collect files from a user's OneDrive.[4]
Enterprise | T1484.002 | Domain or Tenant Policy Modification: Trust Modification | AADInternals can create a backdoor by converting a domain to a federated domain that is then able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.[2][5]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | AADInternals can directly download cloud user data such as OneDrive files.[2]
Enterprise | T1606.002 | Forge Web Credentials: SAML Tokens | AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate.[2]
Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | AADInternals can check for the existence of user email addresses using public Microsoft APIs.[2][6]
Enterprise | T1590.001 | Gather Victim Network Information: Domain Properties | AADInternals can gather information about a tenant's domains using public Microsoft APIs.[2][6]
Enterprise | T1556.006 | Modify Authentication Process: Multi-Factor Authentication | The AADInternals
Enterprise | T1556.007 | Modify Authentication Process: Hybrid Identity | AADInternals can inject a malicious DLL (
Enterprise | T1112 | Modify Registry | AADInternals can modify registry keys as part of setting up a new pass-through authentication agent.[2]
Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | AADInternals can dump secrets from the Local Security Authority.[2]
Enterprise | T1069.003 | Permission Groups Discovery: Cloud Groups | AADInternals can enumerate Azure AD groups.[2]
Enterprise | T1566.002 | Phishing: Spearphishing Link | AADInternals can send "consent phishing" emails containing malicious links designed to steal users' access tokens.[2]
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | AADInternals can send phishing emails containing malicious links designed to collect users' credentials.[2]
Enterprise | T1528 | Steal Application Access Token | AADInternals can steal users' access tokens via phishing emails containing malicious links.[2]
Enterprise | T1649 | Steal or Forge Authentication Certificates | AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.[2]
Enterprise | T1558.002 | Steal or Forge Kerberos Tickets: Silver Ticket | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.[2]
Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[2]
Enterprise | T1552.004 | Unsecured Credentials: Private Keys | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.[2]