AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]

ID: S0677
Type: TOOL
Platforms: Windows, Azure AD, Office 365
Version: 1.2
Created: 01 February 2022
Last Modified: 15 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1087 .004 Account Discovery: Cloud Account

AADInternals can enumerate Azure AD users.[2]

Enterprise T1098 .005 Account Manipulation: Device Registration

AADInternals can register a device to Azure AD.[2]

Enterprise T1651 Cloud Administration Command

AADInternals can execute commands on Azure virtual machines using the VM agent.[3]

Enterprise T1526 Cloud Service Discovery

AADInternals can enumerate information about a variety of cloud services, such as Office 365 and SharePoint instances or OpenID configurations.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

AADInternals is written and executed via PowerShell.[2]

Enterprise T1136 .003 Create Account: Cloud Account

AADInternals can create new Azure AD users.[2]

Enterprise T1530 Data from Cloud Storage

AADInternals can collect files from a user’s OneDrive.[4]

Enterprise T1484 .002 Domain Policy Modification: Domain Trust Modification

AADInternals can create a backdoor by converting a domain to a federated domain, which can then authenticate as any user across the tenant. AADInternals can also modify DesktopSSO information.[2][5]

Enterprise T1048 Exfiltration Over Alternative Protocol

AADInternals can directly download cloud user data such as OneDrive files.[2]

Enterprise T1606 .002 Forge Web Credentials: SAML Tokens

AADInternals can be used to forge SAML tokens using the Active Directory Federation Services (AD FS) token-signing certificate.[2]

Enterprise T1589 .002 Gather Victim Identity Information: Email Addresses

AADInternals can check for the existence of user email addresses using public Microsoft APIs.[2][6]

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

AADInternals can gather information about a tenant’s domains using public Microsoft APIs.[2][6]

Enterprise T1556 .006 Modify Authentication Process: Multi-Factor Authentication

The AADInternals Set-AADIntUserMFA command can be used to disable MFA for a specified user.

Enterprise T1556 .007 Modify Authentication Process: Hybrid Identity

AADInternals can inject a malicious DLL (PTASpy) into the AzureADConnectAuthenticationAgentService to backdoor Azure AD Pass-Through Authentication.[7]

Enterprise T1112 Modify Registry

AADInternals can modify registry keys as part of setting up a new pass-through authentication agent.[2]

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

AADInternals can dump secrets from the Local Security Authority.[2]

Enterprise T1069 .003 Permission Groups Discovery: Cloud Groups

AADInternals can enumerate Azure AD groups.[2]

Enterprise T1566 .002 Phishing: Spearphishing Link

AADInternals can send "consent phishing" emails containing malicious links designed to steal users’ access tokens.[2]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.[2]

Enterprise T1528 Steal Application Access Token

AADInternals can steal users’ access tokens via phishing emails containing malicious links.[2]

Enterprise T1649 Steal or Forge Authentication Certificates

AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.[2]

Enterprise T1558 .002 Steal or Forge Kerberos Tickets: Silver Ticket

AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.[2]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[2]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federation Services (AD FS) servers.[2]

Groups That Use This Software

ID Name References
G0016 APT29 [8]

References