Authenticated Recon
Automation
o365Recon
Automate all of the below commands with o365Recon.
#Recon
Import-Module MSOnline
Import-Module AzureAD
.\o365recon.ps1 -azure

AzureBloodHound
Visualize recon.

Custom queries for Azure are helpful.
AADInternals
#Login to Azure
Install-Module AADInternals
Import-Module AADInternals
Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache
# Sign in with the tenant account when prompted (the author used asd@vk1zm.onmicrosoft.com)
Subscriptions
# Get all subscriptions of the current tenant
Get-AADIntAzureSubscriptions

SharePoint
#Sharepoint Enumeration
Get-AADIntSPOServiceInformation

Service Principals
#Drill down into Service Principals
Get-AADIntServicePrincipals > doc.txt
Get-AADIntServicePrincipals -ClientIds <AppPrincipalID>


Conditional Access Policies

Conditional Access Policies are stored and displayed as JSON.
#Display info for Conditional Access Policies
Get-AADIntConditionalAccessPolicies

MFASweep/Conditional Access Policies
Uses APIs to see if a user can authenticate or is blocked by Access Policies.
#Check to see if user can login to any resource or is blocked
Import-Module .\MFASweep.ps1
Invoke-MFASweep -Username USERNAME@DOMAIN.onmicrosoft.com -Password 'PASSWORD'
##Each individual module can be run separately if needed as well.##
#Microsoft Graph API
Invoke-GraphAPIAuth -Username targetuser@targetdomain.com -Password Winter2020
#Azure Service Management API
Invoke-AzureManagementAPIAuth -Username targetuser@targetdomain.com -Password Winter2020
#Microsoft 365 Exchange Web Services
Invoke-EWSAuth -Username targetuser@targetdomain.com -Password Winter2020
#Microsoft 365 Web Portal
Invoke-O365WebPortalAuth -Username targetuser@targetdomain.com -Password Winter2020
#Microsoft 365 Web Portal w/ Mobile User Agent
Invoke-O365WebPortalAuthMobile -Username targetuser@targetdomain.com -Password Winter2020
#Microsoft 365 Active Sync
Invoke-O365ActiveSyncAuth -Username targetuser@targetdomain.com -Password Winter2020
#ADFS
Invoke-ADFSAuth -Username targetuser@targetdomain.com -Password Winter2020

Unified Audit Log Settings
Important to know what traces you're leaving behind for defense evasion.
#Saves Access Token
Get-AADIntAccessTokenForEXO -SaveToCache
#Shows UAL Settings (the property is UnifiedAuditLogIngestionEnabled; the wildcard matches it)
Get-AADIntUnifiedAuditLogSettings | Select Unified*
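The defender-side counterpart of the check above, as an added example that is not part of the original page or of AADInternals: read the Unified Audit Log setting through the ExchangeOnlineManagement module and correct it when ingestion is off. It assumes that module is installed and that the caller holds a role allowed to change audit configuration.

```powershell
# Added example (not from the original page): verify and fix Unified Audit Log ingestion.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# has the Exchange role needed to change audit settings (e.g. Organization Management).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$config = Get-AdminAuditLogConfig

if (-not $config.UnifiedAuditLogIngestionEnabled) {
    # Weak setting: with ingestion off, recon such as the AADInternals and MFASweep
    # commands on this page leaves no Unified Audit Log trail to search later.
    Write-Warning 'Unified Audit Log ingestion is DISABLED for this tenant'

    # Corrected setting: turn ingestion on (can take several hours to take effect).
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Show both audit switches for the change record
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled, AdminAuditLogEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Run this from an admin workstation, not from the same session used for the recon commands; the `Select-Object` at the end is what you would paste into a ticket as evidence that the setting was corrected.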

Enumerate Users
Obtaining detailed information on a user can help identify their location for Conditional Access Policy bypasses.
#Enumerate all users
Get-AADIntUsers | Select UserPrincipalName, ObjectId, ImmutableId
#Drill down into user
Get-AADIntUsers -UserPrincipalName USERNAME


Enumerating Administrators
#List Global Admins
Get-AADIntGlobalAdmins
#Recon
$results = Invoke-AADIntReconAsInsider
#Select specific groups from recon output (roles that actually have members)
$results.roleInformation | Where Members -ne $null | Select Name, Members


Enumerating Sync Account
#Get Sync account
Get-AADIntSyncConfiguration

Detect
API calls are not logged within Azure, so AADInternals will not be detected.
Azure Sign-Ins are logged, but they are difficult to baseline.


The application header in a sign-in can be forged, so it is unreliable as a baseline on its own.
Below is a list of Application IDs and the names used for sign-ins.
Last updated
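Since the application ID alone is a weak signal, the behaviour is the better thing to baseline: MFASweep hits several different resources (Graph, Azure management, EWS, the web portal, ActiveSync, ADFS) with one credential inside a couple of minutes, which a normal user never does. The following is an added example, not part of the original page or of any of the tools it names, that runs that detection logic over sign-in records. The records are constructed sample data shaped like Microsoft Graph `signIn` objects, and every app ID in them is a placeholder GUID; in production you would feed the functions the output of `Get-MgAuditLogSignIn -All` from the Microsoft.Graph.Reports module, or an exported sign-in log.

```powershell
# Added example (not from the original page): flag MFASweep-style authentication sweeps
# in Azure AD sign-in records and build an app-ID baseline from the same data.
# Sample records below are CONSTRUCTED; app IDs are placeholder GUIDs, not real Microsoft app IDs.

function New-SignIn {
    # Builds one record with the field names Microsoft Graph uses for sign-ins
    param($User, $AppId, $AppName, $Client, $Ip, $Time, $ErrorCode = 0)
    [pscustomobject]@{
        userPrincipalName = $User
        appId             = $AppId
        appDisplayName    = $AppName
        clientAppUsed     = $Client
        ipAddress         = $Ip
        createdDateTime   = [datetime]$Time
        errorCode         = $ErrorCode   # 0 = success, otherwise the AAD error code
    }
}

$signIns = @(
    # alice: normal interactive use, one app, one client, hours apart
    (New-SignIn 'alice@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000001' 'Office Web' 'Browser' '203.0.113.10' '2024-01-15T09:00:00Z')
    (New-SignIn 'alice@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000001' 'Office Web' 'Browser' '203.0.113.10' '2024-01-15T13:30:00Z')
    # bob: six different resources from one IP in under two minutes, mixed clients, some blocked (sweep pattern)
    (New-SignIn 'bob@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000011' 'Graph API'      'Mobile Apps and Desktop clients' '198.51.100.7' '2024-01-15T02:10:00Z')
    (New-SignIn 'bob@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000012' 'Azure Mgmt API' 'Mobile Apps and Desktop clients' '198.51.100.7' '2024-01-15T02:10:20Z' 53003)
    (New-SignIn 'bob@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000013' 'EWS'            'Exchange Web Services'           '198.51.100.7' '2024-01-15T02:10:40Z')
    (New-SignIn 'bob@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000014' 'Web Portal'     'Browser'                         '198.51.100.7' '2024-01-15T02:11:00Z' 50076)
    (New-SignIn 'bob@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000014' 'Web Portal'     'Browser'                         '198.51.100.7' '2024-01-15T02:11:15Z')
    (New-SignIn 'bob@contoso.example' 'aaaaaaaa-0000-0000-0000-000000000015' 'ActiveSync'     'Exchange ActiveSync'             '198.51.100.7' '2024-01-15T02:11:40Z')
)

function Find-AuthSweep {
    # Emits one alert per user whose sign-ins touch $MinDistinctApps or more distinct
    # app IDs inside any sliding window of $WindowMinutes.
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,
        [int]$WindowMinutes   = 5,
        [int]$MinDistinctApps = 4
    )
    $SignIns | Group-Object userPrincipalName | ForEach-Object {
        $user   = $_.Name
        $events = @($_.Group | Sort-Object createdDateTime)
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start  = $events[$i].createdDateTime
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($events | Where-Object { $_.createdDateTime -ge $start -and $_.createdDateTime -lt $end })
            $apps   = @($window | Select-Object -ExpandProperty appId -Unique)
            if ($apps.Count -ge $MinDistinctApps) {
                [pscustomobject]@{
                    User            = $user
                    WindowStart     = $start
                    DistinctApps    = $apps.Count
                    DistinctClients = @($window | Select-Object -ExpandProperty clientAppUsed -Unique).Count
                    SourceIPs       = (@($window.ipAddress | Sort-Object -Unique) -join ',')
                    Failures        = @($window | Where-Object errorCode -ne 0).Count
                }
                break   # one alert per user per sweep is enough
            }
        }
    }
}

function Get-AppIdBaseline {
    # Counts sign-ins per app ID and marks IDs outside the tenant's known list.
    # Treat 'Known' as a weak signal only: the app name/ID can be chosen by the client.
    param([object[]]$SignIns, [string[]]$KnownAppIds = @())
    $SignIns | Group-Object appId | ForEach-Object {
        [pscustomobject]@{
            AppId          = $_.Name
            AppDisplayName = $_.Group[0].appDisplayName
            SignIns        = $_.Count
            Known          = ($KnownAppIds -contains $_.Name)
        }
    } | Sort-Object SignIns -Descending
}

# Alerts only on bob: 5 distinct apps, 3 clients, 2 failures, one source IP
Find-AuthSweep -SignIns $signIns | Format-Table -AutoSize
# Baseline: which app IDs appear at all, and which are outside the known list
Get-AppIdBaseline -SignIns $signIns -KnownAppIds @('aaaaaaaa-0000-0000-0000-000000000001') | Format-Table -AutoSize
```

The window and threshold are deliberately parameters: tune `-MinDistinctApps` down if your tenant's users normally touch only one or two resources per session, and correlate the `SourceIPs` column with the named-location definitions in your Conditional Access policies, since a sweep from an IP the policies treat as trusted is the case most worth a closer look.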