# Authenticated Recon ## Automation ### o365Recon Automate all of the below commands with o365Recon. {% embed url="" %} ```powershell #Recon Import-Module MSOnline Import-Module AzureAD .\o365recon.ps1 -azure ```

### AzureBloodHound Visualize recon. {% embed url="" %}

Custom queries for Azure are helpful. {% embed url="" %} ## AADInternals {% embed url="" %} ```powershell #Login to azure Install-Module AADInternals Import-Module AADInternals Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache asd@vk1zm.onmicrosoft.com ``` ### Subscriptions ```powershell # Get all subscriptions of the current tenant Get-AADIntAzureSubscriptions ```

### SharePoint ```powershell #Sharepoint Enumeration Get-AADIntSPOServiceInformation ```

### Service Principals

#Drilldown into Service Principals
Get-ADIntServicePrincipals > doc.txt
Get-ADIntServicePrincipals -ClientIDs <AppPrincipalID>

### Conditional Access Policies

Conditional Access Policies are stored and displayed as JSON.

#Display info for Conditional Access Policies
Get-ADIntConditionalAccessPolicies

Policy named geolocation that enables MFA for all users.

### MFASweep/Conditional Access Policies {% embed url="" %} Uses APIs to see if a user can authenticate or is blocked by Access Policies.

#Check to see if user can login to any resource or is blocked
Import-Module .\MFASweep.ps1
Invoke-MFASweep -Username USERNAME@DOMAIN.onmicrosoft.com -Password 'PASSWORD'

##Each individual module can be run separately if needed as well.##

#Microsoft Graph API
Invoke-GraphAPIAuth -Username targetuser@targetdomain.com -Password Winter2020 

#Azure Service Management API
Invoke-AzureManagementAPIAuth -Username targetuser@targetdomain.com -Password Winter2020 

#Microsoft 365 Exchange Web Services
Invoke-EWSAuth -Username targetuser@targetdomain.com -Password Winter2020 

#Microsoft 365 Web Portal
Invoke-O365WebPortalAuth -Username targetuser@targetdomain.com -Password Winter2020 

#Microsoft 365 Web Portal w/ Mobile User Agent
Invoke-O365WebPortalAuthMobile -Username targetuser@targetdomain.com -Password Winter2020 

#Microsoft 365 Active Sync
Invoke-O365ActiveSyncAuth -Username targetuser@targetdomain.com -Password Winter2020 

#ADFS
Invoke-ADFSAuth -Username targetuser@targetdomain.com -Password Winter2020

### Unified Audit Log Settings Important to know what traces your leaving behind for defense evasion.

#Saves Access Token
Get-ADIntAccessTokenForEXO -SaveToCache

#Shows UAL Settings
Get-ADIntUnifiedAuditLogSettings | Select Unified

### Enumerate Users Obtaining detailed information on a user can help identify their location for Conditional Access Policy bypasses. ```powershell #Enumerate all users Get-ADDIntUsers | Select UserPrincipalName, ObjectID, ImmuatableID #Drilldown into user Get-ADDIntUsers -UserPrincipalName USERNAME ```

Get-ADDIntUsers | Select UserPrincipalName, ObjectID, ImmuatableID

### Enumerating Administrators ```powershell #List Global Admins Get-AADIntGlocalAdmins #Recon $results = Invoke-AADIntReconAsInsider #Select specific groups from recon output $results.roleInformation | Where Memebers -ne $null | select Name.Members ```

### Enumerating Sync Account ```powershell #Get Sync account Get-AADIntSyncConfiguration ```

## Detect * API calls are not logged within Azure, so AADInternals will not detected. * Azure Sign-Ins are logged but difficult to baseline.

* Application header can be forged, so it is unreliable to baseline. Below is a list of Application IDs and their name used for sign-ins. {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://nk0.gitbook.io/dfir/enterprise-architecture/the-cloud/azure/attacking-azure/initial-access/authenticated-recon.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.