Unauthenticated Recon

Attacking

Goals an outsider wants to enumerate:

• User login information

• Resources that exist

• Desktop SSO Info

• Domain names

• Tenant names and information

Enumeration focuses on exposed APIs and public DNS suffixes assigned by Microsoft.

Just looking: Azure Active Directory reconnaissance as an outsideraadinternals.com

Public APIs to enumerate

List of publically exposed APIs

API	Information	AADInternals function
login.microsoftonline.com/<domain>/.well-known/openid-configuration	Login information, including tenant ID	Get-AADIntTenantID -Domain <domain>
autodiscover-s.outlook.com/autodiscover/autodiscover.svc	All domains of the tenant	Get-AADIntTenantDomains -Domain <domain>
login.microsoftonline.com/GetUserRealm.srf?login=<UserName>	Login information of the tenant, including tenant Name and domain authentication type	Get-AADIntLoginInformation -UserName <UserName>
login.microsoftonline.com/common/GetCredentialType	Login information, including Desktop SSO information	Get-AADIntLoginInformation -UserName <UserName>

DNS Suffixes

Reference list of Azure domainsMicrosoftLearn

Non-Comprehensive list of Azure domains

Determine if company is using AzureAD

Visit the following URL and replace DOMAIN with domain name.

https://login.microsoftonline.com/getuserrealm.srf?login=username@DOMAIN.onmicrosoft.com&xml=1

Using AzureAD

Not using AzureAD

Enumerate Commands

#Enumerate Usernames with list
Get-Content .\users.txt. | Invoke-AADIntUserEnumerationAsOutsider -Method Normal

Tenant ID is public information.

AzureAD Attack Tools

Awesome Azure Pentest

GitHub - Kyuu-Ji/Awesome-Azure-Pentest: A collection of resources, tools and more for penetration testing and securing Microsofts cloud platform Azure.GitHub

Cloud-Azure PayloadsAllTheThings

PayloadsAllTheThings/Methodology and Resources/Cloud - Azure Pentest.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

AADInternals by @DrAzureAD

https://o365blog.com/aadinternals/o365blog.com

MicroBurst (NetSPI)

GitHub - NetSPI/MicroBurst: A collection of scripts for assessing Microsoft Azure securityGitHub

BlobHunter (CyberArk)

GitHub - cyberark/BlobHunter: Find exposed data in Azure with this public blob scannerGitHub

Cloud Enum

GitHub - initstring/cloud_enum: Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.GitHub

MFASweep

GitHub - dafthack/MFASweep: A tool for checking if MFA is enabled on multiple Microsoft ServicesGitHub

O365Recon

GitHub - nyxgeek/o365recon: retrieve information via O365 and AzureAD with a valid credGitHub

AzureHound

GitHub - SpecterOps/AzureHound: Azure Data Exporter for BloodHoundGitHub

Custom Bloodhound Queries for Azure

GitHub - hausec/Bloodhound-Custom-Queries: Custom Query list for the Bloodhound GUI based off my cheatsheetGitHub

Detecting/Defending

Is and Isn't detected

• IS NOT LOGGED

  • DNS Queries are not logged in Azure.

  • API and Tenant ID queries won't be logged.

• IS LOGGED

  • Account sign-in attempts.

Logging Location

Sign-in activity is recorded in

Active Directory/Entra ID > Monitoring > Sign-in logs