#AADInternals Azure AD & Microsoft 365 kill chain shows how different attacker roles can get access to #AzureAD and #Microsoft365.
Pro tips:
1. Use MFA!
2. Avoid inviting unnecessary guests
3. Minimize # of Global Admins
4. Protect your on-prem servers
Okay, I just read JD's "scientific" paper.
TL;DR "CitizenLab has not shared all evidence publicly, so their research is fake."
According to JD, one needs to be at least a PhD student to be able to "asses" his research. So here we go.
I've been studying @MITREattack Defender (MAD) skills for the last two weeks. I've learned so much about the ATT&CK and passed all three available exams.
I recommend this to all working on #cybersecurity / #informationsecurity.
Big news on the work front! Today is my last day at @Secureworks, and I’d like to thank you for the opportunity to work with such fantastic people to make the world safer!
My journey continues in January with #Microsoft as a Principal Identity Security Researcher. I’ll be working
To celebrate my new #AADInternals blog, I also published an online OSINT tool at
It allows getting tenant information using:
* Tenant ID
* Domain name
* Email/UPN
The domain list includes links to ease the gathering of further information. Enjoy!
Yet another reason to block #AzureAD directory sync soft match. And while you're doing that, block the takeover through hard match too. You DO NOT need those features for anything!
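As an added example (not code from the thread author or from AADInternals), the two sync features named above can be switched off from the tenant's directory synchronization settings with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed and that the signed-in account holds a role allowed to write on-premises directory synchronization settings; the property and cmdlet names are those of the Graph `onPremisesDirectorySynchronization` resource.

```powershell
# Added example, not part of the original thread. Reads the tenant's
# directory synchronization features, turns on the two "block" flags
# (soft match and cloud-object takeover through hard match), writes them
# back and verifies the result. Requires Microsoft.Graph.Identity.DirectoryManagement.

Connect-MgGraph -Scopes 'OnPremDirectorySynchronization.ReadWrite.All'

# A tenant has a single onPremisesDirectorySynchronization object.
$sync = Get-MgDirectoryOnPremiseSynchronization

Write-Host 'Current state:'
Write-Host ('  BlockSoftMatchEnabled                           : {0}' -f $sync.Features.BlockSoftMatchEnabled)
Write-Host ('  BlockCloudObjectTakeoverThroughHardMatchEnabled : {0}' -f $sync.Features.BlockCloudObjectTakeoverThroughHardMatchEnabled)

# Flip only the two flags; every other feature value is written back unchanged.
$features = $sync.Features
$features.BlockSoftMatchEnabled                           = $true
$features.BlockCloudObjectTakeoverThroughHardMatchEnabled = $true

Update-MgDirectoryOnPremiseSynchronization `
    -OnPremisesDirectorySynchronizationId $sync.Id `
    -Features $features

# Re-read the object instead of trusting the request succeeded.
$after = Get-MgDirectoryOnPremiseSynchronization
if (-not ($after.Features.BlockSoftMatchEnabled -and
          $after.Features.BlockCloudObjectTakeoverThroughHardMatchEnabled)) {
    throw 'Sync hardening did not apply; check the role of the signed-in account.'
}
Write-Host 'Soft match and hard-match takeover are now blocked for this tenant.'
```

Enable these after the objects you intend to match between on-prem and cloud have already been matched, since blocking soft match only affects future matching of existing cloud objects; existing synced objects keep working.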
#AzureAD admins, beware: #Cyberattackers can use SMTP matching to obtain privileged access via eligible role assignments. In this post by @SemperisTech Security Researchers Sapir Federovsky and Tomer Nahum, learn how, and how to stop them.
Time to switch off Twitter for Christmas and two-week vacation!
In Jan, if I have 5000 followers, I’ll publish a new version of #AADInternals:
* Export certs of #AzureAD joined PCs 😈
* Join PCs to AAD with fake certs generated with AADInternals 🔥
#blueteam #redteam #infosec
Note to that d*ckhead who has been using to monitor people's Teams availability:
1️⃣ I'm paying for all the computing resources by myself - making over 200k requests in two months is not what the service is made for 🤦♂️
2️⃣ Username requests are now throttled
Just learned that Microsoft decided to add a new log source last month while I was suffering flu:
🔥 #MicrosoftGraphActivityLogs 🔥
This is easily the most important security feature for years!! Hoping to get this in Preview/Production soon so we can catch those baddies faster
Holy s**t. My @NorthSec_io workshop on #AzureAD tokens has been viewed almost nine HUNDRED times in a week 😳
Thank you so much for all the viewers 🙏 For those who haven't seen that yet, the slide deck and link to the stream are available at
Yet another step closer to full vacation mode:
✅ Update
If you give an existing user name, it will now show the user's AAD ObjectId and Teams status (if available) 🔥
Nice way to check whether your favourite MS employee is online 😁
Have fun!
A good reminder that if you allow users to access #Microsoft365 / #AzureAD from un-managed devices, there is nothing under your control that can protect their identities. This includes MFA and FIDO2.
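The usual control for the point above is a Conditional Access policy that requires a managed device. The following is an added example, not code from the thread author: it creates such a policy in report-only mode with the Microsoft Graph PowerShell SDK, so sign-in logs show who would have been blocked before it is enforced. It assumes the Microsoft.Graph.Identity.SignIns module, an account allowed to write Conditional Access policies, and a break-glass account whose object ID is a placeholder you must replace.

```powershell
# Added example, not part of the original thread. Creates a report-only
# Conditional Access policy: all users, all cloud apps, grant access only
# from a compliant (Intune-managed) or Entra hybrid joined device.
# Requires Microsoft.Graph.Identity.SignIns.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Require managed device for all apps (report-only)'
    # Report-only first: evaluate impact in sign-in logs before switching to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            # Placeholder: replace with the object ID(s) of your break-glass account(s).
            excludeUsers = @('<break-glass-account-object-id>')
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        # OR: either a compliant device or a hybrid joined device satisfies the policy.
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host ('Created policy {0} in state {1}' -f $created.Id, $created.State)
```

After reviewing the report-only results, change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`; keep the break-glass exclusion so a misconfiguration cannot lock every admin out.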
I've now completed my Master's studies at @JAMK_fi and will soon graduate as MEng in Cyber Security😎
My thesis "Defending Azure Active Directory: Pass-Through Authentication Attacks and Countermeasures" is published today and is available for download:
Slide deck of my @WEareTROOPERS talk "Dumping NTHashes from Azure AD" available at
TL;DR:
🔹Deploying Azure AD Domain Services (AADDS) makes Azure AD connect to sync legacy credentials (NTHashes) to Azure AD
🔹Credentials are stored in Azure AD in
Finally, a new version of #AADInternals is almost ready to be published! I demoed this already at @WEareTROOPERS / #TROOPERS22 in June, but it took some time to solve a couple of wicked problems.
Stay tuned!
A gentle reminder of two free online tools I'm providing for the community:
🔹 - Openly available information about the given Azure AD (Entra ID) tenant or user
🔹 - One free custom domain for your Azure AD (Entra ID) tenant
Had some fun last weekend with dumping NTHashes from #AzureAD / #EntraID
◾ I can now force AADConnect to use my certificate to encrypt Windows legacy credentials 😈
◾ Forcing full password hash sync on AzureAD Connect syncs all NTHashes encrypted with my certificate 😱
Not a
As requested by the #infosec community, all my talks from 2021 are available at
I've included slide decks for all presentations and recordings when available. Enjoy!
#AADInternals #redteam #blueteam
In my recent blog, I'll show how to exploit PTA vulnerabilities @Secureworks reported last week:
I created scripts that will automatically configure the attacker's PTA server to use the certificate of a compromised PTA agent.
Credits to @_xpn_ & @Cyb3rWard0g
Microsoft just announced a new Azure AD preview feature: "multi-tenant organization"
Looking forward to more content for my "Consequences of Trust in Azure AD" talk 😁
Then to the famous APA formatting. It is indeed hard to follow them, because APA formatting was not used properly. Also, you shouldn't mix APA and footnotes.
To learn how to use APA format, JD could start by reading this quick guide:
The next versions of #AADInternals will include functionality to exploit some of the latest issues I've reported to @msftsecresponse and ruled as "by-design".
Recording & slides of my today's talk "Deep-dive to Azure AD join" at #GlobalAzure 2022 available at
* What happens under-the-hood during AAD Join 🤓
* How to steal device identity 😬
* How to fake device identity 😉
@Secureworks just released a threat analysis regarding flaws our team found in #AzureAD Pass-through Authentication (PTA).
The flaws allow threat actors to:
* Gather credentials
* Login with invalid credentials
* Conduct DoS attacks
1/3
OMG, I received @MVPAward for Enterprise Mobility (Identity and Access)🤯🎉
A BIG thanks @samilaiho for the nomination! The BIGGEST thanks goes to the #infosec community for attending my conference sessions and downloading & using #AADInternals!
#MVPBuzz
Finally, the new #AADInternals version is available at @ThePSGallery and #GitHub 🔥
Highlights:
* Decrypt ESTSAUTHPERSISTENT cookie (thanks @SantasaloJoosua!)
* New Teams functions
* Modify directory synchronisation features
* Get tenant information (resolve tenantid to name)
The analysis and conclusions of the "False Positives" experiment show a lack of basic statistical skills.
For instance, what is the likelihood that a phone of a Catalan politician is similar to the one of a random person from Nigeria? According to JD, 100%.
Thanks to all for the congratulations last week for my new position at Microsoft. I haven't got time to answer all the questions individually, so here are the top three!
1️⃣ No, I can't change the name back to #AzureAD
2⃣ I don't know what happens to #AADInternals development
3⃣
A "good" example of gaining initial access to cloud by using #AADInternals to export Azure AD Connect credentials. To prevent:
▪️ Treat all hybrid components as Tier-0!
▪️ If you have used DirSync for synchronisation, make sure the sync account doesn't have "Global
Found out that #Microsoft #Teams policies are ONLY applied on the client🤦♂️and can be bypassed:
1. Use #AADInternals Teams functions 🔥 (edit and delete messages)
2. Lie to the Teams client😂(bypass messaging, meetings, and cloud storage policies)
👉
🚨 Do NOT blindly copy-paste KQL from the internet: Malicious Kusto query allows attacker to collect access tokens and use them to query information as victims..
And yes, this is by-design 🤦♂️
Introducing new attack vector in Azure environments - Injecting malicious Kusto queries -💡Thanks to @DrAzureAD for brainstorming with me for ingenious attack paths this new vector enables. ✅ thx to @msftsecresponse for verifying my blog post
New version of #AADInternals out now!
* Export Teams and Azure CLI cookies
* Get tenant domain name with tenant id
* Get AD FS relaying trust parties during recon
* Add members to SPO site
Credits to @HarriJaakkonen, @NoUselessTech, and @sapirxfed
Did you know that local admin can export AD FS Hybrid Health Agent secret and create fake Azure AD sign-in events? 😈
Read my blog "Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent" to learn more & how to do it with #AADInternals 🔥
New #AADInternals version out now!
* Updated Teams token export to support the new SQLite db schema
* Added functionality to export Token Broker tokens (credits to @_xpn_)
* Made AADInternals token cache less restrictive to ease using exported tokens
Working on splitting #AADInternals into two modules:
1⃣ AADInternals for the cloud-only functionality
2⃣ AADInternals-Endpoints for all the shady on-prem stuff
Stay tuned!
During the past couple of months I've received a lot of comments that various #AADInternals files have been flagged as malicious:
▪️ PTASpy.ps1 & PTASpy.dll (Trojan)
▪️ Win32Ntv.dll (Backdoor)
▪️ AADInternals.png (Trojan)
All of these files are used to do/access things on local
Good reminder to check whether Seamless SSO is enabled for your tenant (as you probably don't need it anymore)!
The easiest way is to type your domain name to the tool
Woot woot, this week #AADInternals passed the 50k downloads mark at PowerShell Gallery🎉
🙏Thanks to the community for using the tool I've put so much effort into ❤
Wrote a blog with @SravanAkkaram on "Bypassing #AzureAD home tenant #MFA & CA".
TL;DR:
▪ Home tenant admins CAN'T enforce home tenant CA if users login directly to resource tenant
▪ User's tenant information can be viewed by logging in to resource tenant
Secureworks has discovered that stored Microsoft Entra ID NTHashes can be recovered and decrypted & then used in pass-the-hash attacks. Read our latest Threat Analysis to discover how this happens & how to detect it.
#azure #cybersecurity
Confidentiality, availability, and integrity are the three principles of information security. Join my @defcon session today (at 12, Track 4) to learn how to break the integrity of #Microsoft #Teams and #SharePoint using built-in migration feature.
I'll demonstrate how a
So proud I made it to @msftsecresponse MSRC 2022 top 100 Most Valuable Researchers list for the second year in a row! Congratz to all researchers for your great work during the last year!!
Gentle reminder for all #Office365, #Microsoft365, #AzureAD trainers, students, admins, red&blue teamers, hackers, and alike:
You can have a free custom domain for your tenant at
Have fun!
While fixing issues some mother f***er caused by DoS:ing #AADInternals OSINT service, I added new features:
◾ Is tenant using Azure AD Connect cloud sync instead/alongside Azure AD Connect sync
◾ Added tenant brand (used to be tenant name)
◾ Tenant name is now
To celebrate my 12000 Twitter followers 🎉, I decided to publish a blog about an EoP technique I use in #AADInternals 😊
TL;DR: Local admin can run any service as gMSA just by adding gMSA account name to ObjectName property of the service in registry😈
My second #bugbounty ever, again from @msftsecurity. Don't agree with the severity and impact, but glad that this time it was taken seriously after the first submission.
Write-up will follow as soon as the fix is made.
I just pushed a new version of #AADInternals (0.9.4) to github & #PowerShellGallery
Added support for:
▪️ Subregions (commercial, DOD, GCC High)
▪️ Federated sign-in (AD FS only)
▪️ Saving MSGraph tokens directly to "Microsoft Graph PowerShell SDK" cache
Removed:
▪️ PTASpy.ps1 &
#AADInternals is best known for its offensive/red team tools 😈
However, there are also a lot of goodies for day-to-day administration tasks too 🛠️!
Read the blog to learn more 👇
Credits to @12Knocksinna for his self-service purchase article!