Owlglass

Pentest - Azure AD

Basic Recon

Detect M365 usage: https://login.microsoftonline.com/getuserrealm.srf?login=test@acmecorp.com&xml=1 Tenant ID: https://login.microsoftonline.com/<target domain>/v2.0/.well-known/openid-configuration User enumeration: https://login.Microsoft.com/common/oauth2/token Detect invalid users while password spraying with: MSOLSpray Enumerate users via OneDrive: onedrive_user_enum Data in public Azure blobs:

  • storage-acct-name.blob.core.windows.net
  • storage-acct-name.file.core.windows.net
  • storage-acct-name.table.core.windows.net
  • storage-acct-name.queue.core.windows.net

Cloud_enum - Chris Moberly clound_enum Azure Smart Lockout - protection from pw spray; bypass with FireProx + MSOLSpray fireprox

Authentication

  • Forms of auth: Password hash synchronization; pass through authentication; Active Directory Federation Services (ADFS); certificate-based auth; conditional access policies; long-term access tokens; legacy authentication portals
  • If CAP applies to Device Platforms, it only reads user-agent string - easily spoofed
  • Find gaps in CAP - dafthack/MFASweep

User Account Enumeration

chronlund

Password Spray Attacks with PowerShell

chronlund

Conditional Access as Code

chronlund

Breach Response

chronlund

PIM Roles - PowerShell

chronlund

CAP - Priv Workstation for GA

chronlund

Tenant Enum with B2B guest accounts

chronlund

Mapping Tenant

chronlund

Attack CAP

chronlund

365 Data Exfil

chronlund

Incident Response

hunters

Protect Identities

cloudcoffee

Risky User Report

office365itpros

Create Backdoor in AAD

aadinternals

AADInternals PowerShell module:

module

Tokens

Microsoft - Protecting Tokens

Token Theft - Red Team (TrustedSec)

pwnauth

AlteredSecurity-365Stealer

github

trustedsec

Token Tactics: github

Skeleton Key

varonis

AD Connect

sygnia

Azure MFA Bypass

oasis

DC Toolbox

Chronlund

Graphrunner: https://github.com/dafthack/GraphRunner