S0677 AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory (now Microsoft Entra ID). The tool is publicly available on GitHub.[3][2]
| Item | Value | 
|---|---|
| ID | S0677 | 
| Associated Names | |
| Type | TOOL | 
| Version | 1.2 | 
| Created | 01 February 2022 | 
| Last Modified | 15 April 2023 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - | 
| enterprise | T1087.004 | Cloud Account | AADInternals can enumerate Azure AD users.[2] | 
| enterprise | T1098 | Account Manipulation | - | 
| enterprise | T1098.005 | Device Registration | AADInternals can register a device to Azure AD.[2] | 
| enterprise | T1651 | Cloud Administration Command | AADInternals can execute commands on Azure virtual machines using the VM agent.[6] | 
| enterprise | T1526 | Cloud Service Discovery | AADInternals can enumerate information about a variety of cloud services, such as Office 365 and SharePoint instances or OpenID configurations.[2] | 
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.001 | PowerShell | AADInternals is written in and executed via PowerShell.[2] | 
| enterprise | T1136 | Create Account | - | 
| enterprise | T1136.003 | Cloud Account | AADInternals can create new Azure AD users.[2] | 
| enterprise | T1484 | Domain Policy Modification | - | 
| enterprise | T1484.002 | Domain Trust Modification | AADInternals can create a backdoor by converting a domain to a federated domain, which lets the attacker authenticate as any user in the tenant. AADInternals can also modify DesktopSSO information.[2][5] | 
| enterprise | T1048 | Exfiltration Over Alternative Protocol | AADInternals can directly download cloud user data such as OneDrive files.[2] | 
| enterprise | T1606 | Forge Web Credentials | - | 
| enterprise | T1606.002 | SAML Tokens | AADInternals can be used to create SAML tokens using the Active Directory Federation Services (AD FS) token-signing certificate.[2] | 
| enterprise | T1589 | Gather Victim Identity Information | - | 
| enterprise | T1589.002 | Email Addresses | AADInternals can check for the existence of user email addresses using public Microsoft APIs.[2][7] | 
| enterprise | T1590 | Gather Victim Network Information | - | 
| enterprise | T1590.001 | Domain Properties | AADInternals can gather information about a tenant's domains using public Microsoft APIs.[2][7] | 
| enterprise | T1556 | Modify Authentication Process | - | 
| enterprise | T1556.006 | Multi-Factor Authentication | The AADInternals Set-AADIntUserMFA command can be used to disable MFA for a specified user. | 
| enterprise | T1556.007 | Hybrid Identity | AADInternals can inject a malicious DLL (PTASpy) into the AzureADConnectAuthenticationAgentService to backdoor Azure AD Pass-Through Authentication.[4] | 
| enterprise | T1112 | Modify Registry | AADInternals can modify registry keys as part of setting up a new pass-through authentication agent.[2] | 
| enterprise | T1003 | OS Credential Dumping | - | 
| enterprise | T1003.004 | LSA Secrets | AADInternals can dump secrets from the Local Security Authority.[2] | 
| enterprise | T1069 | Permission Groups Discovery | - | 
| enterprise | T1069.003 | Cloud Groups | AADInternals can enumerate Azure AD groups.[2] | 
| enterprise | T1566 | Phishing | - | 
| enterprise | T1566.002 | Spearphishing Link | AADInternals can send "consent phishing" emails containing malicious links designed to steal users' access tokens.[2] | 
| enterprise | T1598 | Phishing for Information | - | 
| enterprise | T1598.003 | Spearphishing Link | AADInternals can send phishing emails containing malicious links designed to collect users' credentials.[2] | 
| enterprise | T1528 | Steal Application Access Token | AADInternals can steal users' access tokens via phishing emails containing malicious links.[2] | 
| enterprise | T1649 | Steal or Forge Authentication Certificates | AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.[2] | 
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - | 
| enterprise | T1558.002 | Silver Ticket | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.[2] | 
| enterprise | T1552 | Unsecured Credentials | - | 
| enterprise | T1552.001 | Credentials In Files | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[2] | 
| enterprise | T1552.004 | Private Keys | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federation Services (AD FS) servers.[2] | 
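Several rows above (T1484.002 federation changes, T1556.006 MFA removal, T1098.005 device registration, T1136.003 account creation) leave entries in the Azure AD / Entra ID directory audit log. The following is an added example, not AADInternals code and not part of the ATT&CK entry: it runs a small rule set over audit records and maps each hit back to the technique row on this page. The activityDisplayName strings are the standard directory audit names; the mapping to technique IDs, the StrongAuthenticationRequirement heuristic for per-user MFA, and every sample record are this example's own assumptions.

```python
"""Flag directory audit records that match the AADInternals technique rows above.

Added example for this page (not AADInternals code). Activity names are the
standard Azure AD / Entra ID directory audit names; the technique mapping, the
per-user MFA heuristic and the sample records are this example's own.
"""
import json
from collections import Counter

# Audit activity name -> technique row on this page (mapping is an assumption).
WATCHED_ACTIVITIES = {
    "Set domain authentication": "T1484.002",          # managed -> federated
    "Set federation settings on domain": "T1484.002",  # issuer / signing cert changed
    "Disable Strong Authentication": "T1556.006",      # per-user MFA removed
    "Register device": "T1098.005",                    # device registration
    "Add user": "T1136.003",                           # new cloud account
}

# Constructed sample export (not real tenant data), reduced to the fields used.
SAMPLE_AUDIT_LOG = json.loads(r"""[
 {"activityDateTime": "2023-04-01T10:02:11Z", "activityDisplayName": "Set domain authentication", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example", "type": "Domain", "modifiedProperties": []}]},
 {"activityDateTime": "2023-04-01T10:02:13Z", "activityDisplayName": "Set federation settings on domain", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example", "type": "Domain", "modifiedProperties": []}]},
 {"activityDateTime": "2023-04-01T10:05:40Z", "activityDisplayName": "Update user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "alice@contoso.example", "type": "User", "modifiedProperties": [
    {"displayName": "StrongAuthenticationRequirement", "oldValue": "[{\"RelyingParty\":\"*\",\"State\":1}]", "newValue": "[]"}]}]},
 {"activityDateTime": "2023-04-01T10:06:02Z", "activityDisplayName": "Update user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
  "targetResources": [{"displayName": "bob@contoso.example", "type": "User", "modifiedProperties": [
    {"displayName": "DisplayName", "oldValue": "\"Bob\"", "newValue": "\"Robert\""}]}]},
 {"activityDateTime": "2023-04-01T10:07:19Z", "activityDisplayName": "Register device", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
  "targetResources": [{"displayName": "DESKTOP-AADINT", "type": "Device", "modifiedProperties": []}]},
 {"activityDateTime": "2023-04-01T10:08:00Z", "activityDisplayName": "Add member to group", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
  "targetResources": [{"displayName": "bob@contoso.example", "type": "User", "modifiedProperties": []}]},
 {"activityDateTime": "2023-04-01T10:09:31Z", "activityDisplayName": "Add user", "result": "success",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "svc-backup@contoso.example", "type": "User", "modifiedProperties": []}]},
 {"activityDateTime": "2023-04-01T10:10:05Z", "activityDisplayName": "Set domain authentication", "result": "failure",
  "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example", "type": "Domain", "modifiedProperties": []}]}
]""")


def _json_or_raw(value):
    """modifiedProperties values are JSON-encoded strings; decode when possible."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _mfa_cleared(rec):
    """Heuristic (assumption): StrongAuthenticationRequirement going from a
    non-empty list to an empty one means per-user MFA was switched off."""
    for target in rec.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "StrongAuthenticationRequirement":
                old = _json_or_raw(prop.get("oldValue"))
                new = _json_or_raw(prop.get("newValue"))
                if old and not new:
                    return True
    return False


def _actor(rec):
    """Actor UPN for user-initiated changes, app display name for app-initiated ones."""
    who = rec.get("initiatedBy") or {}
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def detect(records):
    """Return one finding per successful record that maps to a watched technique."""
    findings = []
    for rec in records:
        if rec.get("result") != "success":  # failed attempts are out of scope for this rule set
            continue
        activity = rec.get("activityDisplayName", "")
        technique = WATCHED_ACTIVITIES.get(activity)
        if technique is None and activity == "Update user" and _mfa_cleared(rec):
            technique = "T1556.006"
        if technique is None:
            continue
        findings.append({
            "time": rec.get("activityDateTime"),
            "technique": technique,
            "activity": activity,
            "actor": _actor(rec),
            "targets": [t.get("displayName", "?") for t in rec.get("targetResources", [])],
        })
    return findings


def summarize(findings):
    """Count findings per technique ID."""
    return Counter(f["technique"] for f in findings)


if __name__ == "__main__":
    hits = detect(SAMPLE_AUDIT_LOG)
    for hit in hits:
        print(json.dumps(hit))
    print(dict(summarize(hits)))
```

On a real tenant the records come from the directory audit log export (the same activityDisplayName / initiatedBy / targetResources / modifiedProperties fields), so the functions can be pointed at that JSON unchanged; the two federation activities are worth alerting on individually, since a legitimate managed-to-federated conversion is rare and a change to the token-signing certificate is exactly what the T1484.002 and T1606.002 rows describe.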
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0016 | APT29 | [8] | 
References
1. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 1, 2022.
2. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
3. Dr. Nestori Syynimaa. (2021, December 13). AADInternals. Retrieved February 1, 2022.
4. Dr. Nestori Syynimaa. (2020, July 13). Unnoticed sidekick: Getting access to cloud as an on-prem admin. Retrieved September 28, 2022.
5. Dr. Nestori Syynimaa. (2017, November 16). Security vulnerability in Azure AD & Office 365 identity federation. Retrieved February 1, 2022.
6. Dr. Nestori Syynimaa. (2020, June 4). Getting root access to Azure VMs as a Azure AD Global Administrator. Retrieved March 13, 2023.
7. Dr. Nestori Syynimaa. (2020, June 13). Just looking: Azure Active Directory reconnaissance as an outsider. Retrieved February 1, 2022.
8. Microsoft Threat Intelligence Center. (2021, October 25). NOBELIUM targeting delegated administrative privileges to facilitate broader attacks. Retrieved March 25, 2022.