
S0677 AADInternals

AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[3][2]

| Item | Value |
|---|---|
| ID | S0677 |
| Associated Names | |
| Version | 1.2 |
| Created | 01 February 2022 |
| Last Modified | 15 April 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.004 | Cloud Account | AADInternals can enumerate Azure AD users.[2] |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.005 | Device Registration | AADInternals can register a device to Azure AD.[2] |
| enterprise | T1651 | Cloud Administration Command | AADInternals can execute commands on Azure virtual machines using the VM agent.[6] |
| enterprise | T1526 | Cloud Service Discovery | AADInternals can enumerate information about a variety of cloud services, such as Office 365 and SharePoint instances or OpenID Configurations.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | AADInternals is written in and executed via PowerShell.[2] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.003 | Cloud Account | AADInternals can create new Azure AD users.[2] |
| enterprise | T1484 | Domain Policy Modification | - |
| enterprise | T1484.002 | Domain Trust Modification | AADInternals can create a backdoor by converting a domain to a federated domain, which will then be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information.[2][5] |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | AADInternals can directly download cloud user data such as OneDrive files.[2] |
| enterprise | T1606 | Forge Web Credentials | - |
| enterprise | T1606.002 | SAML Tokens | AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate.[2] |
| enterprise | T1589 | Gather Victim Identity Information | - |
| enterprise | T1589.002 | Email Addresses | AADInternals can check for the existence of user email addresses using public Microsoft APIs.[2][7] |
| enterprise | T1590 | Gather Victim Network Information | - |
| enterprise | T1590.001 | Domain Properties | AADInternals can gather information about a tenant’s domains using public Microsoft APIs.[2][7] |
| enterprise | T1556 | Modify Authentication Process | - |
| enterprise | T1556.006 | Multi-Factor Authentication | The AADInternals Set-AADIntUserMFA command can be used to disable MFA for a specified user. |
| enterprise | T1556.007 | Hybrid Identity | AADInternals can inject a malicious DLL (PTASpy) into the AzureADConnectAuthenticationAgentService to backdoor Azure AD Pass-Through Authentication.[4] |
| enterprise | T1112 | Modify Registry | AADInternals can modify registry keys as part of setting up a new pass-through authentication agent.[2] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.004 | LSA Secrets | AADInternals can dump secrets from the Local Security Authority.[2] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.003 | Cloud Groups | AADInternals can enumerate Azure AD groups.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | AADInternals can send “consent phishing” emails containing malicious links designed to steal users’ access tokens.[2] |
| enterprise | T1598 | Phishing for Information | - |
| enterprise | T1598.003 | Spearphishing Link | AADInternals can send phishing emails containing malicious links designed to collect users’ credentials.[2] |
| enterprise | T1528 | Steal Application Access Token | AADInternals can steal users’ access tokens via phishing emails containing malicious links.[2] |
| enterprise | T1649 | Steal or Forge Authentication Certificates | AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.[2] |
| enterprise | T1558 | Steal or Forge Kerberos Tickets | - |
| enterprise | T1558.002 | Silver Ticket | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.[2] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.[2] |
| enterprise | T1552.004 | Private Keys | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.[2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [8] |