
Azure AD (AAD)

Useful links

dirkjanm.io Blog AADInternals Blog List of Managed Identities Web applications Portal.az...

Overview of Azure & M365

AAD (Azure Active Directory) is an identity and access management service: it allows users and ap...

Enumerate Users and Domains

MS has a series of public APIs and DNS public suffixes that we can check during the enumeration p...

Post-exploitation Reconnaissance

Enumerate AD tenant information admin roles and identify high-value targets in the network ADFS ...

Password Spraying M365

This attack is not complex as it only consists in "guessing" a user's password but there are stil...

OAuth 2.0 Abuse

OAuth is a protocol that allows third-party applications to access services with access tokens, a...

Abusing Device Code Authentication

Device Code Authentication allows compromising an AAD / M365 account just like OAuth Abuse but it...

Abusing Cloud Administrator Role

In this section we'll tackle an attack scenario that sees us compromising a Cloud Administrator a...

Abusing User Administrator Role

Just like for the Cloud Administrator section, we'll walk through a small attack scenario which st...

AAD Federated Backdoor

The gist of this persistence technique is creating a malicious domain inside a target tenant and ...

Malicious MFA Takeover

This technique is pretty simple as it only consists in "backdooring" user accounts that don't hav...

Service Principal Abuse

This persistence method consists in backdooring Azure applications leveraging the permissions of ...

Compromising Azure Blobs and Storage Accounts

Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensi...

Malicious Device Join

This technique allows bypassing Conditional Access Policies based on device ownership. Since devi...

Disabling Auditing (Unified Audit Logs)

Azure's audit logs provide the vast majority of logging in the tenant and can be easily used to f...

Spoofing Azure Sign-In Logs

In hybrid environments, every attacker with local administrator access can spoof AAD Sign-In even...

Registering Fake Agents for Log Spoofing

We talked about Spoofing AAD Logon logs as an ADFS administrator in [[15 - Spoofing Azure Sign-In ...

Pass the PRT

This attack exploits devices with SSO enabled in hybrid Azure environments. PRTs can authenticate...

Pass the Cookie

If a user has an active logon session on Azure or M365, the browser stores a cookie called ESTSAU...

Abusing Managed Identities

Managed Identities are a type of Service Principal and they are used by applications to obtain to...

Virtual Machine Abuse

This section is highly dependent on the Abusing Managed Identities module so I recommend checking...

Attacking Key Vaults

While owning users and devices in AAD environments, it's good practice to look out for permission...