Post-exploitation Reconnaissance
Enumerate
- Azure AD tenant information
- admin roles and identify high-value targets in the network
- ADFS
- Resources
- Conditional access policies
- UAL (Unified Audit Log) status, so we know which of our actions will be logged
- Service principal accounts (they log on with a secret or certificate only, so no MFA applies)
- Storage accounts / key vaults
To perform these steps we can mainly use AADInternals and the Azure CLI.
Enumerating subscriptions
With an Azure (Core Management) access token cached in AADInternals:
Get-AADIntAzureSubscriptions
Enumerating service principals
Get-AADIntAccessTokenForAADGraph -SaveToCache
Get-AADIntServicePrincipals
These commands will return a list of service principals with the following attributes
Account enabled
Addresses
AppPrincipalId
DisplayName
ObjectId
ServicePrincipalNames
TrustedForDelegation
With an AppPrincipalId we can pull the full details of a single service principal
Get-AADIntServicePrincipals -ClientIDs <id>
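The listing above gets long in a real tenant, so it helps to triage it before pulling details one ID at a time. The script below is an added example, not part of the original notes or of AADInternals; it assumes an AAD Graph token is already cached and that the objects carry the attributes listed above. The $tenantDomains list is a constructed placeholder to be replaced with the target tenant's verified domains.

```powershell
# Added example (not from the original notes or AADInternals): triage the output of
# Get-AADIntServicePrincipals and fetch full details only for the candidates worth it.
# Assumes Get-AADIntAccessTokenForAADGraph -SaveToCache has already been run.
# $tenantDomains is a constructed placeholder: fill in the target tenant's verified domains.
$tenantDomains = @('domain.onmicrosoft.com', 'domain.com')

$sps = Get-AADIntServicePrincipals

$triage = foreach ($sp in $sps) {
    if ($sp.AccountEnabled -ne $true) { continue }          # disabled SPs cannot sign in

    # An SPN / identifier URI under one of the tenant's own domains usually marks a
    # tenant-created (in-house or third-party) app rather than a Microsoft first-party one.
    $customSpn = @($sp.ServicePrincipalNames) | Where-Object {
        $spn = $_
        ($tenantDomains | Where-Object { $spn -like "*$_*" }).Count -gt 0
    }
    $delegation = ($sp.TrustedForDelegation -eq $true)

    [pscustomobject]@{
        DisplayName          = $sp.DisplayName
        AppPrincipalId       = $sp.AppPrincipalId
        ObjectId             = $sp.ObjectId
        TrustedForDelegation = $delegation
        CustomSpn            = ($customSpn -join ';')
        # crude priority: tenant-owned app plus delegation trust = look at it first
        Score                = [int]$delegation + [int](@($customSpn).Count -gt 0)
    }
}

$triage | Sort-Object Score -Descending |
    Format-Table DisplayName, AppPrincipalId, TrustedForDelegation, CustomSpn, Score -AutoSize

# Detailed object (one AAD Graph call per app) for everything that scored, saved as JSON
# because the detail view is nested and does not flatten well into CSV.
$details = $triage | Where-Object Score -gt 0 | ForEach-Object {
    Get-AADIntServicePrincipals -ClientIds $_.AppPrincipalId
}
$details | ConvertTo-Json -Depth 6 | Set-Content -Path .\serviceprincipals-detail.json
```

The scoring is deliberately simple; the point is to avoid hammering the Graph endpoint (and the audit log) with one detail call per service principal when only a handful of tenant-owned apps are of interest.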
Enumerating Conditional Access Policies
Conditional Access policies combine a set of signals to decide whether, and under what conditions (for example requiring MFA or a compliant device), a user may access a resource; the main signals are:
- User: policies can be applied to individual users, groups or directory roles, and can also exclude them
- Location: the requirements can vary with the IP address or named location the user logs in from
- Device: the device platform (inferred from the user agent) and its compliance or join state can be treated differently upon login
- Applications: policies can be scoped to specific cloud applications, so some apps may require MFA while others do not
MFASweep is a tool that identifies login mechanisms (protocols and endpoints) that are not covered by MFA or by the conditional access policies, for a given set of credentials.
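Before running MFASweep blindly it is worth reading the policies themselves, since the gaps to test (report-only policies, excluded accounts, location or platform scoping, client app types that leave legacy authentication uncovered) are visible in the policy objects. The script below is an added example, not part of the original notes or of MFASweep; it reads the policies through Microsoft Graph, using AADInternals only to obtain the Graph token, and assumes the compromised account is allowed to read policies (the Policy.Read.All permission, which roles such as Global Reader or Security Reader grant). Field names are those of the Graph conditionalAccessPolicy resource.

```powershell
# Added example (not from the original notes, AADInternals or MFASweep): list Conditional
# Access policies via Microsoft Graph and condense each to the signals discussed above.
# Assumes the session user can read policies (Policy.Read.All).
$token    = Get-AADIntAccessTokenForMSGraph
$headers  = @{ Authorization = "Bearer $token" }
$uri      = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies'
$policies = (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get).value

function Join-Ids { param($Values) (@($Values) | Where-Object { $_ }) -join ',' }

function Get-CAPolicySummary {
    param([Parameter(ValueFromPipeline)] $Policy)
    process {
        $c = $Policy.conditions
        [pscustomobject]@{
            Name          = $Policy.displayName
            State         = $Policy.state      # enabled | disabled | enabledForReportingButNotEnforced
            Users         = Join-Ids (@($c.users.includeUsers) + @($c.users.includeGroups) + @($c.users.includeRoles))
            Exclusions    = (@($c.users.excludeUsers) + @($c.users.excludeGroups) + @($c.users.excludeRoles) |
                             Where-Object { $_ }).Count
            Apps          = Join-Ids $c.applications.includeApplications   # 'All' or app IDs
            Locations     = Join-Ids $c.locations.includeLocations         # 'All', 'AllTrusted' or named-location IDs
            ExclLocations = Join-Ids $c.locations.excludeLocations
            Platforms     = Join-Ids $c.platforms.includePlatforms         # 'all' or android/iOS/windows/macOS/...
            ClientApps    = Join-Ids $c.clientAppTypes                     # all/browser/mobileAppsAndDesktopClients/other/...
            Controls      = Join-Ids $Policy.grantControls.builtInControls # e.g. mfa, compliantDevice, block
        }
    }
}

$summary = $policies | Get-CAPolicySummary
$summary | Format-Table -AutoSize

# Candidates to hand to MFASweep or to test manually: MFA policies that are not enforced,
# that carve out accounts or locations, that only apply to some platforms (spoofable via
# user agent) or that do not cover 'other' client apps (i.e. legacy authentication).
$summary | Where-Object {
    $_.Controls -match 'mfa' -and (
        $_.State -ne 'enabled' -or
        $_.Exclusions -gt 0 -or
        $_.ExclLocations -or ($_.Locations -ne '' -and $_.Locations -ne 'All') -or
        ($_.Platforms -ne '' -and $_.Platforms -ne 'all') -or
        ($_.ClientApps -notmatch 'all|other')
    )
}
```

Excluded users and groups are returned as object IDs, so the next step is normally to resolve them with the user enumeration below and check whether any of them is a high-value account without MFA.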
Enumerating Users
To list all users we can use
Get-AADIntUsers | Select UserPrincipalName,ObjectId,ImmutableId
If we want to know more information about a specific user we can use a more precise query
Get-AADIntUser -UserPrincipalName "someone"
A good thing to note about user enumeration and conditional access policies is that, if a policy restricts access to IP addresses from a specific geographical area, the user object itself (city, country, usage location) usually tells us where that user is based, so we know from which region our sign-in attempts should originate.
Enumerating Administrators
There are several administrative roles worth noting in AAD, but the most important ones are
- Global Administrator
- Cloud Application Administrator
- Application Administrator
To easily get a list of admin roles and names for their members we can use
$result = Invoke-AADIntReconAsInsider
$result.roleInformation | Where Members -ne $null | select Name,Members
or for a full list of Global Administrators
Get-AADIntGlobalAdmins
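The role listing and the user lookup above fit together naturally: the role members are the high-value targets, and the per-user attributes tell us where they are based and whether they have an MFA method registered. The script below is an added example, not part of the original notes or of AADInternals. It assumes that each entry in roleInformation.Members is either a UPN string or an object with a UserPrincipalName property (both are handled) and that Get-AADIntUser returns the MSOnline-style City, Country, UsageLocation, StrongAuthenticationMethods and LastPasswordChangeTimestamp fields; if a field is missing in your version the column is simply empty.

```powershell
# Added example (not from the original notes or AADInternals): build a high-value target
# list from the admin roles returned by Invoke-AADIntReconAsInsider and enrich each member
# with the user attributes that matter for conditional-access planning.
# Assumptions: Members holds UPN strings or objects with UserPrincipalName; Get-AADIntUser
# returns MSOnline-style City/Country/UsageLocation/StrongAuthenticationMethods fields.
$recon  = Invoke-AADIntReconAsInsider
$wanted = 'Global Administrator', 'Cloud Application Administrator', 'Application Administrator'

$targets = foreach ($role in ($recon.roleInformation | Where-Object { $_.Members -and $_.Name -in $wanted })) {
    foreach ($m in @($role.Members)) {
        $upn = if ($m -is [string]) { $m } else { $m.UserPrincipalName }
        if (-not $upn) { continue }                      # skip group / service principal members without a UPN

        $u = Get-AADIntUser -UserPrincipalName $upn
        [pscustomobject]@{
            Role       = $role.Name
            UPN        = $upn
            City       = $u.City
            Country    = $u.Country
            Usage      = $u.UsageLocation
            MfaMethods = @($u.StrongAuthenticationMethods | Where-Object { $_ }).Count   # 0 = nothing registered
            LastPwd    = $u.LastPasswordChangeTimestamp
        }
    }
}

# Admins with no registered MFA method come first; the location columns tell us which
# region a geo-restricted policy expects the sign-in to come from.
$targets | Sort-Object MfaMethods, Role | Format-Table -AutoSize
$targets | Export-Csv -Path .\admin-targets.csv -NoTypeInformation
```

Each Get-AADIntUser call is a separate request, so on a large tenant it is cheaper to run Get-AADIntUsers once and join on UserPrincipalName instead.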
Enumerating Synchronization Server
The Synchronization Server is a high-value target in hybrid environments, especially for credential dumping and lateral movement. To get more information about the server and the service account related to it (the DirSyncServiceAccount field) we use
Get-AADIntSyncConfiguration
The majority of the described enumeration process can be automated with o365recon. Another extremely useful tool is AzureHound, from the BloodHound family, which produces JSON files that can be imported and queried in the BloodHound client; it collects with the permissions of the account given, so it only sees what that user can read.
.\azurehound.exe -u "someone@domain.onmicrosoft.com" -p "securepassword" list --tenant "domain.onmicrosoft.com" -o "output.json"
A good addition to the stock BloodHound client are the Azure-related queries we can add to the ~/.config/bloodhound/customqueries.json file.
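A few queries that cover the targets enumerated on this page (paths to the tenant via Global Admin, principals that can add a secret to a service principal, principals that can read Key Vaults) can be merged into that file with the script below. It is an added example, not part of BloodHound or AzureHound; the file layout (a "queries" array whose items carry a name and a queryList of Cypher statements flagged final) is the one the BloodHound client reads, the AZ* node and edge labels are AzureHound's, and the path assumes a Linux home directory.

```powershell
# Added example (not from BloodHound or AzureHound): merge Azure-focused queries into the
# BloodHound client's customqueries.json without clobbering queries already in it.
$path = Join-Path $HOME '.config/bloodhound/customqueries.json'

function New-Query { param($Name, $Cypher)
    [pscustomobject]@{
        name      = $Name
        queryList = @([pscustomobject]@{ final = $true; query = $Cypher })
    }
}

$newQueries = @(
    (New-Query 'Azure: direct Global Admins of the tenant' `
        'MATCH p=(n)-[:AZGlobalAdmin]->(t:AZTenant) RETURN p'),
    (New-Query 'Azure: shortest paths to the tenant' `
        'MATCH p=shortestPath((n)-[r*1..]->(t:AZTenant)) WHERE NOT n:AZTenant RETURN p'),
    (New-Query 'Azure: principals that can add a secret to a service principal' `
        'MATCH p=(n)-[:AZAddSecret]->(sp:AZServicePrincipal) RETURN p'),
    (New-Query 'Azure: principals that can read Key Vault secrets, keys or certificates' `
        'MATCH p=(n)-[:AZGetSecrets|AZGetKeys|AZGetCertificates]->(kv:AZKeyVault) RETURN p')
)

# Existing queries win on a name clash, so a locally tuned query is never overwritten.
$existing = if (Test-Path $path) { @((Get-Content $path -Raw | ConvertFrom-Json).queries) } else { @() }
$merged   = @($existing) + $newQueries | Group-Object name | ForEach-Object { $_.Group[0] }

$json = [pscustomobject]@{ queries = @($merged) } | ConvertTo-Json -Depth 6
New-Item -ItemType Directory -Force -Path (Split-Path $path) | Out-Null
# WriteAllText writes UTF-8 without a BOM; Set-Content -Encoding UTF8 on Windows PowerShell
# adds one, which the client's JSON parser rejects.
[IO.File]::WriteAllText($path, $json)
```

Restart the BloodHound client after writing the file; the new entries appear under the custom queries tab.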