Azure AD Internals Security and Techniques

Azure AD uses a technique called Just-In-Time (JIT) provisioning to grant access to applications only when a user needs it, reducing the attack surface.

This approach is more secure than traditional provisioning methods, which grant access to applications as soon as a user is added to the directory.

Azure AD also uses a feature called Conditional Access to control access to applications based on conditions such as user location, device type, and more.

Conditional Access policies can be configured to block access to sensitive applications from unmanaged devices, adding an extra layer of security.

Azure AD's authentication process involves using a token called a Security Token Service (STS) token, which is issued by the Azure AD token service.

The STS token contains the user's identity and permissions, and is used to authenticate the user with the application.

AADInternals can enumerate Azure AD users using the AADInternals tool, which is written and executed via PowerShell (T1059). This allows attackers to gather information about users in the organization.

AADInternals can also create new Azure AD users (T1136), which can be a significant security risk if not properly monitored.

The AADInternals tool can execute commands on Azure virtual machines using the VM agent (T1651), giving attackers a way to gain control over virtual machines.

AADInternals can collect files from a user's OneDrive (T1530) and directly download cloud user data such as OneDrive files (T1048).

The tool can also create SAML tokens using the AD Federated Services token signing certificate (T1606) and forge Kerberos tickets using the password hash of the AZUREADSSOACC account (T1558).

Here are some of the ways AADInternals can be used to compromise Azure AD security:

Azure AD Internals can be used to enumerate Azure AD users, register a device to Azure AD, and execute commands on Azure virtual machines using the VM agent. It can also gather information about a tenant's domains, enumerate Azure AD groups, and collect files from a user's OneDrive.

AADInternals can create new Azure AD users, modify registry keys, and steal users' access tokens via phishing emails containing malicious links. It can also dump secrets from the Local Security Authority and gather unsecured credentials for Azure AD services from a local machine.

Here are some specific techniques used by Azure AD Internals:

AADInternals can enumerate Azure AD users to discover account information.

In Azure AD, AADInternals can register a device to Azure AD, allowing for device registration manipulation.

AADInternals can execute commands on Azure virtual machines using the VM agent, demonstrating cloud administration command capabilities.

AADInternals can enumerate information about various cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations, making it a valuable tool for cloud service discovery.

AADInternals is written and executed via PowerShell, showcasing its scripting interpreter capabilities.

AADInternals can create new Azure AD users, highlighting its account creation abilities.

AADInternals can collect files from a user’s OneDrive, demonstrating exfiltration over alternative protocol capabilities.

AADInternals can dump secrets from the Local Security Authority, emphasizing its OS credential dumping abilities.

AADInternals can enumerate Azure AD groups, making it a useful tool for permission groups discovery.

AADInternals can send phishing emails containing malicious links designed to steal users’ access tokens, showcasing its spear phishing capabilities.

AADInternals can steal users’ access tokens via phishing emails containing malicious links, further emphasizing its token stealing abilities.

AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices, demonstrating its certificate stealing capabilities.

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine, highlighting its credentials in files abilities.

AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers, emphasizing its private keys abilities.

Here are some Azure AD collectors that can be used for various purposes:

Hybrid Join is a technique that uses the domain authority, not the AAD authority, to manage and provide SSO to both cloud and on-prem resources. This is a crucial distinction to make.

The hybrid joined machine can be managed by Intune/MDM or Group Policy, which allows for a flexible management approach. However, it still relies on the on-prem domain for certain tasks.

The registration process involves pushing a group policy configuration to each domain joined machine, which then connects to AAD and registers itself. This creates a device in AAD, which registers some keys.

The authentication process is similar to the standard AADJ process, but with a key difference: if Kerberos fails, it doesn't move on to AAD. This is because there's no cache involved for CloudAP.

Hybrid Join is designed to provide WAM for SSO, but it doesn't allow users to log in with AAD due to management complexity. This means that users will still need to rely on their on-prem domain for certain tasks.