# Post-exploitation Reconnaissance

Once we hold a valid credential or token, enumerate:

1. Azure AD tenant information
2. Admin roles, to identify high-value targets in the tenant
3. ADFS
4. Resources
5. Conditional Access policies
6. UAL (Unified Audit Log) settings
7. Service principal accounts (they authenticate with a secret or certificate, so their logon is single-factor and MFA does not apply)
8. Storage accounts / key vaults

To perform these steps we can mainly use AADInternals and the Azure CLI.

### Enumerating subscriptions

```powershell
Get-AADIntAzureSubscriptions
```

### Enumerating service principals

```powershell
Get-AADIntAccessTokenForAADGraph -SaveToCache
Get-AADIntServicePrincipals
```

These commands return a list of service principals with the following attributes:

```
Account enabled
Addresses
AppPrincipalId
DisplayName
ObjectId
ServicePrincipalNames
TrustedForDelegation
```

With the `AppPrincipalId` we can gather even more information about a service principal

```powershell
Get-AADIntServicePrincipals -ClientIDs <id>
```

### Enumerating Conditional Access Policies

**Conditional Access policies** combine a set of signals to decide whether a sign-in is allowed and under which conditions (for example, requiring MFA or a compliant device) when a user tries to access a resource; the main signals are:

* User: policies apply to specific users or groups of users
* IP location: sign-ins from trusted or named locations can be treated differently from the rest (typically MFA is only required outside the corporate IP range)
* Device: devices of specific platforms or compliance states can be treated differently at sign-in
* Applications: access to specific applications can trigger additional controls

[MFASweep](https://github.com/dafthack/MFASweep) tries a single credential against several Microsoft endpoints and protocols (Graph API, Azure Service Management, Microsoft 365 web portal with desktop and mobile user agents, Exchange Web Services, ActiveSync, ADFS) and reports which ones succeed without an MFA prompt, which exposes login paths that bypass MFA or Conditional Access policies.

### Enumerating Users

To list all users we can use

```powershell
Get-AADIntUsers | Select UserPrincipalName,ObjectId,ImmutableId
```

If we want to know more information about a specific user we can use a more precise query

```powershell
Get-AADIntUser -UserPrincipalName "someone"
```

User enumeration and Conditional Access policies feed each other: if a policy only allows sign-ins from a specific geographical area or named location, the attributes returned for a user (country, usage location, office and phone fields) usually tell us where that user is based, so we know which location a sign-in as that user has to appear to come from.

### Enumerating Administrators

There are several administrator roles we should take note of in AAD, but the most important ones are

* Global Administrator
* Cloud Application Administrator
* Application Administrator

The two application administrator roles matter because they can add credentials to existing applications and service principals, which turns them into the single-factor service principal logons mentioned above.

To easily get a list of admin roles and names for their members we can use

```powershell
$result = Invoke-AADIntReconAsInsider
$result.roleInformation | Where Members -ne $null | select Name,Members
```

or for a full list of Global Administrators

```powershell
Get-AADIntGlobalAdmins
```
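The following PowerShell is an added example (not from the original page and not part of AADInternals): it flattens the `roleInformation` returned by `Invoke-AADIntReconAsInsider` into one row per privileged account, lists every high-value role each account holds, and can optionally enrich each account with `Get-AADIntUser`. The role list, the `Get-HighValueTargets` function, the `-Enrich` switch and the user attribute names it selects (`UsageLocation`, `LastDirSyncTime`, `StrongAuthenticationMethods`) are assumptions of this example; the sample `$sample` object is constructed to mirror the shape of the real output so the logic can be tried offline.

```powershell
# Added example: triage Invoke-AADIntReconAsInsider role output into a list of
# high-value accounts. Not code from the original page or from AADInternals.

# Roles to treat as high value. "Company Administrator" is the directory name the
# older APIs use for Global Administrator, so both spellings are included.
$HighValueRoles = @(
    'Company Administrator',
    'Global Administrator',
    'Privileged Role Administrator',
    'Application Administrator',
    'Cloud Application Administrator',
    'Hybrid Identity Administrator'
)

function Get-HighValueTargets {
    param(
        [Parameter(Mandatory)] $RoleInformation,   # (Invoke-AADIntReconAsInsider).roleInformation
        [string[]] $Roles = $HighValueRoles,
        [switch] $Enrich                            # also call Get-AADIntUser (needs a valid token)
    )

    # One row per (role, member) for the roles we care about.
    $rows = foreach ($role in $RoleInformation) {
        if (-not $role.Members) { continue }
        if ($Roles -notcontains $role.Name) { continue }
        foreach ($m in @($role.Members)) {
            [pscustomobject]@{
                Role              = $role.Name
                DisplayName       = $m.DisplayName
                UserPrincipalName = $m.UserPrincipalName
            }
        }
    }

    # Collapse to one line per account, with all of its privileged roles joined.
    $targets = $rows | Group-Object UserPrincipalName | ForEach-Object {
        $unique = @($_.Group.Role | Sort-Object -Unique)
        [pscustomobject]@{
            UserPrincipalName = $_.Name
            DisplayName       = $_.Group[0].DisplayName
            Roles             = $unique -join '; '
            RoleCount         = $unique.Count
        }
    }

    if ($Enrich) {
        $targets = foreach ($t in $targets) {
            $u = Get-AADIntUser -UserPrincipalName $t.UserPrincipalName
            # Attribute names below are assumed (MSOnline-style user object);
            # a missing attribute simply yields an empty column.
            $t | Add-Member -NotePropertyName UsageLocation   -NotePropertyValue $u.UsageLocation   -PassThru |
                 Add-Member -NotePropertyName LastDirSyncTime -NotePropertyValue $u.LastDirSyncTime -PassThru |
                 Add-Member -NotePropertyName MfaMethods      -NotePropertyValue (@($u.StrongAuthenticationMethods).Count) -PassThru
        }
    }

    $targets | Sort-Object RoleCount -Descending
}

# Constructed sample shaped like the real roleInformation output (offline demo).
$sample = @(
    [pscustomobject]@{ Name = 'Company Administrator'; Members = @(
        [pscustomobject]@{ DisplayName = 'MOD Administrator'; UserPrincipalName = 'admin@company.onmicrosoft.com' },
        [pscustomobject]@{ DisplayName = 'Alice Ops';         UserPrincipalName = 'alice@company.com' }) },
    [pscustomobject]@{ Name = 'Application Administrator'; Members = @(
        [pscustomobject]@{ DisplayName = 'Alice Ops';         UserPrincipalName = 'alice@company.com' }) },
    [pscustomobject]@{ Name = 'Helpdesk Administrator'; Members = @(
        [pscustomobject]@{ DisplayName = 'Bob Help';          UserPrincipalName = 'bob@company.com' }) },
    [pscustomobject]@{ Name = 'Billing Administrator'; Members = $null }
)
Get-HighValueTargets -RoleInformation $sample | Format-Table -AutoSize

# Against a real tenant:
#   $result = Invoke-AADIntReconAsInsider
#   Get-HighValueTargets -RoleInformation $result.roleInformation -Enrich | Format-Table -AutoSize
```

On the constructed sample the output lists `alice@company.com` first with two roles and `admin@company.onmicrosoft.com` with one; Bob is dropped because Helpdesk Administrator is not in the high-value list. The `-Enrich` pass is what ties this back to Conditional Access: `UsageLocation` hints at which named location a policy expects, `LastDirSyncTime` separates synced on-prem accounts from cloud-only ones, and an account with zero registered MFA methods is a candidate for a single-factor logon.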

### Enumerating Synchronization Server

The synchronization server (Azure AD Connect) is a high-value target in hybrid environments: it stores the credentials of the on-prem AD connector account and of the AAD sync account, so compromising it enables credential dumping and lateral movement between on-prem AD and the cloud. To get the server names and the related service account (identified by the `DirSyncServiceAccount` field) we use

```powershell
Get-AADIntSyncConfiguration
```
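The following PowerShell is an added example (not from the original page and not part of AADInternals) that runs the enumeration steps above in one pass and writes every result to disk, so the evidence survives the session and can be diffed on a later engagement. It assumes the AADInternals module is imported, that the AAD Graph token obtained with `Get-AADIntAccessTokenForAADGraph -SaveToCache` is what the service principal, user and admin cmdlets consume, and that subscriptions need an Azure Resource Manager token obtained with `Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache`; the `Invoke-TenantRecon` function, its `Step` helper, the output file names and the example path are assumptions of this example.

```powershell
# Added example: one-pass tenant enumeration with on-disk evidence.
# Not code from the original page or from AADInternals.
function Invoke-TenantRecon {
    param(
        [Parameter(Mandatory)] [string] $OutDir,
        [switch] $SkipSubscriptions    # use when the account has no Azure RM access
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $log = Join-Path $OutDir 'recon.log'

    # Run one enumeration step, store its result as JSON and log the object count.
    # A failure (a 403 on one endpoint is common) is logged instead of aborting
    # the whole run, so the remaining steps still produce output.
    function Step([string]$Name, [scriptblock]$Body) {
        try {
            $data = & $Body
            $data | ConvertTo-Json -Depth 6 | Set-Content -Path (Join-Path $OutDir "$Name.json")
            $msg = "$Name`t$(@($data).Count) objects"
        } catch {
            $data = $null
            $msg = "$Name`tFAILED: $($_.Exception.Message)"
        }
        Add-Content -Path $log -Value $msg
        Write-Host $msg
        return $data
    }

    # Tokens (assumed cmdlets): AAD Graph for directory objects, Azure Core
    # Management (ARM) for subscriptions.
    Get-AADIntAccessTokenForAADGraph -SaveToCache | Out-Null
    if (-not $SkipSubscriptions) {
        Get-AADIntAccessTokenForAzureCoreManagement -SaveToCache | Out-Null
        Step 'subscriptions' { Get-AADIntAzureSubscriptions } | Out-Null
    }

    $sps    = Step 'service_principals' { Get-AADIntServicePrincipals }
    $users  = Step 'users'              { Get-AADIntUsers | Select-Object UserPrincipalName,ObjectId,ImmutableId }
    $admins = Step 'global_admins'      { Get-AADIntGlobalAdmins }
    $sync   = Step 'sync_config'        { Get-AADIntSyncConfiguration }

    # Triage summary for the operator; each counter points at a later step.
    [pscustomobject]@{
        ServicePrincipals       = @($sps).Count
        SPsTrustedForDelegation = @($sps | Where-Object TrustedForDelegation).Count
        Users                   = @($users).Count
        UsersWithImmutableId    = @($users | Where-Object ImmutableId).Count   # synced from on-prem AD
        GlobalAdmins            = @($admins).Count
        DirSyncServiceAccount   = $sync.DirSyncServiceAccount
        OutputDir               = $OutDir
    }
}

# Usage (hypothetical output path):
# Invoke-TenantRecon -OutDir "C:\recon\$(Get-Date -Format yyyyMMdd-HHmm)"
```

Each step lands in its own JSON file next to `recon.log`, so a step that fails with a permission error is visible without losing the others. The `ImmutableId` count is a quick hybrid-environment indicator: accounts that carry one were synchronized from on-prem AD, which is the population the synchronization server above controls.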

The majority of the described enumeration process can be automated with [o365recon](https://github.com/nyxgeek/o365recon). Another extremely useful tool is [Azurehound](https://github.com/BloodHoundAD/AzureHound), from the BloodHound family, which produces JSON files that can be imported and queried in the BloodHound client.

```powershell
.\azurehound.exe -u "someone@domain.onmicrosoft.com" -p "securepassword" list --tenant "domain.onmicrosoft.com" -o "output.json"
```

A good addition to the stock BloodHound client are the [Azure-related queries](https://github.com/ZephrFish/Bloodhound-CustomQueries) we can add to the `~/.config/bloodhound/customqueries.json` file.

