Post-exploitation Reconnaissance

Enumerate

1. AD tenant information

2. admin roles and identify high-value targets in the network

3. ADFS

4. Resources

5. Conditional access policies

6. UAL (Unified Access Log) settings

7. Service principal accounts (for single-factor logon)

8. Storage accounts / key vaults

To perform these steps we can mainly use AADInternals and the Azure CLI.

Enumerating subscriptions

Get-AADIntAzureSubscriptions

Enumerating service principals

Get-AADIntAccessTokenForAADGraph -SaveToCache
Get-AADIntServicePrincipals

These commands will return a list of service principals with the following attributes

Account enabled
Addresses
AppPrincipalId
DisplayName
ObjectId
ServicePrincipalNames
TrustedForDelegation

With the AppPrincipalId we can gather even more information about a service principal

Get-AADIntServicePrincipals -ClientIDs <id>

Enumerating Conditional Access Policies

Conditional Access Policies are defined as a series of signals and determine how access is controlled when a user tries to access a resource; the "signals" are the following:

• User: policies can be applied to users or groups of users

• IP location: the login method can be modified based on the IP the user logs in from

• Device: devices of specific platforms can be treated differently upon login

• Applications: users attempting to access specific applications can trigger further conditional policies

MFASweep is a tool that allows to identify login mechanisms that allow to bypass MFA or conditional access policies.

Enumerating Users

To list all users we can use

Get-AADIntUsers | Select UserPrincipalName,ObjecdId,ImmutableId

If we want to know more information about a specific user we can use a more precise query

Get-AADIntUser -UserPrincipalName "someone"

A good thing to note about user enumeration and conditional access policies is that, if there is a policy that restricts access to IP addresses coming from a specific geographical area, it's not hard to get more information about a user and find out where they are based.

Enumerating Administrators

There are several administrators we should take note of in AAD but the most important ones are

• Global Administrator

• Cloud Administrator

• Application Administrator

To easily get a list of admin roles and names for their members we can use

$result = Invoke-AADIntReconAsInsider
$result.roleInformation | Where Members -ne $null | select Name,Members

or for a full list of Global Administrators

Get-AADIntGlobalAdmins

Enumerating Synchronization Server

The Synchronization Server is a high-value target for hybrid environments, especially for credential dumping and lateral movement. To get more information about the servers and the service account related to it (identified by the DirSyncServiceAccount field) we use

Get-AADIntSyncConfiguration

The majority of the described enumeration process can be automated with o365recon. Another extremely useful tool is Azurehound, from the BloodHound family, which produces JSON files that can be imported and queried in the BloodHound client.

.\azurehound.exe -u "someone@domain.onmicrosoft.com" -p "securepassword" list --tenant "domain.onmicrosoft.com" -o "output.json"

A good addition to the stock BloodHound client are the Azure-related queries we can add to the ~/.config/bloodhound/customqueries.json file.