o365blog.com (185.199.108.153)

Submitted URL: http://o365blog.com/
Effective URL: https://o365blog.com/
Submission: On July 09 via api from CH — Scanned from DE


OFFICE 365 BLOG


EVERYTHING ABOUT MICROSOFT 365 SECURITY



STEALING AND FAKING AZURE AD DEVICE IDENTITIES

February 15, 2022 (Last Modified: February 17, 2022)

In my previous blog posts I’ve covered details on PRTs, BPRTs, device
compliance, and Azure AD device join.

In this blog, I’ll show how to steal identities of existing Azure AD joined
devices, and how to fake identities of non-AAD joined Windows devices with
AADInternals v0.6.6.




MICROSOFT PARTNERS: THE GOOD, THE BAD, OR THE UGLY?

December 11, 2021 (Last Modified: February 15, 2022)

In 2018, I blogged for the first time about risks related to Delegated
Administrative Privileges (DAP) given to Microsoft partners. Now, in 2021,
Microsoft blogged about how NOBELIUM exploited DAP to compromise customers of
some Microsoft partners.

In this blog, I’ll explain why DAP is so dangerous, how to exploit it, how to
detect exploitation, and how to view partner related information with
AADInternals v0.6.5.




AADINTERNALS ADMIN AND BLUE TEAM TOOLS

September 07, 2021 (Last Modified: December 22, 2021)

The AADInternals toolkit is best known for its offensive or red team tools. Its
origins, however, are in administration, especially for tasks not supported by
official tools.

In this blog, I’ll introduce recent additions to the admin & blue team tools and
also some old goodies!




SPOOFING AZURE AD SIGN-INS LOGS BY IMITATING AD FS HYBRID HEALTH AGENT

July 08, 2021 (Last Modified: September 08, 2021)

Azure AD Connect Health is a feature that allows viewing the health of on-prem
hybrid infrastructure components, including Azure AD Connect and AD FS servers.
Health information is gathered by agents installed on each on-prem hybrid
server. Since March 2021, also AD FS sign-in events are gathered and sent to
Azure AD.

In this write-up (based on a Threat Analysis report by Secureworks), I’ll
explain how anyone with local administrator access to an AD FS server (or proxy)
can create arbitrary sign-in events in the Azure AD sign-ins log. Moreover, I’ll
show how Global Administrators can register fake agents to Azure AD, even for
tenants not using AD FS at all.




EXPORTING AD FS CERTIFICATES REVISITED: TACTICS, TECHNIQUES AND PROCEDURES

April 27, 2021 (Last Modified: July 01, 2021)

I’ve talked about AD FS issues for a couple of years now, and finally, after
Solorigate/Sunburst, the world is listening 😉

In this blog, I’ll explain the currently known TTPs to exploit AD FS
certificates, and introduce a totally new technique to export the configuration
data remotely.




DEEP-DIVE TO AZURE AD DEVICE JOIN

March 03, 2021 (Last Modified: September 10, 2021)

Devices (endpoints) are a crucial part of Microsoft’s Zero Trust concept.
Devices can be Registered, Joined, or Hybrid Joined to Azure AD. Conditional
Access uses the device information as one of the decision criteria to allow or
block access to services.

In this blog, I’ll explain what these different registration types are, what
happens under-the-hood during the registration, and how to register devices with
AADInternals v0.4.6.




BPRT UNLEASHED: JOINING MULTIPLE DEVICES TO AZURE AD AND INTUNE

January 31, 2021 (Last Modified: March 01, 2021)

In October 2020, someone contacted me and asked whether it would be possible to
create BPRTs using AADInternals. I hadn’t even heard of BPRTs, but was
eventually able to help him create BPRTs. Now this functionality is included in
AADInternals v0.4.5.

In this blog, I’ll explain what BPRTs are and how they can be used to join
multiple devices to both Azure AD and Intune. I’ll also show the dark side of
BPRTs: how they can be used to conduct DoS attacks against Azure AD, and how to
detect and prevent this.




ABUSING TEAMS CLIENT PROTOCOL TO BYPASS TEAMS SECURITY POLICIES

October 27, 2020 (Last Modified: October 29, 2020)

Administrators can use Teams policies for controlling what users can do in
Microsoft Teams.

In this blog, I’ll show that these policies are applied only in the client and
thus can be easily bypassed.




AADINTERNALS CLOUD IDENTITY SUMMIT 2020 EDITION

October 19, 2020

The new AADInternals release v0.4.4, AADInternals Cloud Identity Summit 2020
edition, is now out! Read on to see the list of updates and new features.




INTRODUCING A NEW PHISHING TECHNIQUE FOR COMPROMISING OFFICE 365 ACCOUNTS

October 13, 2020 (Last Modified: September 10, 2021)

The ongoing global phishing campaigns against Microsoft 365 have used various
phishing techniques. Currently attackers are utilising forged login sites and
OAuth app consents.

In this blog, I’ll introduce a new phishing technique based on Azure AD device
code authentication flow. I’ll also provide instructions on how to detect usage
of compromised credentials and what to do to prevent phishing using the new
technique.




USING AZURE CLOUD SHELL FROM POWERSHELL

September 30, 2020

Azure Cloud Shell is a browser-based shell for managing Azure resources using
your favourite shell, Bash or PowerShell. Cloud Shell is typically used from the
Azure Portal. It provides easy access to Azure CLI, Azure PowerShell and
Azure AD PowerShell.

In this blog, I’ll introduce a new way to access Cloud Shell from PowerShell
(requires AADInternals v0.4.3 or newer).




BYPASSING CONDITIONAL ACCESS BY FAKING DEVICE COMPLIANCE.

September 06, 2020 (Last Modified: September 29, 2020)

In my previous blog I demonstrated how to create a Persistent Refresh Token
(PRT) by joining an imaginary device to Azure AD.

In this blog, with AADInternals v0.4.2, I’ll show how to make those devices
compliant, which allows compliance related conditional access (CA) policies to
be bypassed.




JOURNEY TO AZURE AD PRT: GETTING ACCESS WITH PASS-THE-TOKEN AND PASS-THE-CERT

September 01, 2020 (Last Modified: October 15, 2020)

Lately we have seen great articles by @_dirkjan, @tifkin_, @rubin_mor, and
@gentilkiwi about utilising Primary Refresh Token (PRT) to get access to Azure
AD and Azure AD joined computers.

In this blog, I’ll report my own findings regarding PRT and introduce the new
functionality added to AADInternals v0.4.1.




DEEP-DIVE TO AZURE AD MFA: CREATING A CUSTOM AUTHENTICATOR APP

August 06, 2020 (Last Modified: August 13, 2020)

Multi-factor Authentication (MFA) is nowadays a recommended method for providing
extra protection for users. In most cases, it protects users from phishing
attacks, as the attackers can’t log in even if they have the user’s credentials.

In this blog, I’ll report my findings on how Azure AD MFA works under the hood,
and how I built a custom authenticator app for Android. I also introduce some
methods by which a rogue administrator can bypass MFA when using a user’s
compromised credentials.




UNNOTICED SIDEKICK: GETTING ACCESS TO CLOUD AS AN ON-PREM ADMIN

July 13, 2020 (Last Modified: December 03, 2021)

This post is part 5⁄5 of Azure AD and Microsoft 365 kill chain blog series.

Although on-prem administrators don’t usually have admin rights to Azure AD,
they can have access to crucial information, such as Azure AD Connect, ADFS, and
Active Directory. Administrators of these services can easily get admin rights
to Azure AD to manipulate and impersonate users.

In this blog, using AADInternals v0.4.0, I’ll show how to get Global Admin
access and how to impersonate users as an on-prem administrator.




KEYS OF THE KINGDOM: PLAYING GOD AS GLOBAL ADMIN

June 16, 2020 (Last Modified: August 13, 2020)

This post is part 4⁄5 of Azure AD and Microsoft 365 kill chain blog series.

The Global Admin role is the most powerful administrator role in Azure AD. It is
(almost) equivalent to local system rights in a traditional Windows
environment: if you are a Global Admin, there is no security! As a Global Admin,
there are no limits on what you are allowed to do. For instance, one can easily
access others’ data. But why bother, if you can just as easily impersonate users?

In this blog, using AADInternals v0.4.0, I’ll show how (as a Global
Administrator) to gather information on Azure subscriptions, gather users’
credentials, get system level access to Azure VMs, and how to impersonate users.




WOLF IN SHEEP'S CLOTHING: AZURE ACTIVE DIRECTORY RECONNAISSANCE AS AN INSIDER

June 15, 2020 (Last Modified: December 11, 2021)

This post is part 3⁄5 of Azure AD and Microsoft 365 kill chain blog series.

Azure AD and Office 365 are cloud services and most information is hidden to the
members (or guests) of the tenant. However, there is plenty of information
publicly available to anyone.

In this blog, using AADInternals v0.4.5, I’ll show how to gather information of
any Azure AD tenant as an insider.




QUEST FOR GUEST ACCESS: AZURE ACTIVE DIRECTORY RECONNAISSANCE AS A GUEST

June 14, 2020 (Last Modified: September 06, 2020)

This post is part 2⁄5 of Azure AD and Microsoft 365 kill chain blog series.

When sharing SharePoint with people outside the organisation or inviting them to
Teams, a corresponding guest account is created in Azure AD. Although the
created guest account is not a pure insider, it has wide read-only access to the
organisation’s Azure AD information.

In this blog, using AADInternals v0.4.0, I’ll show how to gather information
from an Azure AD tenant as a guest user.




JUST LOOKING: AZURE ACTIVE DIRECTORY RECONNAISSANCE AS AN OUTSIDER

June 13, 2020 (Last Modified: September 01, 2021)

This post is part 1⁄5 of Azure AD and Microsoft 365 kill chain blog series.

Azure AD and Office 365 are cloud services and most information is available
only to the members (or guests) of the tenant. However, there is plenty of
information publicly available to anyone.

In this blog, using AADInternals v0.4.0, I’ll show how to gather information of
any Azure AD tenant as an outsider.




GETTING ROOT ACCESS TO AZURE VMS AS AN AZURE AD GLOBAL ADMINISTRATOR

June 04, 2020

Sean Metcalf (@Pyrotek3) organised a great webcast at the end of May 2020.
Among other things, Sean introduced a new (to me, at least) attack vector where
an Azure AD administrator can easily get system level access to any Azure
virtual machine of the organisation. Naturally, I had to implement this
functionality in AADInternals.

In this blog, using AADInternals v0.3.3, I’ll show how a Global Administrator can
gain access to any Azure VM of the organisation.





SOCIAL

Twitter
LinkedIn
nestori.syynimaa@gerenios.com
