Last year I gave a presentation titled Dumping NTHashes from Azure AD at TROOPERS conference. The talk was about how the Microsoft Entra Domain Services (formerly Azure AD Domain Services) works and how it enabled dumping NTHashes from Entra ID (formerly Azure AD). In this blog, I’ll show how Microsoft Entra Domain Services (MEDS) can be (ab)used to exfiltrate NTHashes from on-prem Active Directory ..read more

My recent talk at the great T2 conference on DoSing Azure AD gained a lot of attention. Unfortunately, the talk was not recorded, so I decided to write a blog for those who couldn’t attend. So here we go ..read more

A couple of weeks ago a friend of mine asked would it be possible to pre-register MFA for users in Azure AD. For short, yes it is! In this blog, I’ll show how to pre-register OTP and SMS MFA methods using AADInternals’ Register‑AADIntMFAApp and Set‑AADIntUserMFA ..read more

In my previous blog post I explained how Group Managed Service Accounts (gMSA) passwords are stored locally on the servers. In this blog, I’ll share how you can easily elevate yourself from the local administrator to gMSA without a need to know the account password. I’m already using this technique in AADInternals to execute code as AD FS service account ..read more

Multi-factor Authentication (MFA) and Conditional Access (CA) policies are powerful tools to protect Azure AD users’ identities. For instance, one may allow access only from compliant devices and require MFA from all users. However, because of Azure AD authentication platform architecture, users can bypass home tenant MFA and CA policies when logging in directly to resource tenants. This blog post tries to shed some light on how Azure AD authentication works under-the-hood. We’ll introduce the issue, describe how to exploit it, show how to detect exploitation, and finally, how to prevent the ..read more

Tenant information This Open-source Intelligence (OSINT) tool will extract openly available information for the given tenant. The tool is using APIs mentioned in my previous blog post and in MS Graph API documentation. Domain details is returned only for the 20 first domains. For complete recon information, please use AADInternals PowerShell module. Note: CBA status is valid ONLY if email of an existing user is given. Using tenant id, domain name, or email of non-existing user may show false negatives ..read more

In 13 September 2022, Secureworks published a Threat Analysis: Azure Active Directory Pass-Through Authentication Flaws. The vulnerabilities discovered by our team allows threat actors to gain persistent and undetected access to the target Azure AD tenant. In this blog post, I’ll show how the attack can be conducted using AADInternals and standalone Windows server ..read more

Group Managed Service Accounts (gMSA’s) can be used to run Windows services over multiple servers within the Windows domain. Since the launch of Windows Server 2012 R2, gMSA has been the recommended service account option for AD FS. As abusing AD FS is one of my favourite hobbies, I wanted to learn how gMSAs work ..read more

In August 2022, I’ll have several presentations regarding Azure AD security, open-source tools, and bug bounties. I’ll be presenting at TECHMENTOR, Black Hat Arsenal, DEF CON demo labs, and Cloud Village. If you like to have a chat on anything Azure AD related, want to say hi or get AADInternals sticker, check my schedule ..read more

In my previous blog posts I’ve covered details on PRTs, BPRTs, device compliance, and Azure AD device join. In this blog, I’ll show how to steal identities of existing Azure AD joined devices, and how to fake identies of non-AAD joined Windows devices with AADInternals v0.6.6 ..read more