Intune Scripts Deprecation + Consent Grant Warning
parent
dbb30ac5cf
commit
302d0a37f7
|
@ -4,6 +4,9 @@
|
||||||
|
|
||||||
> The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to.
|
> The attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting consent to the application so that the attacker can gain access to the data that the target user has access to.
|
||||||
|
|
||||||
|
:warning: All Office 365 users will be protected from app-based attacks now that publisher verification is generally available as they "will no longer be able to consent to new multi-tenant apps registered after November 8th, 2020 coming from unverified publishers".
|
||||||
|
|
||||||
|
|
||||||
Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole`
|
Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMSAuthorizationPolicy).PermissionGrantPolicyIdsAssignedToDefaultUserRole`
|
||||||
|
|
||||||
* **Disable user consent** : Users cannot grant permissions to applications.
|
* **Disable user consent** : Users cannot grant permissions to applications.
|
||||||
|
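Review bot: The new warning overstates what publisher verification delivers. "All Office 365 users will be protected from app-based attacks" does not follow from the quoted policy, which only stops users consenting to new multi-tenant apps from unverified publishers registered after November 8th, 2020; single-tenant apps, apps registered earlier, apps from verified publishers, and tenants whose admins changed the default consent policy are all outside it. Scope the sentence to the quoted change, e.g. "Users can no longer consent to new multi-tenant apps from unverified publishers registered after November 8th, 2020", and let the check on the next line (`PermissionGrantPolicyIdsAssignedToDefaultUserRole`) stay the authoritative test of what a given tenant allows. While here, the cmdlet in that check line is missing its hyphen: it is `Get-AzureADMSAuthorizationPolicy`.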
@ -30,6 +33,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
||||||
6. Search and select the below mentioned permissions and click on Add permission
|
6. Search and select the below mentioned permissions and click on Add permission
|
||||||
* Contacts.Read
|
* Contacts.Read
|
||||||
* Mail.Read / Mail.ReadWrite
|
* Mail.Read / Mail.ReadWrite
|
||||||
|
* Mail.ReadBasic
|
||||||
* Mail.Send
|
* Mail.Send
|
||||||
* Notes.Read.All
|
* Notes.Read.All
|
||||||
* Mailboxsettings.ReadWrite
|
* Mailboxsettings.ReadWrite
|
||||||
|
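Review bot: `Mail.ReadBasic` is a strict subset of `Mail.Read`, which is already on the list one bullet above, so adding it as its own bullet between `* Mail.Read / Mail.ReadWrite` and `* Mail.Send` reads as redundant. If the intent is to document it as the smaller scope, say so in the bullet (e.g. "`Mail.ReadBasic` (subset of `Mail.Read`)"); otherwise drop it. In the context line below, the scope is spelled `MailboxSettings.ReadWrite` in Microsoft Graph, not `Mailboxsettings.ReadWrite`.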
@ -37,6 +41,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
||||||
* User.ReadBasic.All
|
* User.ReadBasic.All
|
||||||
* User.Read
|
* User.Read
|
||||||
|
|
||||||
|
|
||||||
### Setup 365-Stealer (Deprecated)
|
### Setup 365-Stealer (Deprecated)
|
||||||
|
|
||||||
:warning: Default port for 365-Stealer phishing is 443
|
:warning: Default port for 365-Stealer phishing is 443
|
||||||
|
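Review bot: The header `@@ -37,6 +41,7 @@` announces one added line, but nothing beyond blank lines appears between `* User.Read` and `### Setup 365-Stealer (Deprecated)` in this rendering, so the addition itself cannot be reviewed; please confirm it is only the blank line separating the permission list from the heading. On the heading, "(Deprecated)" should say what supersedes the tool, otherwise readers cannot tell whether to skip the section.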
@ -66,6 +71,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
||||||
- `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
|
- `--refresh-token XXX --client-id YYY --client-secret ZZZ`: use a refresh token
|
||||||
- Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
|
- Find the Phishing URL: go to `https://<IP/Domain>:<Port>` and click on **Read More** button or in the console.
|
||||||
|
|
||||||
|
|
||||||
### Vajra
|
### Vajra
|
||||||
|
|
||||||
> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
|
> Vajra is a UI-based tool with multiple techniques for attacking and enumerating in the target's Azure environment. It features an intuitive web-based user interface built with the Python Flask module for a better user experience. The primary focus of this tool is to have different attacking techniques all at one place with web UI interfaces. - https://github.com/TROUBLE-1/Vajra
|
||||||
|
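Review bot: As in the previous hunk, the single line added by `@@ -66,6 +71,7 @@` does not render (only blank lines between the **Read More** bullet and `### Vajra`), so only the context is reviewable. In that context, "click on **Read More** button or in the console" is ungrammatical and ambiguous about where the URL appears; "click the **Read More** button, or read the URL from the console" says it plainly.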
@ -74,7 +80,7 @@ Check if users are allowed to consent to apps: `PS AzureADPreview> (GetAzureADMS
|
||||||
|
|
||||||
### Roadtx
|
### Roadtx
|
||||||
|
|
||||||
* Use the authorization code flow in roadtx to get token
|
* Use the authorization code flow in `roadtx` to get token
|
||||||
```ps1
|
```ps1
|
||||||
roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<phish-app>/redir' -p <app-secret>
|
roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<phish-app>/redir' -p <app-secret>
|
||||||
```
|
```
|
||||||
|
|
|
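Review bot: Putting `roadtx` in backticks is fine, but the fence below is tagged `ps1` while `roadtx` (ROADtools) is a Python CLI run from a shell, so tag the fence `bash` or `sh` for correct highlighting. The authorization code placeholder `<0.A....>` is also the only placeholder on that line written as a sample value; `<auth-code>` would match `<app-id>`, `<tenant-id>` and `<app-secret>`.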
@ -3,10 +3,12 @@
|
||||||
## Pentest Requirements
|
## Pentest Requirements
|
||||||
|
|
||||||
Users and roles:
|
Users and roles:
|
||||||
|
|
||||||
* **Global Reader** and **Security Reader** roles in Azure AD
|
* **Global Reader** and **Security Reader** roles in Azure AD
|
||||||
* **Reader** permission over the subscription
|
* **Reader** permission over the subscription
|
||||||
|
|
||||||
Subscriptions:
|
Subscriptions:
|
||||||
|
|
||||||
* [Azure Dev/Test](https://azure.microsoft.com/en-us/pricing/offers/dev-test) subscription.
|
* [Azure Dev/Test](https://azure.microsoft.com/en-us/pricing/offers/dev-test) subscription.
|
||||||
* Visual Studio subscription determines the monthly Azure credits you receive
|
* Visual Studio subscription determines the monthly Azure credits you receive
|
||||||
* Visual Studio Enterprise: $150/month
|
* Visual Studio Enterprise: $150/month
|
||||||
|
|
|
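Review bot: `@@ -3,10 +3,12 @@` adds two lines, but neither survives in this rendering (only blank lines after `* Visual Studio Enterprise: $150/month`), so the addition cannot be reviewed. In the visible block, `Visual Studio Enterprise: $150/month` is an instance of the preceding bullet (`Visual Studio subscription determines the monthly Azure credits you receive`) and should be indented under it. The roles bullet lists read-only roles (Global Reader, Security Reader, subscription Reader); saying so explicitly tells the reader why no write role is required.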
@ -28,9 +28,12 @@ Microsoft Intune is a cloud-based service that provides mobile device management
|
||||||
**Requirements**:
|
**Requirements**:
|
||||||
|
|
||||||
* App with permission: `DeviceManagementConfiguration.Read.All`
|
* App with permission: `DeviceManagementConfiguration.Read.All`
|
||||||
|
* `Microsoft.Graph.Intune` dependency installed: `Install-Module Microsoft.Graph.Intune`
|
||||||
|
|
||||||
**Extract Intune scripts**:
|
**Extract Intune scripts**:
|
||||||
|
|
||||||
|
The following scripts are deprecated, use `MgGraph` instead of `MsGraph`, and change the appropriate function `InvokeMgGraph` too.
|
||||||
|
|
||||||
* [okieselbach/Get-DeviceManagementScripts.ps1](https://raw.githubusercontent.com/okieselbach/Intune/master/Get-DeviceManagementScripts.ps1) - Get all or individual Intune PowerShell scripts and save them in specified folder.
|
* [okieselbach/Get-DeviceManagementScripts.ps1](https://raw.githubusercontent.com/okieselbach/Intune/master/Get-DeviceManagementScripts.ps1) - Get all or individual Intune PowerShell scripts and save them in specified folder.
|
||||||
```ps1
|
```ps1
|
||||||
Get-DeviceManagementScripts -FolderPath C:\temp -FileName myScript.ps1
|
Get-DeviceManagementScripts -FolderPath C:\temp -FileName myScript.ps1
|
||||||
|
|
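Review bot: The hunk contradicts itself: `* \`Microsoft.Graph.Intune\` dependency installed: \`Install-Module Microsoft.Graph.Intune\`` is added under **Requirements**, and a few lines later the scripts that rely on that module are declared deprecated in favour of `MgGraph`. Either mark the Intune module as needed only for the legacy scripts, or list the replacement (`Install-Module Microsoft.Graph`) as the requirement. The deprecation sentence is also imprecise: "use `MgGraph` instead of `MsGraph`, and change the appropriate function `InvokeMgGraph` too" should name the cmdlets, i.e. replace `Connect-MSGraph` with `Connect-MgGraph` and `Invoke-MSGraphRequest` with `Invoke-MgGraphRequest`, so a reader can apply the change to `Get-DeviceManagementScripts.ps1` without guessing.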