Azure Dynamic Groups + Intune + Android Bootloader

docs/cloud/azure/azure-devices-users-sp.md

@@ -2,7 +2,7 @@
 
 > Root Management Group (Tenant) > Management Group > Subscription > Resource Group > Resource
 
-* Users
+* Users (User, Groups, Dynamic Groups)
 * Devices
 * Service Principals (Application and Managed Identities)
 
@@ -35,7 +35,10 @@
 
 ### Dynamic Group Membership
 
-Get groups that allow Dynamic membership: `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}`
+Get groups that allow Dynamic membership: 
+
+* Powershell Azure AD: `Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}`
+* RoadRecon database: `select objectId, displayName, description, membershipRule, membershipRuleProcessingState, isMembershipRuleLocked from groups where membershipRule is not null;`
 
 Rule example : `(user.otherMails -any (_ -contains "vendor")) -and (user.userType -eq "guest")`     
 Rule description: Any Guest user whose secondary email contains the string 'vendor' will be added to the group

docs/cloud/azure/azure-enumeration.md

@@ -38,11 +38,19 @@
     ```
 * [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
     ```powershell
-    PS C:> Import-Module .\Powerzure.psd1
+    Import-Module .\Powerzure.psd1
-    PS C:> Set-Subscription -Id [idgoeshere]
+    Set-Subscription -Id [idgoeshere]
-    PS C:> Get-AzureTarget
+    Get-AzureTarget
-    PS C:> Get-AzureInTuneScript
+    Get-AzureInTuneScript
-    PS C:> Show-AzureKeyVaultContent -All
+    Show-AzureKeyVaultContent -All
+    ```
+* [**silverhack/monkey365**](https://github.com/silverhack/monkey365) - Microsoft 365, Azure subscriptions and Microsoft Entra ID security configuration reviews.
+    ```powershell
+    Get-ChildItem -Recurse c:\monkey365 | Unblock-File
+    Import-Module C:\temp\monkey365
+    Get-Help Invoke-Monkey365
+    Get-Help Invoke-Monkey365 -Examples
+    Get-Help Invoke-Monkey365 -Detailed
     ```
 * [**Flangvik/TeamFiltration**](https://github.com/Flangvik/TeamFiltration) - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
     ```ps1

docs/cloud/azure/azure-services-microsoft-intune.md

@@ -1,7 +1,50 @@
 # Azure Services - Microsoft Intune
 
+Microsoft Intune is a cloud-based service that provides mobile device management (MDM) and mobile application management (MAM). It allows organizations to control and secure access to corporate data on mobile devices, including smartphones, tablets, and PCs. With Intune, businesses can enforce security policies, manage apps, and ensure that devices comply with organizational requirements, whether they are company-owned or personal (BYOD).
+
+
+## Intunes Administration
+
+**Requirements**:
+
+* **Global Administrator** or **Intune Administrator** Privilege 
+    ```powershell
+    Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"
+    ```
+
+**Walkthrough**
+
+1. Login into https://endpoint.microsoft.com/#home or use Pass-The-PRT
+2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune
+3. Go to **Scripts** and click on **Add** for Windows 10. 
+4. Add a **Powershell script**
+5. Specify **Add all users** and **Add all devices** in the **Assignments** page.
+
+:warning: It will take up to one hour before you script is executed !
+
+
+## Intune Scripts
+
+**Requirements**:
+
+* App with permission: `DeviceManagementConfiguration.Read.All`
+
+**Extract Intune scripts**:
+
+* [okieselbach/Get-DeviceManagementScripts.ps1](https://raw.githubusercontent.com/okieselbach/Intune/master/Get-DeviceManagementScripts.ps1) - Get all or individual Intune PowerShell scripts and save them in specified folder.
+    ```ps1
+    Get-DeviceManagementScripts -FolderPath C:\temp -FileName myScript.ps1
+    ```
+* [okieselbach/Get-DeviceHealthScripts.ps1](https://raw.githubusercontent.com/okieselbach/Intune/master/Get-DeviceHealthScripts.ps1) - Get all or individual Intune PowerShell Health scripts (aka Proactive Remediation scripts) and save them in specified folder.
+    ```ps1
+    Get-DeviceHealthScripts -FolderPath C:\temp\HealthScripts
+    ```
+
+
 ## LAPS
 
+Some organization have recreated LAPS for Azure devices using Intune scripts.
+
 ```ps1
 #requires -modules Microsoft.Graph.Authentication
 #requires -modules Microsoft.Graph.Intune
@@ -17,21 +60,9 @@ Get-IntuneManagedDevice -Filter "Platform eq 'Windows'" |
 ```
 
 
-## Intunes Administration
-
-Requirements:
-* **Global Administrator** or **Intune Administrator** Privilege : `Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"`
-
-1. Login into https://endpoint.microsoft.com/#home or use Pass-The-PRT
-2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune
-3. Go to **Scripts** and click on **Add** for Windows 10. 
-4. Add a **Powershell script**
-5. Specify **Add all users** and **Add all devices** in the **Assignments** page.
-
-:warning: It will take up to one hour before you script is executed !
-
-
 ## References
 
 * [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)
-* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
+* [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
+* [Get back your Intune Proactive Remediation Scripts - Oliver Kieselbach - September 7, 2022](https://oliverkieselbach.com/2022/09/07/get-back-your-intune-proactive-remediation-scripts/)
+* [Get back your Intune PowerShell Scripts - Oliver Kieselbach - February 6, 2020](https://oliverkieselbach.com/2020/02/06/get-back-your-intune-powershell-scripts/)

docs/methodology/android-applications.md

@@ -419,6 +419,31 @@ emulator -avd Pixel_8_API_34 -writable-system
 | `-port 5556`                 | Set the ADB TCP port number |
 
 
+## Unlock Bootloader
+
+**Requirements**:
+
+* Enable `Settings` > `Developer Options` > `OEM unlocking`
+* Enable `Settings` > `Developer Options` > `USB Debugging`
+
+Unlock the bootloader will wipe the userdata partition. On some device these methods will require a key to successfully unlock the bootloader.
+
+* Method 1
+    ```ps1
+    adb reboot bootloader
+    fastboot oem unlock
+    ```
+* Method 2
+    ```ps1
+    adb reboot bootloader
+    fastboot flashing unlock
+    ```
+* Methods based on the chip
+    * For Qualcomm devices, you can use EDL (Emergency Download Mode)
+    * For MediaTek devices, BROM (Boot ROM) mode
+    * For Unisoc devices, Research Download Mode.
+
+
 ## References
 
 * [Android App Reverse Engineering 101 - @maddiestone](https://www.ragingrock.com/AndroidAppRE/)
@@ -429,4 +454,5 @@ emulator -avd Pixel_8_API_34 -writable-system
 * [Configuring Burp Suite with Android Emulators - Aashish Tamang - Jun 6, 2022](https://blog.yarsalabs.com/setting-up-burp-for-android-application-testing/)
 * [Introduction to Android Pentesting - Jarrod - July 8, 2024](https://owlhacku.com/introduction-to-android-pentesting/)
 * [A beginners guide to using Frida to bypass root detection. - DianaOpanga - Nov 27, 2023](https://medium.com/@dianaopanga/a-beginners-guide-to-using-frida-to-bypass-root-detection-16af76b989ac)
-* [Appium documentation](https://appium.io/docs/en/latest/)
+* [Appium documentation](https://appium.io/docs/en/latest/)
+* [How to root an Android device for analysis and vulnerability assessment - Joe Lovett - 23 Aug 2024](https://www.pentestpartners.com/security-blog/how-to-root-an-android-device-for-analysis-and-vulnerability-assessment/)