Track Common Adversary Tasks Performed Using AADInternals

To know more about it, you can go through my detailed document by clicking here

Overview

Azure AD, which is heavily used by Microsoft Office 365 and around 2900 other third-party applications, is usually thought of as secure, but it has significant identity, authentication and other security issues that should not be ignored. AADInternals is one tool that exposes them: a PowerShell-based framework for managing, enumerating and manipulating Azure AD, freely available on GitHub.

As its name implies, it works with both on-premises and cloud components of the directory, and its features can lead to security problems such as the creation of backdoor users, password theft and encryption key theft.

Misuses of AADInternals

If not handled appropriately, AADInternals can be quickly exploited by bad actors. For example, if identity data is synchronised between on-premises AD and Azure AD, the tooling involved may enable an attacker to target and steal sensitive data from the victim's Azure AD tenancy, which then allows them to carry out the following actions:
  1. Dumping encryption keys.
  2. Exfiltration of the Azure AD connector account password.
  3. Creating a backdoor to Azure AD.
  4. Updating Azure AD Connect credentials for Azure AD.
  5. Creating users that exist only in Azure AD.

Detections

  • Log Inspection: monitors all PowerShell activity events on the host.

  • Activity Monitoring: this module can detect process, file, AMSI and network activity on endpoints running Workload Security.

  • Trend Micro Vision One: as the name suggests, it collects all detections from Workload Security and correlates them to offer comprehensive visibility across all data in one console.
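The first detection above relies on PowerShell activity logging. The script below is an added example (not code from this post or from Trend Micro) that shows what such log inspection can look like in practice: it scans constructed sample records shaped like Windows PowerShell script block logging events (Event ID 4104) for AADInternals usage, using the module's real `AADInt` cmdlet prefix and `Import-Module AADInternals`. The mapping of individual cmdlets to the misuse categories listed earlier (sync credential dumping, backdoor creation) is an assumption made for this example, and the sample events are synthetic.

```python
import re

# Constructed sample events in the shape of PowerShell script block logging
# records (Event ID 4104). These are synthetic, not real captures.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "SYNC01", "User": "CORP\\svc_adsync",
     "ScriptBlockText": "Import-Module AADInternals\nGet-AADIntSyncCredentials"},
    {"EventID": 4104, "Computer": "WS07", "User": "CORP\\alice",
     "ScriptBlockText": "Get-ChildItem C:\\Temp | Where-Object Length -gt 1MB"},
    # Not a script block event: the scanner must ignore it.
    {"EventID": 4103, "Computer": "WS07", "User": "CORP\\alice",
     "ScriptBlockText": "Get-AADIntUsers"},
    {"EventID": 4104, "Computer": "WS12", "User": "CORP\\bob",
     "ScriptBlockText": "New-AADIntBackdoor -DomainName example.invalid"},
]

# Any cmdlet carrying the AADInternals noun prefix, e.g. Get-AADIntUsers.
AADINT_CMDLET = re.compile(r"\b[A-Za-z]+-AADInt[A-Za-z]+\b", re.IGNORECASE)

# Assumed mapping from specific cmdlets to the misuse categories named in the
# post; extend it as the environment requires.
CATEGORY_RULES = [
    ("module import", re.compile(r"Import-Module\s+AADInternals\b", re.IGNORECASE)),
    ("sync credential access", re.compile(r"Get-AADIntSyncCredentials\b", re.IGNORECASE)),
    ("backdoor creation", re.compile(r"New-AADIntBackdoor\b", re.IGNORECASE)),
]


def extract_aadint_cmdlets(script_text):
    """Return the distinct AADInternals cmdlets in a script block.

    PowerShell names are case-insensitive, so duplicates that differ only in
    case are collapsed; the first spelling seen is kept.
    """
    seen = {}
    for match in AADINT_CMDLET.finditer(script_text):
        seen.setdefault(match.group(0).lower(), match.group(0))
    return sorted(seen.values())


def classify(script_text):
    """Return the misuse categories whose rule matches the script block."""
    return [name for name, rule in CATEGORY_RULES if rule.search(script_text)]


def scan_events(events):
    """Flag Event ID 4104 records that show AADInternals usage.

    Severity is "high" when a categorized cmdlet is present and "medium" when
    only the generic AADInt prefix was seen.
    """
    findings = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        text = event.get("ScriptBlockText", "")
        cmdlets = extract_aadint_cmdlets(text)
        categories = classify(text)
        if not cmdlets and not categories:
            continue
        findings.append({
            "computer": event.get("Computer"),
            "user": event.get("User"),
            "cmdlets": cmdlets,
            "categories": categories,
            "severity": "high" if categories else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Script block logging must be enabled on the host for 4104 events to exist at all, and this matcher is deliberately simple: it catches plain invocations, which is what the post's log inspection targets, but an obfuscated or renamed module import would need the AMSI-based activity monitoring from the second bullet.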