AADInternals: The Ultimate Azure AD Hacking Toolkit

Presented at DEF CON 30 (2022), Aug. 12, 2022, 2 p.m. (115 minutes)

AADInternals is an open-source hacking toolkit for Azure AD and Microsoft 365, having over 14,000 downloads from the PowerShell gallery. It has over 230 different functions in 15 categories for various purposes. The most famous ones are related to Golden SAML attacks: you can export AD FS token signing certificates remotely, forge SAML tokens, and impersonate users w/ MFA bypass. These techniques have been used in multiple attacks during the last two years, including Solorigate and other NOBELIUM attacks. AADInternals also allows you to harvest credentials, export Azure AD Connect passwords and modify numerous Azure AD / Office 365 settings not otherwise possible. The latest update can extract certificates and impersonate Azure AD joined devices allowing bypassing device based conditional access rules. https://o365blog.com/aadinternals/ https://attack.mitre.org/software/S0677

Audience: Blue teamers, red teamers, administrators, wannabe-hackers, etc.

Presenters:

• Dr. Nestori Syynimaa   as Nestori Syynimaa
  Dr Nestori Syynimaa (@DrAzureAD) is one of the leading Azure AD / M365 security experts globally and the developer of the AADInternals toolkit. For over a decade, he has worked with Microsoft cloud services and was awarded Microsoft Most Valuable Security Researcher for 2021. Currently, Dr Syynimaa works as a Senior Principal Security Researcher for Secureworks Counter Threat Unit and hunts for vulnerabilities full time. He has spoken at many international scientific and professional conferences, including IEEE TrustCom, Black Hat Arsenal USA and Europe, RSA Conference, and TROOPERS.

Similar Presentations:

• DeepSec 2020 „The Masquerade“ / Abusing Azure Active Directory: Who Would You Like To Be Today?
• Black Hat USA 2022 / Backdooring and Hijacking Azure AD Accounts by Abusing External Identities
• Black Hat USA 2022 / AAD Joined Machines - The New Lateral Movement