{"description": "Enterprise techniques used by AADInternals, ATT&CK software S0677 (v1.2)", "name": "AADInternals (S0677)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.004", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can enumerate Azure AD users.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.005", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can register a device to Azure AD.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1651", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can execute commands on Azure virtual machines using the VM agent.(Citation: AADInternals Root Access to Azure VMs)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1526", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can enumerate information about a variety of cloud services, such as Office 365 and Sharepoint instances or OpenID Configurations.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) is written and executed via PowerShell.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.003", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can create new Azure AD users.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1530", "comment": "AADInternals can collect files from a user\u2019s OneDrive.(Citation: AADInternals)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.002", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. [AADInternals](https://attack.mitre.org/software/S0677) can also modify DesktopSSO information.(Citation: AADInternals Documentation)(Citation: Azure AD Federation Vulnerability)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can directly download cloud user data such as OneDrive files.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1606", "showSubtechniques": true}, {"techniqueID": "T1606.002", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can be used to create SAML tokens using the AD Federated Services token signing certificate.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1589", "showSubtechniques": true}, {"techniqueID": "T1589.002", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can check for the existence of user email addresses using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1590", "showSubtechniques": true}, {"techniqueID": "T1590.001", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can gather information about a tenant\u2019s domains using public Microsoft APIs.(Citation: AADInternals Documentation)(Citation: Azure AD Recon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.006", "comment": "The [AADInternals](https://attack.mitre.org/software/S0677) `Set-AADIntUserMFA` command can be used to disable MFA for a specified user.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.007", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can inject a malicious DLL (`PTASpy`) into the `AzureADConnectAuthenticationAgentService` to backdoor Azure AD Pass-Through Authentication.(Citation: AADInternals Azure AD On-Prem to Cloud)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can modify registry keys as part of setting a new pass-through authentication agent.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.004", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can dump secrets from the Local Security Authority.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.003", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can enumerate Azure AD groups.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can send \"consent phishing\" emails containing malicious links designed to steal users\u2019 access tokens.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can send phishing emails containing malicious links designed to collect users\u2019 credentials.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1528", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can steal users\u2019 access tokens via phishing emails containing malicious links.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1649", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can create and export various authentication certificates, including those associated with Azure AD joined/registered devices.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1558", "showSubtechniques": true}, {"techniqueID": "T1558.002", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[AADInternals](https://attack.mitre.org/software/S0677) can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers.(Citation: AADInternals Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by AADInternals", "color": "#66b1ff"}]}