Tool - AADInternal
Azure AD and Microsoft 365 Kill Chain
https://aadinternals.com/aadkillchain/
Image from AADinternals
# Install the module
Install-Module -Name "AADInternals"
# Import the module
Import-Module -Name "AADInternals"
Markdown Table
| User Level | Recon Commands | Compromise Commands | Persistence Commands | Actions on Intent Commands |
|---|---|---|---|---|
| Add Cache | Get-AADIntAccessTokenForAADGraph -SaveToCache |
|||
| Outsider | Get-AADIntTenantDomains,Get-AADIntOpenIDConfiguration, Get-AADIntLoginInformation, Invoke-AADIntReconAsOutsider,Invoke-AADIntUserEnumerationAsOutsider |
Invoke-AADIntPhishing |
||
| Guest | Get-AADIntAzureTenants,Get-AADIntAzureInformation,Get-AADIntSPOSiteUsers,Invoke-AADIntReconAsGuest,Invoke-AADIntUserEnumerationAsGuest |
New-AADIntBulkPRTToken,Join-AADIntDeviceToAzureAD, Join-AADIntDeviceToIntune |
||
| User | Get-AADIntTenantDetails,Get-AADIntGlobalAdmins,Get-AADIntSyncConfiguration,Get-AADIntCompanyInformation, Invoke-AADIntReconAsInsider, Invoke-AADIntUserEnumerationAsInsider |
New-AADIntSAMLToken, New-AADIntKerberosTicket,Open-AADIntOffice365Portal |
||
| Admin | Get-AADIntAzureSubscriptions |
Grant-AADIntAzureUserAccessAdminRole, Set-AADIntAzureRoleAssignment, Invoke-AADIntAzureVMScript, Register-AADIntPTAAgent, Set-UserMFA,Set-UserMFAApps |
ConvertTo-AADIntBackdoor,Set-AADIntPassThroughAuthentication |
New-AADIntSAMLToken, New-AADIntKerberosTicket, Open-AADIntOffice365Portal |
| On-prem Admin | Export-AADIntADFSSigningCertificate, Get-AADIntSyncCredentials, Set-AADIntUserPassword, Install-AADIntPTASpy |
New-AADIntSAMLToken, New-AADIntKerberosTicket, Open-AADIntOffice365Portal |
Mermaid
Here are the full diagrams including all commands per user level:
1. Outsider
graph TD
Recon --> Compromise --> Persistence --> ActionsOnIntent
Recon["Recon:
- Get-AADIntTenantDomains
- Get-AADIntOpenIDConfiguration
- Get-AADIntLoginInformation
- Invoke-AADIntReconAsOutsider
- Invoke-AADIntUserEnumerationAsOutsider"]
Compromise["Compromise:
- Invoke-AADIntPhishing"]
Persistence["Persistence: None"]
ActionsOnIntent["Actions on Intent: None"]2. Guest
graph TD
Recon --> Compromise --> Persistence --> ActionsOnIntent
Recon["Recon:
- Get-AADIntAzureTenants
- Get-AADIntAzureInformation
- Get-AADIntSPOServiceInformation
- Get-AADIntSPOServiceInformation
- Invoke-AADIntReconAsGuest
- Invoke-AADIntUserEnumerationAsGuest"]
Compromise["Compromise: None"]
Persistence["Persistence: None"]
ActionsOnIntent["Actions on Intent:
- New-AADIntBulkPRTToken
- Join-AADIntDeviceToAzureAD
- Join-AADIntDeviceToIntune"]3. User
graph TD
Recon --> Compromise --> Persistence --> ActionsOnIntent
Recon["Recon:
- Get-AADIntTenantDetails
- Get-AADIntGlobalAdmins
- Get-AADIntSyncConfiguration
- Get-AADIntCompanyInformation
- Get-AADIntSPOServiceInformation
- Invoke-AADIntReconAsInsider
- Invoke-AADIntUserEnumerationAsInsider"]
Compromise["Compromise: None"]
Persistence["Persistence: None"]
ActionsOnIntent["Actions on Intent:
- New-AADIntBulkPRTToken
- New-AADIntSAMLToken
- Join-AADIntDeviceToAzureAD
- New-AADIntKerberosTicket"]4. Admin
graph TD
Recon --> Compromise --> Persistence --> ActionsOnIntent
Recon["Recon:
- Get-AADIntAzureSubscriptions"]
Compromise["Compromise:
- Grant-AADIntAzureUserAccessAdminRole
- Set-AADIntAzureRoleAssignment
- Invoke-AADIntAzureVMScript
- Register-AADIntPTAAgent
- Set-UserMFA
- Set-UserMFAApps"]
Persistence["Persistence:
- ConvertTo-AADIntBackdoor
- Set-AADIntPassThroughAuthentication"]
ActionsOnIntent["Actions on Intent:
- New-AADIntSAMLToken
- New-AADIntKerberosTicket
- Open-AADIntOffice365Portal"]5. On-prem Admin
graph TD
Recon --> Compromise --> Persistence --> ActionsOnIntent
Recon["Recon:
- Export-AADIntADFSSigningCertificate
- Get-AADIntSyncCredentials"]
Compromise["Compromise:
- Set-AADIntUserPassword
- Install-AADIntPTASpy"]
Persistence["Persistence: None"]
ActionsOnIntent["Actions on Intent:
- New-AADIntSAMLToken
- New-AADIntKerberosTicket
- Open-AADIntOffice365Portal"]