AADInternals: The Ultimate Azure AD Hacking Toolkit - Nestori Syynimaa

AADInternals is an open-source hacking toolkit for Azure AD and Microsoft 365, with over 14,000 downloads from the PowerShell Gallery. It has over 230 different functions in 15 categories for various purposes. The most famous ones are related to Golden SAML attacks: you can export AD FS token signing certificates remotely, forge SAML tokens, and impersonate users with MFA bypass. These techniques have been used in multiple attacks during the last two years, including Solorigate and other NOBELIUM attacks. AADInternals also allows you to harvest credentials, export Azure AD Connect passwords, and modify numerous Azure AD / Office 365 settings that cannot otherwise be changed. The latest update can extract certificates and impersonate Azure AD joined devices, which allows bypassing device-based conditional access rules.

https://o365blog.com/aadinternals/
https://attack.mitre.org/software/S0677

Dr Nestori Syynimaa is a white hat hacker working as a Senior Principal Security Researcher at Secureworks CTU. He holds Microsoft MVP and MVR awards and has published and maintained AADInternals since 2018.