# Enumerate Azure AD with AzureHound from Userland

## Introduction

In a [previous article](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike), we discussed how to acquire a Primary Refresh Token (PRT) cookie from a compromised normal user's session on a Windows machine. This Single Sign-On token allows an attacker to impersonate the victim user in Azure AD and opens up a variety of attack possibilities. In this article, we will discuss how to use the acquired PRT to enumerate Azure AD with [AzureHound](https://github.com/BloodHoundAD/AzureHound). AzureHound is the official ingestor for the well-known [BloodHound](https://github.com/BloodHoundAD/BloodHound) Active Directory enumeration tool.

## Requesting a PRT

Follow the "Requesting PRTs" step from the [previous article](https://red.0xbad53c.com/red-team-operations/azure-and-o365/prt-abuse-from-userland-with-cobalt-strike) to acquire a new Primary Refresh Token from the victim's session. This approach relies on [Dirk-jan Mollema](https://twitter.com/_dirkjan)'s [ROADTools](https://github.com/dirkjanm/ROADtools) and wotwot563's [aad_prt_bof](https://github.com/wotwot563/aad_prt_bof).

## Requesting Tokens for the MS Graph API

According to the [documentation](https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html), AzureHound can enumerate Azure AD via the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/use-the-api). This means that we need to use the acquired PRT to request tokens for this API first. We will impersonate the Azure PowerShell app ([1950a258-227b-4e31-a9cf-717495945fc2](https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications)) in the process to obtain the necessary permissions for the MS Graph API. Luckily, ROADTools makes this very easy:

```
roadrecon auth --prt-cookie <primary refresh token value> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
```

![Command to request a new access and refresh token for the MS Graph API](https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FG25gPwM7bY55PlAKbuqu%2FScreenshot%202023-01-14%20at%2016.56.27.png?alt=media&token=fb6fcef0-d501-4515-85dc-1922653f53c1)

The previous command wrote the tokens to the `.roadtools_auth` file, from which the refresh token can be read and copied. This leaves us with a valid refresh token for the MS Graph API, issued to the Azure PowerShell app on behalf of the Pepper Mintstix user in this Azure tenant.

```
cat .roadtools_auth
```

![Copying the refresh token for MS Graph](https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FiauGwZVjVHYR1f8cogl5%2FScreenshot%202023-01-14%20at%2017.04.11.png?alt=media&token=ff878dc0-d01f-4e29-891c-e380f797546c)

## AzureHound Enumeration

Finally, we can start enumerating the targeted Azure tenant with the acquired refresh token and write the results to output.json.

```
./azurehound --refresh-token <copied MS Graph refresh token> list --tenant "<target tenant id>" -o output.json
```

![Successful enumeration of the targeted tenant with the acquired MS Graph refresh token](https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2F0RAwXTzDUcFMKkidhImj%2FScreenshot%202023-01-14%20at%2017.11.10.png?alt=media&token=da556e06-4548-4b6a-b48c-6a98deb38fdc)

All that is left now is to import output.json into BloodHound via the usual "upload data" button and start graphing!

![Browsing the imported AzureHound data](https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FjglgFoDdouc3pd9l1vHs%2FScreenshot%202023-01-14%20at%2017.15.03.png?alt=media&token=4a928def-4159-4322-af94-6f196e8bd861)
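A defensive counterpart to the token request and enumeration steps above, added here and not part of the original post: in the tenant's sign-in logs, the `roadrecon auth` step shows up as the Azure PowerShell application (1950a258-227b-4e31-a9cf-717495945fc2) obtaining a token for Microsoft Graph on behalf of the user. The script below flags such sign-ins for accounts that have no baseline reason to use Azure PowerShell and summarises them per user; the field names follow the Microsoft Graph signIn resource (an assumption), and the sample records and baseline set are constructed.

```python
from collections import defaultdict

# App ID used in the roadrecon command above (Azure PowerShell, first-party app).
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
# Well-known first-party application ID of the Microsoft Graph resource.
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"
# Users who legitimately run Azure PowerShell (assumed baseline, lowercase UPNs).
BASELINE_AZURE_POWERSHELL_USERS = {"cloudadmin@example.onmicrosoft.com"}

# Constructed sample sign-in records (field names as in the Graph signIn resource), not real logs.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-01-14T16:56:27Z", "userPrincipalName": "Pepper.Mintstix@example.onmicrosoft.com",
     "appId": AZURE_POWERSHELL_APP_ID, "resourceId": MS_GRAPH_RESOURCE_ID, "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2023-01-14T17:02:03Z", "userPrincipalName": "Pepper.Mintstix@example.onmicrosoft.com",
     "appId": "<constructed-other-app-id>", "resourceId": "<constructed-other-resource-id>", "ipAddress": "198.51.100.7"},
    {"createdDateTime": "2023-01-14T17:10:00Z", "userPrincipalName": "cloudadmin@example.onmicrosoft.com",
     "appId": AZURE_POWERSHELL_APP_ID, "resourceId": MS_GRAPH_RESOURCE_ID, "ipAddress": "192.0.2.44"},
]


def flag_suspicious_graph_signins(signins, baseline_users):
    """Return sign-ins where a user outside the baseline obtained a Microsoft Graph
    token through the Azure PowerShell app ID, the footprint the roadrecon step leaves."""
    flagged = []
    for s in signins:
        if s.get("appId") != AZURE_POWERSHELL_APP_ID or s.get("resourceId") != MS_GRAPH_RESOURCE_ID:
            continue
        if s.get("userPrincipalName", "").lower() in baseline_users:
            continue  # expected for admins who really use Azure PowerShell
        flagged.append(s)
    return flagged


def summarize_by_user(flagged):
    """Group flagged sign-ins per UPN: count plus source IPs, which is what an analyst
    needs to scope the follow-up (revoke refresh tokens, review the source addresses)."""
    summary = defaultdict(lambda: {"count": 0, "ips": set()})
    for s in flagged:
        entry = summary[s["userPrincipalName"].lower()]
        entry["count"] += 1
        entry["ips"].add(s.get("ipAddress"))
    return dict(summary)


if __name__ == "__main__":
    hits = flag_suspicious_graph_signins(SAMPLE_SIGNINS, BASELINE_AZURE_POWERSHELL_USERS)
    for upn, info in summarize_by_user(hits).items():
        print(f"ALERT {upn}: {info['count']} Graph token(s) via Azure PowerShell from {sorted(info['ips'])}")
```

Revoking the user's refresh tokens invalidates the copied MS Graph refresh token, but not the PRT on the compromised host, so the endpoint still needs to be contained.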

## Conclusion

In this article, we explored how to enumerate Azure AD via AzureHound, starting from a Primary Refresh Token request from a normal compromised user session.

## References

* <https://github.com/BloodHoundAD/AzureHound>
* <https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/>
* <https://github.com/dirkjanm/ROADtools>
* <https://github.com/dirkjanm/ROADtoken>
* <https://github.com/leechristensen/RequestAADRefreshToken>
* <https://github.com/trustedsec/CS-Situational-Awareness-BOF>
* <https://github.com/wotwot563/aad_prt_bof>
