Enumerate Azure AD with AzureHound from Userland

This page describes how to enumerate Azure AD with AzureHound, starting from a non-privileged user session on a Windows machine.

Introduction
In a previous article, we discussed how to acquire a Primary Refresh Token (PRT) cookie from a compromised normal user's session on a Windows machine. This Single Sign-On token allows an attacker to impersonate the victim user in Azure AD and opens up a variety of attack possibilities. In this article, we will discuss how to use the acquired PRT to enumerate Azure AD with AzureHound. AzureHound is the official ingestor for the famous BloodHound Active Directory Enumeration tool.
Requesting a PRT
Follow the "Requesting PRTs" step from the previous article to acquire a new Primary Refresh Token from the victim's session. This approach relies on Dirk-jan Mollema's ROADTools and worwot563's aad_prt_bof.
Requesting Tokens for the MS Graph API
According to the documentation, AzureHound can enumerate Azure AD via the Microsoft Graph API. This means that we need to use the acquired PRT to request tokens for this API first. We will impersonate the Azure PowerShell app (1950a258-227b-4e31-a9cf-717495945fc2) in the process to obtain the necessary permissions for the MS Graph API. Luckily, ROADTools makes this very easy:
roadrecon auth --prt-cookie <primary refresh token value> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
Command to request a new access and refresh token for the MS Graph API
The previous command wrote tokens to the .roadtools_auth file. The refresh token can be read and copied from this file. This leaves us with a valid refresh token for the MS Graph API, impersonating the Azure PowerShell app as the Pepper Mintstix user in this Azure tenant.
cat .roadtools_auth
Copying the refresh token for MS Graph.
AzureHound Enumeration
Finally, we can start the enumeration process of the targeted Azure tenant with the acquired refresh token. We can output the results to output.json in the process.
./azurehound --refresh-token <copied MS Graph refresh token> list --tenant "<target tenant id>" -o output.json
Successful enumeration of the targeted tenant with the acquired MS Graph refresh token
All that is left now, is to import the output.json in BloodHound via the usual "upload data" button and start graphing!
Browsing the imported AzureHound data
Conclusion
In this article, we explored how to enumerate Azure AD via AzureHound, starting from a Primary Refresh Token request from a normal compromised user session.
References
​https://github.com/BloodHoundAD/AzureHound​
​https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/​
​https://github.com/dirkjanm/ROADtools​
​https://github.com/dirkjanm/ROADtoken​
​https://github.com/leechristensen/RequestAADRefreshToken​
​https://github.com/trustedsec/CS-Situational-Awareness-BOF​
​https://github.com/wotwot563/aad_prt_bof​

PRT Abuse from Userland with Cobalt Strike

Next - Red Team Operations

AWS

Last modified 4mo ago