Tool: AADInternals

Description

[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)

External References

• mitre-attack
• AADInternals
• AADInternals Documentation
• AADInternals Github

Techniques Used by This Tool

• T1003.004 — LSA Secrets
• T1048 — Exfiltration Over Alternative Protocol
• T1059.001 — PowerShell
• T1069.003 — Cloud Groups
• T1087.004 — Cloud Account
• T1098.005 — Device Registration
• T1112 — Modify Registry
• T1136.003 — Cloud Account
• T1484.002 — Trust Modification
• T1526 — Cloud Service Discovery
• T1528 — Steal Application Access Token
• T1530 — Data from Cloud Storage
• T1552.001 — Credentials In Files
• T1552.004 — Private Keys
• T1556.006 — Multi-Factor Authentication
• T1556.007 — Hybrid Identity
• T1558.002 — Silver Ticket
• T1566.002 — Spearphishing Link
• T1589.002 — Email Addresses
• T1590.001 — Domain Properties
• T1598.003 — Spearphishing Link
• T1606.002 — SAML Tokens
• T1649 — Steal or Forge Authentication Certificates
• T1651 — Cloud Administration Command

APT Groups Using This Tool

• APT29