AADInternals and AADInternals-Endpoints are PowerShell modules containing tools for administering and hacking Entra ID (formerly Azure AD), Office 365, and Entra ID-related endpoints. AADInternals is listed in MITRE ATT&CK as software S0677.
- AADInternals (Official Documentation)
## Installation

ForceNTHash.dll is flagged by CrowdStrike when AADInternals is imported in Visual Studio Code.

```powershell
Install-Module -Name "AADInternals"
Install-Module -Name "AADInternals-Endpoints"
```
## Usage

```powershell
# Relaxes script execution for the current user only, not machine-wide
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Import-Module -Name "AADInternals"
#Import-Module -Name "AADInternals-Endpoints"
```
## Help

```powershell
Get-Help <function name>
Get-Help Get-AADIntAccessToken
Get-Help Get-AADIntAccessToken -Detailed
Get-Help Get-AADIntAccessToken -Examples
```
## Client IDs

Client IDs are the application IDs of the client apps that tokens are requested for.

| Client App | Client ID | Resource |
|---|---|---|
| MS Graph API | 1b730954-1685-4b74-9bfd-dac224a7b894 | graph_api |
| MS Exchange Remote PowerShell | a0c73c16-a7e3-4564-9a95-2bdf47383716 | exo |
| Exchange Online | 00000002-0000-0ff1-ce00-000000000000 | o365exo |
| SharePoint Online | 00000003-0000-0ff1-ce00-000000000000 | o365spo |
| MS Teams | 1fec8e78-bce4-4aaf-ab1b-5451cc387264 | teams |
| Microsoft Support and Recovery Assistant (SARA) | d3590ed6-52b3-4102-aeff-aad2292ab01c | sara |
| OneDrive Sync Engine | ab9b8c07-8f02-4f72-87fa-80105867a763 | onedrive |
| Windows Configuration Designer (WCD) | de0853a1-ab20-47bd-990b-71ad5077ac7b | |
| Skype for Business Online | 00000004-0000-0ff1-ce00-000000000000 | |
| Microsoft Intune | 0000000a-0000-0000-c000-000000000000 | |
| MS Graph API for "Microsoft Office" | d3590ed6-52b3-4102-aeff-aad2292ab01c | https://graph.microsoft.com |
| My Signins | 19db86c3-b2b9-44cc-b339-36da233a3be2 | |
| Microsoft Azure PowerShell | 1950a258-227b-4e31-a9cf-717495945fc2 | |
| Microsoft Azure CLI | 04b07795-8ddb-461a-bbee-02f9e1bf7b46 | |
| Azure Portal | c44b4083-3bb0-49c1-b47d-974e53cbdf3c | |
## Get the access token to MS Graph using the ESTSAUTH cookie

```powershell
$ESTSAUTH = "my cookie value here"
# Decrypt the ESTSAUTH cookie
Unprotect-AADIntEstsAuthPersistentCookie -Cookie $ESTSAUTH
```

For MS Graph APIs (e.g. https://graph.microsoft.com/v1.0/me/messages), use `-Resource "https://graph.microsoft.com"`. The example below requests a token for the legacy Azure AD Graph resource (https://graph.windows.net) instead.

```powershell
# JWT tokens: the access token is at index 0, the refresh token at index 1
$Tokens = Get-AADIntAccessToken -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://graph.windows.net" -ESTSAUTH $ESTSAUTH -IncludeRefreshToken:$true
Write-Output "=== AccessToken ==="
$Tokens[0]
Write-Output "=== RefreshToken ==="
$Tokens[1]
```
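As an added example (not part of AADInternals or of the original page), the following PowerShell decodes the header and payload of an access token such as `$Tokens[0]` and maps its `appid` claim back to the client table above, which is how an incident responder tells which client application a recovered token was issued to and whether it has expired. It relies only on built-in .NET; the function names and the inline sample token are constructed for the example.

```powershell
# Client IDs from the table above, keyed by application ID.
$KnownClients = @{
    '1b730954-1685-4b74-9bfd-dac224a7b894' = 'MS Graph API'
    'a0c73c16-a7e3-4564-9a95-2bdf47383716' = 'MS Exchange Remote PowerShell'
    'd3590ed6-52b3-4102-aeff-aad2292ab01c' = 'Microsoft Office / SARA'
    '1950a258-227b-4e31-a9cf-717495945fc2' = 'Microsoft Azure PowerShell'
    '04b07795-8ddb-461a-bbee-02f9e1bf7b46' = 'Microsoft Azure CLI'
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtClaimSummary {
    # Decodes header and payload only; the signature is NOT verified here, so every
    # claim is an untrusted assertion until validated against the tenant's signing keys.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 parts, got $($parts.Count)" }
    $header = ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $client = if ($claims.appid -and $KnownClients.ContainsKey($claims.appid)) { $KnownClients[$claims.appid] } else { 'unknown client' }
    [pscustomobject]@{
        Algorithm = $header.alg
        ClientId  = $claims.appid
        Client    = $client
        Audience  = $claims.aud
        Tenant    = $claims.tid
        User      = $claims.upn
        ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
        Expired   = ([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() -ge [int64]$claims.exp)
    }
}

# Constructed, unsigned sample token with placeholder tenant and user; the third part is a dummy signature.
$sampleHeader  = '{"typ":"JWT","alg":"none"}'
$samplePayload = '{"aud":"https://graph.windows.net","tid":"00000000-0000-0000-0000-000000000000","appid":"d3590ed6-52b3-4102-aeff-aad2292ab01c","upn":"user@example.onmicrosoft.com","exp":1700000000}'
$sampleToken   = (ConvertTo-Base64Url $sampleHeader) + '.' + (ConvertTo-Base64Url $samplePayload) + '.dummysig'

Get-JwtClaimSummary -Token $sampleToken | Format-List
```

Replace `$sampleToken` with `$Tokens[0]` to inspect a real token; the `Client` field falls back to `unknown client` for application IDs not in the table.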
## Get MFA information

```powershell
$Tokens = Get-AADIntAccessToken -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c" -Resource "https://graph.windows.net" -ESTSAUTH $ESTSAUTH -IncludeRefreshToken:$true
Get-AADIntUserMFA -AccessToken $Tokens[0]
```
## Set MFA

See Deep-dive to Azure AD MFA: Creating a custom authenticator app (AADInternals).

Use the AADInternals Authenticator app. The full source code of the app is available on GitHub and the Android app can be installed from:

AADInternalsAuthenticator-0.4.0-release.apk

```powershell
# $DeviceToken is the device token obtained from the AADInternals Authenticator app (see the deep-dive above)
Set-AADIntUserMFAApps -AccessToken $Tokens[0] -Id "454b8d53-d97e-4ead-a69c-724166394334" -DeviceToken $DeviceToken
```