🔍 Detection Method
===================

🔍 OSINT

Executive summary: Public-facing identity services such as Entra ID
(Azure AD) are at risk from non-credential enumeration techniques that
combine OSINT with identity-focused tooling. References to
AADInternals and email-harvesting workflows indicate a threat model
where reconnaissance informs credential-based attempts rather than
zero-day exploitation.

Technical details:
• Tools and techniques mentioned include AADInternals for Entra
enumeration and common OSINT sources (LinkedIn, Hunter.io) for
collecting potential usernames and emails.
• Attacks described focus on credential-driven vectors: password
spraying and targeted authentication attempts that probe MFA and
Conditional Access responses.

Analysis:
• The core risk arises from visibility: externally discoverable
identities and role metadata let an attacker aim at specific accounts
without the noisy scanning that would otherwise give them away.
Entra/AD telemetry can be used to detect reconnaissance if logs are
instrumented.
• The presence of Conditional Access and MFA changes the attacker
tradeoffs: failures and policy evaluation events become important
detection signals.

Detection guidance:
• Surface and aggregate failed sign-in patterns across tenants; alert
on unusual volumes of password-spray–style failures targeting many
accounts in short windows.
• Monitor Conditional Access evaluation logs for repeated policy
decisions from anomalous IPs or device states.
• Correlate OSINT-derived lists with authentication telemetry to spot
targeted attempts.
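The first bullet above, detecting spray-style failures across many accounts in a short window, as an added example that is not part of the original page. The records are constructed in the shape of Entra ID sign-in log entries (Graph signIn field names; the IP addresses, users and thresholds are assumptions), and the logic separates a spray (wide and shallow) from a brute force (narrow and deep):

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Entra ID failure codes a spray produces: 50126 bad username/password, 50053 account locked.
FAILURE_CODES = {50126, 50053}

def rec(ts, upn, ip, code):
    """Build one constructed record in the shape of a Graph signIn entry."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

# Constructed sample telemetry (addresses taken from RFC 5737 documentation ranges).
SAMPLE_SIGNINS = (
    # Spray: six distinct accounts, one failure each, from one IP within six minutes.
    [rec(f"2025-08-23T10:0{i}:00Z", f"user{i}@example.com", "203.0.113.7", 50126)
     for i in range(6)]
    # Brute force: one account hammered from another IP. Loud, but not a spray.
    + [rec(f"2025-08-23T10:0{i}:30Z", "alice@example.com", "198.51.100.4", 50126)
       for i in range(8)]
    # Ordinary noise: two typos and one success from a third IP.
    + [rec("2025-08-23T10:02:00Z", "bob@example.com", "192.0.2.10", 50126),
       rec("2025-08-23T10:02:20Z", "carol@example.com", "192.0.2.10", 50126),
       rec("2025-08-23T10:02:40Z", "bob@example.com", "192.0.2.10", 0)]
)

def detect_password_spray(records, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {ip: sorted distinct UPNs} for source IPs whose failed sign-ins
    touch at least `min_accounts` accounts inside `window` while no single
    account fails more than `max_per_account` times (thresholds are assumed)."""
    fails = defaultdict(list)  # ip -> [(timestamp, upn)]
    for r in records:
        if r["status"]["errorCode"] in FAILURE_CODES:
            ts = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
            fails[r["ipAddress"]].append((ts, r["userPrincipalName"]))
    flagged = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            per_account = Counter(u for t, u in events[i:] if t - start <= window)
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                flagged[ip] = sorted(per_account)
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {len(users)} accounts {users}")
```

Against a real tenant the same function runs over exported sign-in records; the brute-force IP is left for a lockout or per-account rule, since it fails the shallowness test.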

Mitigation:
• Enforce MFA for all privileged and high-risk accounts and reduce
legacy authentication allowances.
• Harden user discovery: limit public exposure of role-based emails
and group memberships where possible.
• Implement rate-limiting and suspicious-activity thresholds in
identity platforms and enrich logs with UEBA for context.

Limitations:
• Public reporting does not supply IoCs or exploitation artifacts;
analysis is high-level and defensive.

🔹 #AzureAD #Entra #AADInternals #OSINT #MFA

🔗 Source: https://dmcxblue.net/2025/08/23/how-to-rob-a-hotel/

How to Rob a Hotel

Previously we’ve talked about banks and casinos, the glossy fronts of industries built to drain us while pretending to offer safety or fortune. The game is never fair, the house always wins. B…

DMCXBLUE

This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into.

The clue is street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation.

If I do a search on ‘street’ I see that it’s part of an output example for Get-AADIntTenantDetails.

Ok, let’s give that command a go.

And there’s the flag under the street value.

For the next one, it not so subtly says that Conditional Access Policies will be part of this, so again we reference the docs. Get-AADIntConditionalAccessPolicies seems like a good candidate.

Two for two.

Microsoft Teams will be our focus on the third one. There are dozens of Teams commands available within AADInternals. If we focus on message, that will get us to Get-AADIntTeamsMessages.

Having the documentation for the syntax really helped on this one.

And for the last one, no there isn’t a Get-AADIntPresident command. That would be too easy. How about a command that will show us all the users?

Scrolling up through the output, we find that the President (PattiF) has a flag in the telephone number field.

4 out of 4.

Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.

https://bakerstreetforensics.com/2023/11/03/huntress-ctf-week-3-m-three-sixty-five/

#AADInternals #CTF #HuntressCTF #M365 #O365

Documentation

AAD Internals PowerShell module

#AADInternals #DEFCON32 edition I demonstrated in my @defcon talk is now available on GitHub and #PowerShellGallery:
◾ Spoof SPO, Teams, and OneDrive files
◾ Tamper with existing files
◾ Nothing is logged

Change log available at: https://aadinternals.com/aadinternals/#version-info


Are you attending any of those great #AzureAD / #EntraID security related trainings today at #BHUS? Watch out, I might stop by to say hi! Also might bring some #AADInternals stickers 😉

#AADInternals @WEareTROOPERS edition OUT NOW at #PowerShell Gallery and GitHub!!

Thanks to @_dirkjan for WHfB research & inspiration, @cnotin for PR, and Nevada Romsdahl & @nullg0re & @santasalojoosua for helping with AADDS research!

Lots of new stuff:
🔹Export NTHashes from AzureAD 😱
🔹Command line based interactive login
🔹Automatic MFA with OTP
🔹TAP support
🔹Export PRT & Session key from CloudAP cache (with user credentials)
🔹Setting WHfB key
🔹Getting PRT & Session key with WHfB key
🔹PS 7 support 🤞

If/when you find any bugs, please let me know asap (Twitter, GitHub issue/PR, etc.)

Full changelog: https://aadinternals.com/aadinternals/#version-info


I recently published a blog about an EoP technique I use in #AADInternals 😊

TL;DR: Local admin can run any service as gMSA just by adding gMSA account name to ObjectName property of the service in registry 😈

https://aadinternals.com/post/local_admin_to_gmsa/

Elevation of Privilege from Local Admin to gMSA

In my previous blog post I explained how Group Managed Service Accounts (gMSA) passwords are stored locally on the servers. In this blog, I’ll share how you can easily elevate yourself from the local administrator to gMSA without a need to know the account password. I’m already using this technique in AADInternals to execute code as AD FS service account.

My #BHEU #Arsenal #AADInternals presentation slides and screen recording (HD 1080p) available at https://aadinternals.com/talks

The audio quality is bad, has a lot of background noise, and you can even hear Paula Januszkiewicz from the booth next to me 😁

p.s. All the passwords shown are reset 😉

Talks

My talks in different conferences.

Okay, peeps, you chose the #AADInternals demos; come to see them 1:45pm at #BHEU #Arsenal station #6!

I'll be demoing #AADInternals in #BHEU #Arsenal on Wednesday. Please vote below for what you want me to demonstrate in action!
Poll results: OSINT / Killchain 29.4%; Abusing identities 47.1%; Blueteam tools 23.5%; Other/see results 0%.

#AADInternals @bsidesorlando edition is out now!

New functionality:
▪ Get access tokens for managed identities
▪ Add new MOERA domains (.onmicrosoft.com)

And as demonstrated in my BSides Orlando talk:
▪ Modify #AzureAD policy details (including Conditional Access metadata) without detailed Audit Log events

Change log: https://aadinternals.com/aadinternals/#version-info
