Cloud

We start with OSINT as usual. From there the work resembles external pentesting to a small degree, but ideally we are provided user credentials so that we can test from a compromised-user perspective.

Azure/Entra ID

We can start by logging in to https://portal.azure.com to see whether we have access to the Entra ID portal. There we can find multiple things such as the users, Global Admins, roles, etc. While in there, we can also see whether users can register applications or create security groups.

We use GraphRunner, AzureHound, and Sharefiltrator for further enumeration.

With these we can find additional information, such as whether users can register applications or create security groups, dump conditional access policies, and much more. We can also scan SharePoint and OneDrive for files.
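The default-user settings mentioned above (whether users can register applications or create security groups) are held in the tenant's authorization policy, so a defender can review the same values. The following is an added example, not part of the original notes or of GraphRunner: it audits a constructed sample shaped like the Microsoft Graph `authorizationPolicy` response. The sample values and the function name `audit_authorization_policy` are assumptions.

```python
import json

# Constructed sample shaped like the Microsoft Graph response for
# GET /v1.0/policies/authorizationPolicy (made-up values, not a real tenant).
SAMPLE_POLICY = json.loads("""
{
  "id": "authorizationPolicy",
  "allowInvitesFrom": "everyone",
  "defaultUserRolePermissions": {
    "allowedToCreateApps": true,
    "allowedToCreateSecurityGroups": true,
    "allowedToCreateTenants": false
  }
}
""")

# Default-user permissions the notes look for, plus one sibling setting.
CHECKS = {
    "allowedToCreateApps": "any member can register applications",
    "allowedToCreateSecurityGroups": "any member can create security groups",
    "allowedToCreateTenants": "any member can create new tenants",
}

def audit_authorization_policy(doc):
    """Return (setting, meaning) pairs for permissions left open to all members."""
    # Some responses wrap the policy in a 'value' list; accept both shapes.
    wrapped = doc.get("value")
    policy = wrapped[0] if isinstance(wrapped, list) and wrapped else doc
    perms = policy.get("defaultUserRolePermissions") or {}
    findings = []
    for setting, meaning in CHECKS.items():
        state = perms.get(setting)
        if state is True:
            findings.append((setting, meaning))
        elif state is None:
            # Missing key: report it instead of assuming the restrictive value.
            findings.append((setting, "setting absent from response, verify manually"))
    if policy.get("allowInvitesFrom") == "everyone":
        findings.append(("allowInvitesFrom", "members and guests can invite external users"))
    return findings

if __name__ == "__main__":
    for setting, meaning in audit_authorization_policy(SAMPLE_POLICY):
        print(f"[!] {setting}: {meaning}")
```
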

  • General Enumeration

Import-Module .\GraphRunner.ps1
Get-GraphTokens # log in with the URL / code
Invoke-GraphRunner -Tokens $tokens

  • Scan SharePoint/OneDrive for files

Invoke-SearchSharePointAndOneDrive -tokens $Tokens

COMING SOON

  • Search for files containing "password" and download them

python sharefiltrator.py -d COMPANY.sharepoint.com -r <rtFa_cookie> -f <FedAuth_cookie> -o password_files.txt -q "password" -s downloaded_passwords
