Archive for September, 2018


ADFS – export RP and its claims

If you choose not to use the AD FS Rapid Restore Tool, then at a minimum you should export the "Microsoft Office 365 Identity Platform" relying party trust and any custom claim rules you have added to it. You can do this with the following PowerShell example:

(Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform") | Export-Clixml "C:\temp\O365-RelyingPartyTrust.xml"
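
A fuller version of the same export, added here as an example and not taken from the original post: it saves the whole relying party object and, separately, the issuance transform and authorization rules as plain text so they can be diffed and re-applied with Set-AdfsRelyingPartyTrust. The output folder, the timestamped file names and the presence of C:\temp are assumptions.

```powershell
# Added example: export the Office 365 relying party trust and its claim rules.
# Run on an AD FS server with the ADFS PowerShell module; C:\temp is assumed to exist.
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'
$outDir = 'C:\temp'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# 1. Whole object, round-trippable with Import-Clixml
$xmlPath = Join-Path $outDir "O365-RelyingPartyTrust-$stamp.xml"
$rp | Export-Clixml -Path $xmlPath

# 2. Claim rules as text. These are the files you hand back to
#    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile <file>
#    (and -IssuanceAuthorizationRulesFile) when rebuilding the trust.
$rp.IssuanceTransformRules     | Set-Content -Path (Join-Path $outDir "O365-IssuanceTransformRules-$stamp.txt")
$rp.IssuanceAuthorizationRules | Set-Content -Path (Join-Path $outDir "O365-IssuanceAuthorizationRules-$stamp.txt")

# 3. Sanity check: re-read the XML and confirm the identifiers survived the round trip
$check = Import-Clixml -Path $xmlPath
if (Compare-Object $check.Identifier $rp.Identifier) {
    throw "Exported trust in $xmlPath does not match the live object"
}

Write-Host "Exported '$rpName' and its claim rules to $outDir"
```

Keep the exported files with the rest of your AD FS backup; the claim rules files contain the exact transform language the server runs, so any later drift shows up in a simple text diff.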


Implement password hash synchronization:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-password-hash-synchronization

Migrating from federated authentication (ADFS) to password hash synchronization:

https://github.com/Identity-Deployment-Guides/Identity-Deployment-Guides/blob/master/Authentication/Migrating%20from%20Federated%20Authentication%20to%20Password%20Hash%20Synchronization.docx

AAD Connect Configuration Documenter is a tool that generates documentation of an Azure AD Connect installation. At present it only covers the Azure AD Connect sync configuration.

The current capabilities of the tool include:

  • Documentation of the complete configuration of Azure AD Connect sync.
  • Documentation of any changes in the configuration of two Azure AD Connect sync servers or changes from a given configuration baseline.
  • Generation of the PowerShell deployment script to migrate the sync rule differences or customisations from one server to another.

https://github.com/Microsoft/AADConnectConfigDocumenter

To download the tool: https://github.com/Microsoft/AADConnectConfigDocumenter/releases

https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-data-storage-eu

There are four main options for configuring SSO:

http://www.interlink.com/blog/entry/active-directory-federation-services-adfs-vs-password-sync

C# is being used more and more in offensive tooling; a collection of such tools: http://www.harmj0y.net/blog/redteaming/ghostpack/

Some related links:

https://www.forcepoint.com/blog/security-labs/using-c-post-powershell-attacks

https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb

http://www.harmj0y.net/blog/redteaming/ghostpack/

https://medium.com/@malcomvetter/net-process-injection-1a1af00359bc

https://www.fortynorthsecurity.com/microsoft-workflow-compiler-exe-veil-and-cobalt-strike/

https://isc.sans.edu/forums/diary/Malicious+PowerShell+Compiling+C+Code+on+the+Fly/24072/

https://zeltser.com/fileless-malware-beyond-buzzword/

https://docs.microsoft.com/en-us/dotnet/api/microsoft.csharp.csharpcodeprovider?view=netframework-4.7.2

Monitoring SharePoint Online (and OneDrive!) performance and slowness:

https://docs.microsoft.com/en-us/sharepoint/dev/general-development/how-to-avoid-getting-throttled-or-blocked-in-sharepoint-online

https://docs.microsoft.com/en-us/office365/enterprise/diagnosing-performance-issues-with-sharepoint-online?redirectSourcePath=%252fen-us%252farticle%252f3c364f9e-b9f6-4da4-a792-c8e8c8cd2e86

  • The F12 developer tools network monitor, or a third-party tool such as Fiddler or equivalent

  • SharePoint Online response header metrics (SPRequestDuration and X-SharePointHealthScore)

To read the SharePoint response headers:

  1. Ensure that you have the F12 tools installed. For more information on downloading and installing these tools, see What's new in F12 tools.

  2. In the F12 tools, on the Network tab, press the green play button to load a page.

  3. Click one of the .aspx files returned by the tool and then click DETAILS.

  4. Click Response headers.
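
The same two headers can be sampled from a script instead of the F12 tools, which makes it easier to collect a series of measurements and separate server time from network time. This is an added example, not code from the original post or from Microsoft; it assumes you already hold a valid authentication header for your tenant (cookie or bearer token) in $authHeaders, and the site URL and sample count are assumptions.

```powershell
# Added example: sample SPRequestDuration and X-SharePointHealthScore for a page
# and compare SharePoint's own figure with the wall-clock time seen by the client.
function Get-SpoResponseMetrics {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [hashtable] $Headers = @{},      # authentication header(s) for the tenant
        [int] $Samples = 5
    )
    foreach ($i in 1..$Samples) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $resp = Invoke-WebRequest -Uri $Url -Headers $Headers -UseBasicParsing -ErrorAction Stop
        } catch {
            # A 429 or 503 here usually means the tenant is being throttled; do not retry in a tight loop
            Write-Warning "Sample ${i}: $($_.Exception.Message)"
            continue
        }
        $sw.Stop()

        # Header values are a string in Windows PowerShell and string[] in PowerShell 7; take the first
        $serverMs = [int]($resp.Headers['SPRequestDuration'] | Select-Object -First 1)
        $health   = [int]($resp.Headers['X-SharePointHealthScore'] | Select-Object -First 1)
        $clientMs = $sw.ElapsedMilliseconds

        [pscustomobject]@{
            Sample            = $i
            StatusCode        = $resp.StatusCode
            ClientMs          = $clientMs              # total time seen by the client
            SPRequestDuration = $serverMs              # time SharePoint spent building the response
            NetworkMs         = $clientMs - $serverMs  # remainder: network and client overhead
            HealthScore       = $health                # 0 = healthy, 10 = server under heavy load
        }
    }
}

# Usage (URL and token are placeholders; point this at a page in your own tenant)
# $authHeaders = @{ Authorization = 'Bearer <token>' }
# Get-SpoResponseMetrics -Url 'https://contoso.sharepoint.com/sites/team/SitePages/Home.aspx' -Headers $authHeaders |
#     Format-Table -AutoSize
```

If SPRequestDuration stays close to ClientMs the delay is on the SharePoint side (check HealthScore); if ClientMs is much larger than SPRequestDuration, look at the network path and the client instead.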

How to run scripts or commands in parallel with PowerShell:

https://blogs.technet.microsoft.com/heyscriptingguy/2013/01/09/powershell-workflows-nesting/

https://blogs.technet.microsoft.com/rgullick/2017/01/10/run-a-powershell-script-multi-threaded-i-mean-in-parallel/

https://dnsdumpster.com/

Introduction to device management in Azure Active Directory:

https://docs.microsoft.com/fr-fr/azure/active-directory/devices/overview

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#getting-devices-under-the-control-of-azure-ad

As a rule of thumb, you should use:

  • Azure AD registered devices:
    • For personal devices
    • To manually register devices with Azure AD
  • Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are not joined to an on-premises AD
    • To manually register devices with Azure AD
    • To change the local state of a device
  • Hybrid Azure AD joined devices:
    • For devices that are owned by your organization
    • For devices that are joined to an on-premises AD
    • To automatically register devices with Azure AD
    • To change the local state of a device
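
To check which of these three states a Windows device is actually in, the output of dsregcmd /status can be classified along the same lines. This is an added example, not code from the original post or from Microsoft; the field names (AzureAdJoined, DomainJoined, WorkplaceJoined) are the ones dsregcmd prints, and the sample output below is constructed for a domain-joined device that is also Azure AD joined.

```powershell
# Added example: map dsregcmd /status output to "Azure AD registered",
# "Azure AD joined" or "Hybrid Azure AD joined".
function Get-AzureAdDeviceState {
    param([Parameter(Mandatory)] [string[]] $DsregOutput)

    # dsregcmd prints "   Name : VALUE" rows; collect them into a hashtable
    $fields = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'   # device identity in Azure AD
    $domainJoined    = $fields['DomainJoined']    -eq 'YES'   # on-premises AD membership
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'   # per-user Azure AD registration

    $state = if ($azureAdJoined -and $domainJoined) { 'Hybrid Azure AD joined' }
             elseif ($azureAdJoined)                { 'Azure AD joined' }
             elseif ($workplaceJoined)              { 'Azure AD registered' }
             else                                   { 'Not registered with Azure AD' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $azureAdJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $workplaceJoined
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

# Constructed sample of the relevant dsregcmd /status rows (not a real device)
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-AzureAdDeviceState -DsregOutput $sample

# On a real machine, feed the live output instead:
# Get-AzureAdDeviceState -DsregOutput (dsregcmd /status)
```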

How to set up: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan


Azure AD registered devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-registered-devices

Hybrid Azure AD joined devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#hybrid-azure-ad-joined-devices

To configure Hybrid Azure AD joined devices, see:

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-manual-steps

Azure AD joined devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction#azure-ad-joined-devices

Azure AD Join vs Azure AD Device Registration:

https://blogs.technet.microsoft.com/trejo/2016/04/09/azure-ad-join-vs-azure-ad-device-registration/

Manage devices:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#manage-devices

Device management tasks:

https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#device-management-tasks

Configure On-Premises Conditional Access using registered devices:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-device-based-conditional-access-on-premises