Legacy-AzureHound.ps1 icon indicating copy to clipboard operation
Legacy-AzureHound.ps1 copied to clipboard

Published 20 hours ago verified publisher icon BloodHoundAD

Add support for national clouds

Open milesgratz opened this issue 3 years ago • 0 comments

It would be good to add support for national clouds. Since you may be using stolen AAD tokens, I am wondering the best way to accomplish.

National cloud AzureADEndpoint GraphEndpoint
Global https://login.microsoftonline.com https://graph.microsoft.com
USGov https://login.microsoftonline.us https://graph.microsoft.us
USGovDoD https://login.microsoftonline.us https://dod-graph.microsoft.us
Germany https://login.microsoftonline.de https://graph.microsoft.de
China https://login.chinacloudapi.cn https://microsoftgraph.chinacloudapi.cn

Recreating the Microsoft.Graph PS module behavior would make the most sense -- Add optional -Environment parameter, add AAD/graph endpoint logic, default to Azure Global -- Example: msgraph-sdk-powershell/src/Authentication/Authentication/GraphEnvironmentConstants.cs

Could also do some parsing of the AAD JWT token and warn the user before attempting an auth -- Example: Decode JWT access and id tokens via PowerShell -- Example: Microsoft Docs | How do I identify an Azure Government tenant? -- Example: https://www.powershellgallery.com/packages/Get-GccHighWhitelistInfo/1.4/Content/Get-GccHighWhitelistInfo.ps1

milesgratz avatar Oct 03 '21 17:10 milesgratz