S0677: AADInternals
AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.[1][2]
Analyst context for executives and security teams
AADInternals matters because it is a publicly available PowerShell framework focused on Azure Active Directory administration, enumeration, and exploitation. For leaders, the risk is not the tool name alone; it is whether identity, Office Suite, and Windows telemetry can show when legitimate-looking cloud identity functions are being used for discovery, persistence, credential access, or trust/MFA manipulation.
Executive priority
Treat this as an identity and cloud-control validation item. ATT&CK links AADInternals to techniques involving cloud account and group discovery, device registration, MFA and hybrid identity modification, token theft/forgery, cloud storage access, and Windows credential/registry activity. Executives should ask whether the organization can produce audit evidence for privileged identity changes, device/MFA enrollment, federation or trust changes, PowerShell use, and cloud data access during an incident.
Technical view
MITRE provides no official detection text for AADInternals, so SOC and IR teams should validate coverage by behavior rather than tool name. Focus on Windows PowerShell execution, Azure AD/Entra ID and Office Suite audit activity, identity provider changes, device registration events, MFA configuration changes, cloud account/group enumeration, application access token activity, SAML/federation trust changes, and access to cloud storage. ATT&CK relationship data associates this tool with APT29 and Storm-0501, but local detection should be based on observed behaviors and environment baselines, not on attribution assumptions.
Likely telemetry
- PowerShell script block, module, transcription, and process execution logs on Windows endpoints
- Identity provider audit logs for users, groups, roles, devices, MFA methods, application permissions, and federation or trust configuration
- Cloud and Office Suite audit logs for account enumeration, administrative actions, mailbox or storage access, and application activity
- Sign-in and token-related logs, including unusual application access, service principal activity, and SAML/federation-related events where available
- Windows Security and registry telemetry relevant to LSA secrets, private keys, and registry modification
Detection direction
- Do not rely only on detecting the string "AADInternals"; validate detections for the ATT&CK-related behaviors the tool is mapped to.
- Baseline normal administrative PowerShell and cloud identity administration so enumeration and configuration changes can be separated from expected operations.
- Prioritize alerting on high-risk identity changes: new cloud accounts, privileged role/group changes, new device registrations, MFA method changes, hybrid identity or federation/trust changes, and application/token abuse indicators.
- Correlate endpoint PowerShell activity with identity provider audit events; a local script invocation followed by cloud discovery or identity changes is higher value than either signal alone.
- Tune for false positives from legitimate administrators and security teams, but require change tickets or privileged-access context for sensitive identity and trust modifications.
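The correlation the list above calls for, written out as an added example (not code from the page's author or from the AADInternals project): it joins Windows PowerShell script block events (Event ID 4104) from an endpoint to high-risk cloud identity audit events by principal and time, and separately routes high-risk changes that have neither endpoint context nor a change record to review. The sample events are constructed; the field names, the activity labels, the 30-minute window, and the assumption that an on-prem SAM account name equals the cloud UPN local part are simplifications for this example, not any vendor's schema.

```python
"""Correlate endpoint PowerShell script block logs with cloud identity audit
events. Sample events are CONSTRUCTED for this example; field names and
activity labels are a simplified assumption, not the Windows or Entra ID schema."""
from datetime import datetime, timedelta
import re

# Script-content patterns. The module name alone is a weak signal (the page says
# not to rely on it); the Verb-AADInt* naming convention is taken from the
# Set-AADIntUserMFA cmdlet named in the technique table.
SCRIPT_PATTERNS = [
    re.compile(r"\bAADInternals\b", re.I),
    re.compile(r"\b[A-Za-z]+-AADInt\w+", re.I),
]

# High-risk identity changes from the 'Detection direction' list, keyed by an
# assumed activity label in the sample audit log (not an official enum value).
HIGH_RISK = {
    "Admin deleted security info": "mfa_method_change",
    "User registered security info": "mfa_method_change",
    "Set domain authentication": "federation_trust_change",
    "Register device": "device_registration",
    "Add member to role": "privileged_role_change",
    "Add user": "cloud_account_creation",
}

WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def principal_key(identity):
    """Normalise 'CORP\\jdoe' and 'jdoe@corp.example' to 'jdoe'.
    Simplifying assumption: on-prem SAM name equals the UPN local part."""
    identity = identity.lower()
    if "\\" in identity:
        return identity.rsplit("\\", 1)[1]
    return identity.split("@", 1)[0]


def script_matches(script):
    return any(p.search(script) for p in SCRIPT_PATTERNS)


def correlate(endpoint_events, audit_events, approved_changes=frozenset()):
    """Return findings for high-risk audit events.
    'correlated': a matching 4104 script block from the same principal ran
    within WINDOW before the change (the high-value pairing the page describes).
    'unticketed': high-risk change with no endpoint context and no approved
    (actor, target) change record; route to review rather than auto-close."""
    findings = []
    for audit in audit_events:
        category = HIGH_RISK.get(audit["activity"])
        if category is None:
            continue
        t_audit = parse_ts(audit["time"])
        actor = principal_key(audit["initiator"])
        precursors = [
            ev for ev in endpoint_events
            if ev["event_id"] == 4104
            and principal_key(ev["user"]) == actor
            and script_matches(ev["script"])
            and timedelta(0) <= t_audit - parse_ts(ev["time"]) <= WINDOW
        ]
        if precursors:
            findings.append({"severity": "high", "kind": "correlated",
                             "category": category, "actor": actor,
                             "target": audit["target"],
                             "hosts": sorted({ev["host"] for ev in precursors})})
        elif (actor, audit["target"]) not in approved_changes:
            findings.append({"severity": "medium", "kind": "unticketed",
                             "category": category, "actor": actor,
                             "target": audit["target"], "hosts": []})
    return findings


# Constructed sample endpoint events (cmdlet arguments deliberately omitted).
ENDPOINT_EVENTS = [
    {"time": "2024-05-01T09:02:10Z", "host": "WKS-ADMIN01", "user": "CORP\\jdoe",
     "event_id": 4104, "script": "Import-Module AADInternals"},
    {"time": "2024-05-01T09:05:44Z", "host": "WKS-ADMIN01", "user": "CORP\\jdoe",
     "event_id": 4104, "script": "Set-AADIntUserMFA"},
    {"time": "2024-05-01T13:00:00Z", "host": "WKS-HELPDESK7", "user": "CORP\\asmith",
     "event_id": 4104, "script": "Get-Process"},
]

# Constructed sample cloud identity audit events.
AUDIT_EVENTS = [
    {"time": "2024-05-01T09:06:30Z", "activity": "Admin deleted security info",
     "initiator": "jdoe@corp.example", "target": "bob@corp.example"},
    {"time": "2024-05-01T13:20:00Z", "activity": "Reset user password",
     "initiator": "asmith@corp.example", "target": "bob@corp.example"},
    {"time": "2024-05-01T15:00:00Z", "activity": "Register device",
     "initiator": "asmith@corp.example", "target": "LAPTOP-42"},
    {"time": "2024-05-02T08:00:00Z", "activity": "Set domain authentication",
     "initiator": "svc-automation@corp.example", "target": "corp.example"},
]

# Constructed change-ticket context: (actor, target) pairs with an approved change.
APPROVED = frozenset({("asmith", "LAPTOP-42")})

if __name__ == "__main__":
    for finding in correlate(ENDPOINT_EVENTS, AUDIT_EVENTS, APPROVED):
        print(finding)
```

On the sample data the MFA change by jdoe is reported as a correlated high-severity finding (the AADInternals module import and the `Set-AADIntUserMFA` script block ran on WKS-ADMIN01 minutes earlier), the ticketed device registration is suppressed, and the federation change by the automation account surfaces as an unticketed medium-severity item for review. In production the principal normalisation would come from a real identity mapping and the approved-change set from the ticketing system.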
Mitigation priorities
- Ensure required Windows, identity provider, and Office Suite audit logging is enabled and retained long enough for incident response and compliance evidence.
- Apply least privilege to cloud and identity administration; tightly govern roles capable of modifying users, groups, devices, MFA, applications, tokens, and federation/trust settings.
- Require strong change control and review for device registration, MFA configuration, hybrid identity, and trust/federation changes.
- Harden administrative workstations and PowerShell usage with appropriate logging, constrained administration, and monitoring of privileged sessions.
- Protect credential material, private keys, token-signing assets, and registry/LSA-sensitive areas with access controls and monitoring.
Analyst notes and limits
The ATT&CK object identifies AADInternals as a PowerShell-based framework for Azure Active Directory administration, enumeration, and exploitation, publicly available on GitHub. Relationship mappings are the primary source of defensive direction here, spanning credential access, discovery, persistence, privilege escalation, defense impairment, collection, exfiltration, reconnaissance, execution, and initial access techniques. ATT&CK also records use relationships with APT29 and Storm-0501; this should inform threat modeling, not automatic attribution.
No official ATT&CK detection guidance, tactics list, aliases, or labels were supplied for this tool. The assessment is limited to the provided STIX fields, external references, and relationships. Actual exposure and detection quality depend on local Azure AD/Entra ID, Office Suite, identity provider, Windows endpoint, network, and retention configurations.
AADInternals
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1526 | Cloud Service Discovery | AADInternals can enumerate information about a variety of cloud services, such as Office 365 and SharePoint instances or OpenID Configurations. [AADInternals Documentation] |
| Enterprise | T1649 | Steal or Forge Authentication Certificates | AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices. [AADInternals Documentation] |
| Enterprise | T1556.007 | Hybrid Identity Sub-technique | AADInternals can inject a malicious DLL (`PTASpy`) into the `AzureADConnectAuthenticationAgentService` to backdoor Azure AD Pass-Through Authentication. [AADInternals Azure AD On-Prem to Cloud] |
| Enterprise | T1098.005 | Device Registration Sub-technique | AADInternals can register a device to Azure AD. [AADInternals Documentation] |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | AADInternals can send phishing emails containing malicious links designed to collect users’ credentials. [AADInternals Documentation] |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. [AADInternals Documentation] |
| Enterprise | T1484.002 | Trust Modification Sub-technique | AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information. [AADInternals Documentation] [Azure AD Federation Vulnerability] |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | AADInternals can send "consent phishing" emails containing malicious links designed to steal users’ access tokens. [AADInternals Documentation] |
| Enterprise | T1069.003 | Cloud Groups Sub-technique | AADInternals can enumerate Azure AD groups. [AADInternals Documentation] |
| Enterprise | T1136.003 | Cloud Account Sub-technique | AADInternals can create new Azure AD users. [AADInternals Documentation] |
| Enterprise | T1606.002 | SAML Tokens Sub-technique | AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate. [AADInternals Documentation] |
| Enterprise | T1590.001 | Domain Properties Sub-technique | AADInternals can gather information about a tenant’s domains using public Microsoft APIs. [AADInternals Documentation] [Azure AD Recon] |
| Enterprise | T1589.002 | Email Addresses Sub-technique | AADInternals can check for the existence of user email addresses using public Microsoft APIs. [AADInternals Documentation] [Azure AD Recon] |
| Enterprise | T1558.002 | Silver Ticket Sub-technique | AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account. [AADInternals Documentation] |
| Enterprise | T1552.004 | Private Keys Sub-technique | AADInternals can gather encryption keys from Azure AD services such as ADSync and Active Directory Federated Services servers. [AADInternals Documentation] |
| Enterprise | T1528 | Steal Application Access Token | AADInternals can steal users’ access tokens via phishing emails containing malicious links. [AADInternals Documentation] |
| Enterprise | T1087.004 | Cloud Account Sub-technique | AADInternals can enumerate Azure AD users. [AADInternals Documentation] |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | AADInternals can dump secrets from the Local Security Authority. [AADInternals Documentation] |
| Enterprise | T1556.006 | Multi-Factor Authentication Sub-technique | The AADInternals `Set-AADIntUserMFA` command can be used to disable MFA for a specified user. |
| Enterprise | T1651 | Cloud Administration Command | AADInternals can execute commands on Azure virtual machines using the VM agent. [AADInternals Root Access to Azure VMs] |
| Enterprise | T1530 | Data from Cloud Storage | AADInternals can collect files from a user’s OneDrive. [AADInternals] |
| Enterprise | T1059.001 | PowerShell Sub-technique | AADInternals is written and executed via PowerShell. [AADInternals Documentation] |
| Enterprise | T1112 | Modify Registry | AADInternals can modify registry keys as part of setting a new pass-through authentication agent. [AADInternals Documentation] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | AADInternals can directly download cloud user data such as OneDrive files. [AADInternals Documentation] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
G1053: Storm-0501
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 996a7c42d426… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] AADInternals Github. Dr. Nestori Syynimaa. (2021, December 13). AADInternals. Retrieved February 1, 2022.
[2] AADInternals Documentation. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
[3] AADInternals. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 1, 2022.
[4] mitre-attack S0677.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.