Lateral movement graph for Azure Active Directory.

AzureADLateralMovement builds a lateral movement graph for Azure Active Directory entities: Users, Computers, Groups and Roles. Using the Microsoft Graph API, AzureADLateralMovement extracts interesting information and builds JSON files containing lateral movement graph data compatible with BloodHound 2.2.0.

Some of the implemented features are:
- Extraction of Users, Computers, Groups, Roles and more.
- Transformation of the entities into Graph objects
- Injection of the objects into Azure CosmosDB Graph

The lateral movement graph makes it possible to investigate the attack paths that are actually available in the AAD environment. The graph is composed of nodes for Users, Groups and Devices, connected by edges that follow the logic of AdminTo, MemberOf and HasSession. This logic is explained in detail in the original research document:

In the on-premises environment, BloodHound collects data using the SAMR and SMB protocols against each machine in the domain, and LDAP against the on-premises AD.

In an Azure AD environment, the relevant data regarding Azure AD devices, users and logon sessions can be retrieved using the Microsoft Graph API. Once the relevant data is gathered, it is possible to build a similar graph of connections for users, groups and Windows machines registered in Azure Active Directory.

To retrieve the data and build the graph data, this project uses:
- Azure app
- Microsoft Graph API
- Hybrid AD+AAD domain environment synced using pass-through authentication
- BloodHound UI and entity objects
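
The graph logic described above, as an added Python example that is not code from AzureADLateralMovement: it builds MemberOf, AdminTo and HasSession edges from constructed records and reports which accounts have a path to a designated protected account, so those edges can be reviewed and removed. The record layout, all names, and the device-to-user direction of HasSession (BloodHound's convention) are assumptions.

```python
from collections import deque

# Constructed sample data; the field layout is hypothetical, not Microsoft Graph output.
MEMBERSHIPS = [("alice", "HelpdeskAdmins"), ("bob", "Staff")]   # (user, group)
DEVICE_ADMINS = [("HelpdeskAdmins", "PC-01"), ("carol", "PC-02")]  # (principal, device)
SESSIONS = [("carol", "PC-01"), ("dave", "PC-02")]   # (user, device signed in to)


def build_edges(memberships, device_admins, sessions):
    """Return (source, label, target) triples for the three edge types."""
    edges = [(u, "MemberOf", g) for u, g in memberships]
    edges += [(p, "AdminTo", d) for p, d in device_admins]
    # Assumed direction (BloodHound convention): device -> user with a session.
    edges += [(d, "HasSession", u) for u, d in sessions]
    return edges


def shortest_path(edges, start, target):
    """Breadth-first search; returns the edges from start to target, or None."""
    adjacency = {}
    for src, label, dst in edges:
        adjacency.setdefault(src, []).append((label, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for label, nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, label, nxt)]))
    return None


def exposure_report(edges, users, protected):
    """Map each user to its path to the protected account (users without one are omitted)."""
    report = {}
    for user in users:
        path = shortest_path(edges, user, protected)
        if user != protected and path:
            report[user] = path
    return report


if __name__ == "__main__":
    edges = build_edges(MEMBERSHIPS, DEVICE_ADMINS, SESSIONS)
    for user, path in exposure_report(edges, ["alice", "bob", "carol", "dave"], "dave").items():
        print(user, " ".join(f"-[{label}]-> {dst}" for _, label, dst in path))
```

Each reported path names the specific group membership, local admin assignment or logon session that links the accounts, which is the edge to remove or restrict.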