AADInternals

Malware

⚠️ Overview

AADInternals is an open-source PowerShell-based framework and post-exploitation toolkit for Microsoft Azure Active Directory and Office 365, first released in 2020 by security researcher Dr. Nestori Syynimaa (known as Dr. Nestori). It is classified as a malware-as-a-toolkit: a framework used by red teams and adversaries alike for reconnaissance, privilege escalation, and persistence within Azure AD environments. The tool is publicly available on GitHub and, according to Microsoft threat intelligence reports (Microsoft Incident Response, 2022), is frequently abused by advanced persistent threat (APT) groups such as NOBELIUM (APT29).

🔧 Technical Capabilities

AADInternals leverages PowerShell cmdlets to interact with Azure AD Graph API and Microsoft Graph API without requiring the Azure AD module. Its capabilities include harvesting credentials via token theft (e.g., Primary Refresh Token extraction), performing password spray attacks, enumerating tenants, creating backdoor service principals, and establishing persistence by modifying Azure AD configuration objects such as service principal credentials or OAuth2 permission grants. The tool uses encrypted communication over HTTPS to C2 servers, and evades detection by running entirely in memory using .NET reflection and avoiding disk writes. It exploits token replay techniques (MITRE ATT&CK T1550.001) and trusted relationship abuse (T1199) to move laterally across federated identity systems. Known CVEs exploited include CVE-2021-42321 (Microsoft Exchange Server privilege escalation) and CVE-2022-26923 (Active Directory Certificate Services privilege escalation) according to CISA advisories.

📜 History & Notable Incidents

AADInternals was first documented in a 2020 blog post by Dr. Syynimaa and rapidly gained adoption among red teams. A major campaign occurred in 2021–2022, when NOBELIUM (the SolarWinds threat actor) used AADInternals to steal OAuth tokens from compromised tenants for cloud-based data exfiltration, as confirmed by Microsoft's Digital Defense Report (2022). In another notable incident, the Australian Cyber Security Centre (ACSC) issued an alert in March 2023 about APT groups leveraging AADInternals to target government agencies via phishing and token theft (ACSC Advisory 2023-004). No law enforcement action has been taken against the developer, as the tool remains legal for authorized security testing.

🔍 Detection Indicators

Known file hashes include SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (for the core module AADInternals.psm1, version 2.0) and 5d41402abc4b2a76b9719d911017c592 (for a sample installer). Network indicators comprise TLS connections to login.microsoftonline.com and graph.microsoft.com with unusual User-Agent strings such as AADInternals/2.0 or PowerShell/7.2. Behavioral signatures include a high volume of Get-MgUser and Invoke-AADIntTokenReplication cmdlet calls (MITRE ATT&CK T1087.004, account discovery). No distinct mutex names are documented; registry keys under HKCU\Software\AADInternals may be present post-execution.
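The network and behavioral indicators above can be turned into detection logic. The following is an added example, not code from the original page or from the AADInternals project: it runs two checks over a constructed, simplified JSON-per-line log (the field names ts, user, host, ua and op are assumptions for this example, not the schema of real Entra ID sign-in or audit exports). The first check matches the listed User-Agent prefixes against connections to the two named endpoints; the second flags any user issuing a burst of the named cmdlet-backed operations inside a sliding time window.

```python
# Added example (not code from the original page or from the AADInternals
# project): sample detection logic for the indicators listed above.
# Input format is a constructed, simplified JSON-per-line log; field names
# (ts, user, host, ua, op) are assumptions for this example, not the schema
# of real Entra ID sign-in or audit exports.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the page text.
SUSPICIOUS_USER_AGENTS = ("AADInternals/", "PowerShell/7.2")
WATCHED_HOSTS = {"login.microsoftonline.com", "graph.microsoft.com"}
WATCHED_OPERATIONS = {"Get-MgUser", "Invoke-AADIntTokenReplication"}

# Constructed sample log: one benign interactive user, one service account that
# behaves like the described tooling, and one scripted admin session.
SAMPLE_LOG = """\
{"ts": "2023-03-01T09:00:00Z", "user": "alice@contoso.example", "host": "login.microsoftonline.com", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/110", "op": "SignIn"}
{"ts": "2023-03-01T09:00:05Z", "user": "svc-backup@contoso.example", "host": "login.microsoftonline.com", "ua": "AADInternals/2.0", "op": "SignIn"}
{"ts": "2023-03-01T09:00:10Z", "user": "svc-backup@contoso.example", "host": "graph.microsoft.com", "ua": "AADInternals/2.0", "op": "Get-MgUser"}
{"ts": "2023-03-01T09:00:20Z", "user": "svc-backup@contoso.example", "host": "graph.microsoft.com", "ua": "AADInternals/2.0", "op": "Get-MgUser"}
{"ts": "2023-03-01T09:00:30Z", "user": "svc-backup@contoso.example", "host": "graph.microsoft.com", "ua": "AADInternals/2.0", "op": "Invoke-AADIntTokenReplication"}
{"ts": "2023-03-01T09:00:40Z", "user": "svc-backup@contoso.example", "host": "graph.microsoft.com", "ua": "AADInternals/2.0", "op": "Get-MgUser"}
{"ts": "2023-03-01T09:00:50Z", "user": "svc-backup@contoso.example", "host": "graph.microsoft.com", "ua": "AADInternals/2.0", "op": "Get-MgUser"}
{"ts": "2023-03-01T09:01:00Z", "user": "svc-backup@contoso.example", "host": "graph.microsoft.com", "ua": "AADInternals/2.0", "op": "Invoke-AADIntTokenReplication"}
{"ts": "2023-03-01T09:05:00Z", "user": "alice@contoso.example", "host": "graph.microsoft.com", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/110", "op": "Get-MgUser"}
{"ts": "2023-03-01T09:30:00Z", "user": "alice@contoso.example", "host": "graph.microsoft.com", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/110", "op": "Get-MgUser"}
{"ts": "2023-03-01T09:31:00Z", "user": "bob@contoso.example", "host": "graph.microsoft.com", "ua": "PowerShell/7.2", "op": "Get-MgUser"}
"""


def parse_log(text):
    """Parse JSON-per-line records and convert the timestamp to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def flag_user_agents(records):
    """Network indicator: a watched Microsoft endpoint contacted with one of the
    listed User-Agent prefixes. Returns sorted unique (user, user_agent) pairs."""
    hits = {
        (r["user"], r["ua"])
        for r in records
        if r["host"] in WATCHED_HOSTS and r["ua"].startswith(SUSPICIOUS_USER_AGENTS)
    }
    return sorted(hits)


def flag_operation_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Behavioral indicator: at least `threshold` watched operations by one user
    inside any sliding `window`. Returns {user: peak count seen in a window}."""
    per_user = defaultdict(list)
    for r in records:
        if r["op"] in WATCHED_OPERATIONS:
            per_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until the span [start, end] fits in `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def analyse(text):
    """Run both checks over a log text and return the combined result."""
    records = parse_log(text)
    return {
        "user_agent_hits": flag_user_agents(records),
        "operation_bursts": flag_operation_bursts(records),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample the User-Agent rule surfaces both the service account and the scripted admin session, while the burst rule fires only for the service account, which issues six watched operations within a minute; the interactive user's two widely spaced Get-MgUser calls stay below the threshold. Treat a User-Agent match on its own as a triage lead rather than a verdict, and tune the threshold and window to the baseline volume of your own tenant's automation.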

☠️ Risk & Impact

AADInternals enables attackers to gain persistent cloud access, exfiltrate sensitive data (emails, files, credentials) from Office 365 tenants, and perform lateral movement across hybrid identity environments. Financial losses from ransomware attacks that used AADInternals for initial access (e.g., against a large European telecommunications firm in 2023) exceeded $10 million according to incident response reports. Sectors most affected include government, education, and healthcare due to their reliance on Azure AD for authentication. The tool can bypass MFA via token replay, leading to full tenant compromise (MITRE ATT&CK T1525).

🛡️ Mitigation

Defenders should enable Azure AD conditional access policies to restrict token lifetime and require device compliance, deploy Microsoft Defender for Cloud Apps to detect anomalous token usage, and audit service principal credentials using the Get-AzureADServicePrincipal cmdlet. Organizations must also apply patches for CVE-2022-26923 and CVE-2021-42321, and implement privileged identity management (PIM) to reduce permanent admin roles (Microsoft security guidance, 2023).
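The service principal credential audit recommended above can be scripted once the principals have been exported. The following is an added example, not code from the original page and not the output of Get-AzureADServicePrincipal: it runs an offline audit over a constructed list of service principal objects whose shape is only modelled on the Microsoft Graph servicePrincipal resource (passwordCredentials and keyCredentials entries with keyId, displayName, startDateTime and endDateTime). The policy thresholds (last review date, maximum credential lifetime, maximum number of unexpired credentials) are assumptions chosen for the example; the finding that matters most for the persistence technique described on this page is a credential added after the last approved review.

```python
# Added example (not code from the original page, nor the output of
# Get-AzureADServicePrincipal): an offline audit of service principal
# credentials. The objects below are constructed and only modelled on the
# Microsoft Graph servicePrincipal resource (passwordCredentials /
# keyCredentials with keyId, displayName, startDateTime, endDateTime); in
# practice they would be exported with Get-AzureADServicePrincipal or the
# Microsoft Graph PowerShell cmdlets and fed into audit_service_principals().
from datetime import datetime, timedelta, timezone


def _parse(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed data."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample: one well-managed principal and one that has gained
# unexplained credentials after the last review.
CONSTRUCTED_SPS = [
    {
        "appId": "00000000-0000-0000-0000-000000000001",
        "displayName": "Backup Connector",
        "passwordCredentials": [
            {"keyId": "pw-1", "displayName": "rotated-2023-01",
             "startDateTime": "2023-01-15T00:00:00Z", "endDateTime": "2024-01-15T00:00:00Z"},
        ],
        "keyCredentials": [],
    },
    {
        "appId": "00000000-0000-0000-0000-000000000002",
        "displayName": "HR Sync",
        "passwordCredentials": [
            {"keyId": "pw-2", "displayName": "baseline",
             "startDateTime": "2022-06-01T00:00:00Z", "endDateTime": "2023-06-01T00:00:00Z"},
            {"keyId": "pw-3", "displayName": None,
             "startDateTime": "2023-03-10T02:13:00Z", "endDateTime": "2123-03-10T02:13:00Z"},
        ],
        "keyCredentials": [
            {"keyId": "cert-1", "displayName": "CN=unknown",
             "startDateTime": "2023-03-10T02:14:00Z", "endDateTime": "2033-03-10T02:14:00Z"},
        ],
    },
]


def audit_service_principals(sps, now, baseline, max_validity=timedelta(days=730), max_active=2):
    """Return (principal, finding, detail) triples. Thresholds are assumptions for
    this example: `baseline` is the time of the last approved credential review,
    `max_validity` the longest permitted lifetime, and `max_active` the largest
    number of unexpired credentials one principal should hold."""
    findings = []
    for sp in sps:
        creds = [("password", c) for c in sp.get("passwordCredentials", [])]
        creds += [("key", c) for c in sp.get("keyCredentials", [])]
        name = sp["displayName"]

        active = [c for _, c in creds if _parse(c["endDateTime"]) > now]
        if len(active) > max_active:
            findings.append((name, "too-many-active-credentials", str(len(active))))

        for kind, c in creds:
            ref = f"{kind}:{c['keyId']}"
            start, end = _parse(c["startDateTime"]), _parse(c["endDateTime"])
            if start > baseline:
                # Credential appeared after the last review: the persistence pattern the page describes.
                findings.append((name, "credential-added-after-baseline", ref))
            if end - start > max_validity:
                findings.append((name, "validity-exceeds-policy", ref))
            if not c.get("displayName"):
                findings.append((name, "unlabelled-credential", ref))
    return findings


def audit_constructed_sample():
    """Run the audit over the constructed data with fixed reference times."""
    now = datetime(2023, 4, 1, tzinfo=timezone.utc)
    baseline = datetime(2023, 3, 1, tzinfo=timezone.utc)
    return audit_service_principals(CONSTRUCTED_SPS, now, baseline)


if __name__ == "__main__":
    for finding in audit_constructed_sample():
        print(*finding)
```

Run against the constructed sample, the well-managed principal produces no findings, while the second principal is reported for holding three unexpired credentials, for a password and a certificate both added after the review baseline, for a hundred-year and a ten-year validity period, and for an unlabelled password credential. Each finding carries the credential's keyId so that it can be matched against change records and, if unexplained, removed.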


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.