azbelt
Standalone DLL and sliver extension for enumerating Azure related credentials, primarily on AAD joined machines
Modules
aadjoin
- Gets info about machine AAD status via NetGetAadJoinInformation
credman
- Gets credentials from Credential Manager
env
- Looks for Azure/AAD specific environment variables that may contain secrets
managed
- Calls IMDS endpoint to get info about machine with managed identity
msal
- Looks in various MSAL caches for tokens. Tokens are parsed to display scope and validity
sso
- If machine is AAD joined, get signed PRT cookie
tbres
- Gets tokens from Token Broker cache
all
- Runs all enumeration except SSO
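The msal module description says tokens are parsed to display scope and validity. As an added example (not azbelt's own code), the Python below reads those same fields from a JWT-format access token, which lets a responder reviewing a host judge which cached tokens are still live and what they grant. The function names and the sample token are constructed for illustration; `aud`, `scp`, `roles`, `nbf` and `exp` are standard Entra ID access-token claims.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    header = {"typ": "JWT", "alg": "none"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     _b64url(b"constructed-signature")])


def summarize_token(token: str, now=None) -> dict:
    """Decode claims WITHOUT signature verification: triage only, never authorization."""
    parts = token.split(".")
    if len(parts) != 3:  # opaque tokens and 5-part JWEs cannot be inspected this way
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    now = time.time() if now is None else now
    nbf, exp = claims.get("nbf", 0), claims.get("exp")
    if exp is None:
        state = "no exp claim"
    elif now >= exp:
        state = "expired"
    elif now < nbf:
        state = "not yet valid"
    else:
        state = "valid"
    return {
        "audience": claims.get("aud"),
        "scopes": claims.get("scp", "").split(),  # delegated permissions, space-separated
        "roles": claims.get("roles", []),         # application permissions
        "state": state,
        "seconds_left": max(0, int(exp - now)) if exp is not None else None,
    }


if __name__ == "__main__":
    sample = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read",
                                "nbf": 1700000000, "exp": 1700003600})
    print(summarize_token(sample, now=1700001800))
```

A token reported as valid with broad scopes is the one to revoke first; the signature is deliberately not checked here, so the output describes what the token claims, not whether it is genuine.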
Building from source
A devcontainer is provided for easy development and building. The devcontainer base definition is located here.
To build, simply:
nimble release
This will drop the DLLs into the project folder. If you want the exe for testing the DLL, you can also build the DLL runner:
nimble dllrun
You can do both at the same time:
nimble all