ANIMO: The Azure Red Team Toolkit That’s Changing Cloud Penetration Testing

Introduction:

The emergence of ANIMO (Azure Network Intel & Mission Ops) represents a significant evolution in cloud security assessment, providing red teams with a unified framework for orchestrating attacks against Microsoft 365 and Azure environments. This modular command-and-control-style workbench consolidates numerous attack techniques into a single multi-session desktop interface, enabling security professionals to authenticate, enumerate, and interact with cloud resources with unprecedented efficiency. As organizations continue their rapid migration to cloud platforms like Azure, understanding and testing these environments against sophisticated toolkits becomes paramount for building robust defensive postures.

Learning Objectives:

  • Understand the core modules and capabilities of the ANIMO framework for Azure/Entra-ID security testing.
  • Learn essential PowerShell and Graph API commands for enumerating Azure AD and Microsoft 365 resources.
  • Implement critical defensive controls and monitoring strategies to detect and mitigate ANIMO-style attacks.

You Should Know:

1. Token Acquisition and Management

# Load the MSAL.PS module that provides Get-MsalToken
Import-Module MSAL.PS

# Get an MSAL token for Graph API interactively (the client id below is the well-known Microsoft Office client)
$token = Get-MsalToken -ClientId "d3590ed6-52b3-4102-aeff-aad2292ab01c" -TenantId "your-tenant-id" -Interactive -Scopes "User.Read","Group.Read.All"

# Extract the access token for use with Invoke-RestMethod
$accessToken = $token.AccessToken

# Use the token to call Microsoft Graph
$headers = @{Authorization = "Bearer $accessToken"}
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users" -Headers $headers

This PowerShell sequence demonstrates how ANIMO likely acquires and utilizes access tokens for Microsoft Graph API. The Get-MsalToken cmdlet from the MSAL.PS module authenticates interactively, obtaining a token with specified scopes. The access token is then used in the Authorization header for REST API calls to enumerate users. Defenders should monitor for unusual token requests, especially those requesting excessive permissions or originating from unexpected locations.
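The "excessive permissions" check the paragraph asks defenders for can be done on the token itself: the scopes a client was granted are in the `scp` claim of the access token. The following is an added example, not code from the page or the ANIMO project; it builds an unsigned JWT-shaped sample (constructed, not a real token), reads its claims without verifying the signature (triage only), and flags risky delegated scopes, unexpected client ids and app-only roles. The high-risk scope list and the expected-client allowlist are assumed policy values.

```python
import base64
import json

# Delegated scopes a routine Graph client should not normally hold (assumed allowlist policy)
HIGH_RISK_SCOPES = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All",
}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for testing only; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    """Read the payload segment WITHOUT signature verification: this is triage, not authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def triage_token(token: str, expected_client_ids: set) -> list:
    """Return human-readable findings for a Graph access token; an empty list means nothing stood out."""
    claims = decode_claims(token)
    findings = []
    if claims.get("aud") != "https://graph.microsoft.com":
        findings.append(f"unexpected audience: {claims.get('aud')}")
    if claims.get("appid") not in expected_client_ids:
        findings.append(f"unexpected client application: {claims.get('appid')}")
    risky = sorted(set(claims.get("scp", "").split()) & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk delegated scopes: " + ", ".join(risky))
    if claims.get("roles"):  # 'roles' means app-only permissions, which need no signed-in user
        findings.append("app-only roles present: " + ", ".join(claims["roles"]))
    return findings

# Constructed sample claims (not a real token); the client id is the Microsoft Office id used on the page
SAMPLE_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "appid": "d3590ed6-52b3-4102-aeff-aad2292ab01c",
    "upn": "alice@example.com",
    "scp": "User.Read Group.Read.All Directory.ReadWrite.All",
}
SAMPLE_TOKEN = make_unsigned_jwt(SAMPLE_CLAIMS)
```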

2. Azure AD Enumeration Techniques

# Enumerate all users with specific properties (lastSignInDateTime lives inside signInActivity, which needs AuditLog.Read.All)
$users = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users?`$select=displayName,userPrincipalName,mail,jobTitle,department,signInActivity" -Headers $headers

# Enumerate Azure AD groups and their members, keyed by group id
$groups = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups" -Headers $headers
$membersByGroup = @{}
foreach ($group in $groups.value) {
    $members = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/groups/$($group.id)/members" -Headers $headers
    $membersByGroup[$group.id] = $members.value
}

# Enumerate service principals (results are paged; follow '@odata.nextLink' when more than one page is returned)
$servicePrincipals = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/servicePrincipals" -Headers $headers

ANIMO automates comprehensive Azure AD enumeration through Graph API queries. These commands extract user details, group memberships, and service principals – critical reconnaissance for identifying high-value targets and attack paths. Defenders should implement baseline monitoring for unusual enumeration patterns, particularly large-scale user or group listing operations outside normal business hours.

3. SharePoint and OneDrive Reconnaissance

# Get all SharePoint sites accessible to the user (the sites collection requires a search parameter)
$sites = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/sites?search=*" -Headers $headers

# List the document libraries (drives) of a specific SharePoint site
$siteId = "root"
$drives = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/sites/$siteId/drives" -Headers $headers

# Search for specific file types across the user's OneDrive
$searchUri = "https://graph.microsoft.com/v1.0/me/drive/root/search(q='.pdf')"
$files = Invoke-RestMethod -Uri $searchUri -Headers $headers

These commands demonstrate how ANIMO performs data reconnaissance across SharePoint and OneDrive, identifying accessible sites and searching for sensitive documents. The framework’s GUI likely presents this information in an intuitive file explorer interface. Organizations should implement Data Loss Prevention (DLP) policies and monitor for unusual access patterns to sensitive documents.

4. Teams Data Extraction

# Get all Teams chats for the authenticated user
$chats = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me/chats" -Headers $headers

# Get the messages of each chat, keyed by chat id
$messagesByChat = @{}
foreach ($chat in $chats.value) {
    $messages = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me/chats/$($chat.id)/messages" -Headers $headers
    $messagesByChat[$chat.id] = $messages.value
}

# List all Teams the user is a member of
$teams = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me/joinedTeams" -Headers $headers

ANIMO’s Teams module leverages these Graph API endpoints to extract chat histories, files, and team memberships. This represents a significant data exfiltration risk as Teams often contains sensitive business communications. Defensive monitoring should include alerting on unusual volumes of Teams data access, particularly when combined with other suspicious activities.

5. Privilege Escalation Detection

# List Azure RBAC role assignments (resource plane) for a principal, including classic administrators
az role assignment list --assignee $USER_PRINCIPAL_NAME --include-classic-administrators

# List all service principals with their app roles (--all avoids the default 100-item cap)
az ad sp list --all --query "[].{displayName:displayName, appId:appId, appRoles:appRoles}" --output table

# Review conditional access policies (Azure CLI has no dedicated command, so call Microsoft Graph through az rest)
az rest --method GET --url "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

While ANIMO automates privilege escalation techniques, defenders can use these Azure CLI commands to identify overprivileged accounts and service principals. Regular reviews of role assignments and application permissions are critical, as ANIMO specifically targets token stealing for privilege escalation. Implement Just-In-Time and Just-Enough-Access principles to minimize standing privileges.

6. Persistence Mechanism Identification

# Check for suspicious application registrations (test-like names or no publisher domain)
Get-AzADApplication | Where-Object { $_.DisplayName -like "*test*" -or $null -eq $_.PublisherDomain }

# Review applications that request app-only (Role) permissions, which work without a signed-in user
Get-AzADApplication | ForEach-Object { Get-AzADAppPermission -ObjectId $_.Id } | Where-Object { $_.Type -eq 'Role' }

# Check for credentials added to any application in the last day
Get-AzADApplication | ForEach-Object { Get-AzADAppCredential -ObjectId $_.Id } | Where-Object { $_.StartDateTime -gt (Get-Date).AddDays(-1) }

ANIMO includes persistence capabilities, likely through creating backdoor application registrations or adding credentials to existing service principals. These PowerShell commands help identify such persistence mechanisms. Defenders should implement application governance policies and monitor for new application registrations, particularly those with high-privilege permissions.
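The same review can be run over the JSON that Graph returns for application registrations, which is easier to schedule and diff than an interactive shell. The following is an added example, not code from the page or the ANIMO project; it takes a constructed sample in the shape of the `GET /v1.0/applications` response (ids are made up except the well-known Microsoft Graph resource app id) and flags registrations with no publisher domain, test-like names, recently added credentials and app-only (Role) permissions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of Graph GET /v1.0/applications (the 'value' array); ids are made up,
# except resourceAppId 00000003-0000-0000-c000-000000000000, which is Microsoft Graph's well-known app id
SAMPLE_APPS = [
    {"displayName": "HR Portal", "appId": "11111111-1111-1111-1111-111111111111",
     "publisherDomain": "contoso.example",
     "passwordCredentials": [{"displayName": "prod", "startDateTime": "2024-01-10T00:00:00Z"}],
     "keyCredentials": [],
     "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
                                 "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000001", "type": "Scope"}]}]},
    {"displayName": "test-sync", "appId": "22222222-2222-2222-2222-222222222222",
     "publisherDomain": None,
     "passwordCredentials": [{"displayName": "added", "startDateTime": "2024-06-01T09:30:00Z"}],
     "keyCredentials": [{"displayName": "cert", "startDateTime": "2024-06-01T09:31:00Z"}],
     "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
                                 "resourceAccess": [{"id": "aaaaaaaa-0000-0000-0000-000000000002", "type": "Role"}]}]},
]

def parse_graph_time(value: str) -> datetime:
    """Graph returns ISO 8601 with a trailing 'Z'; fromisoformat needs an explicit offset before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage_applications(apps: list, now: datetime, lookback_days: int = 1) -> dict:
    """Map appId -> list of reasons for registrations worth reviewing (same checks as the PowerShell above)."""
    cutoff = now - timedelta(days=lookback_days)
    findings = {}
    for app in apps:
        reasons = []
        if not app.get("publisherDomain"):
            reasons.append("no publisher domain")
        if "test" in app.get("displayName", "").lower():
            reasons.append("test-like display name")
        creds = app.get("passwordCredentials", []) + app.get("keyCredentials", [])
        recent = [c for c in creds if parse_graph_time(c["startDateTime"]) > cutoff]
        if recent:
            reasons.append(f"{len(recent)} credential(s) added since {cutoff.isoformat()}")
        roles = sum(1 for r in app.get("requiredResourceAccess", [])
                    for a in r.get("resourceAccess", []) if a.get("type") == "Role")
        if roles:
            reasons.append(f"{roles} app-only (Role) permission(s) requested")
        if reasons:
            findings[app["appId"]] = reasons
    return findings
```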

7. Defensive Monitoring and Detection

// Azure Sentinel query for suspicious Graph API patterns
// ResourceDisplayName names the API being called; AppDisplayName is the client application that requested the token
SigninLogs
| where TimeGenerated > ago(1d)
| where ResourceDisplayName == "Microsoft Graph"
| where ResultType == "0"
| summarize LoginCount = count(), DistinctUserAgents = dcount(UserAgent), DistinctIPs = dcount(IPAddress) by UserPrincipalName, AppDisplayName
| where LoginCount > 100 or DistinctIPs > 5
| project UserPrincipalName, AppDisplayName, LoginCount, DistinctUserAgents, DistinctIPs

This Kusto Query Language (KQL) query detects potential ANIMO activity by identifying unusual Microsoft Graph API usage patterns, including high login counts from multiple IP addresses or user agents. Organizations should deploy such detection rules in Azure Sentinel and establish baselines for normal Graph API usage to identify anomalies more effectively.
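To see what the query's thresholds actually do, and to add the per-user baseline the paragraph recommends, here is the same filter and aggregation over constructed sign-in records. This is an added example, not code from the page or the ANIMO project; the records are made up and only mirror the SigninLogs column names the KQL uses, and the baseline rule (flag at three times a user's typical daily count) is an assumed policy.

```python
from collections import defaultdict

def _rec(upn, ip, ua, result="0", resource="Microsoft Graph"):
    """One constructed sign-in record; keys mirror the SigninLogs columns the KQL uses."""
    return {"UserPrincipalName": upn, "ResourceDisplayName": resource,
            "ResultType": result, "IPAddress": ip, "UserAgent": ua}

# Constructed sample (not real logs): a normal user, a scripted high-volume user, a user hopping IPs,
# one failed sign-in that must be ignored, and heavy but non-Graph traffic that must not count
SAMPLE_SIGNINS = (
    [_rec("alice@example.com", "203.0.113.10", "Mozilla/5.0") for _ in range(5)]
    + [_rec("bob@example.com", f"203.0.113.{20 + i % 2}", "python-requests/2.31") for i in range(120)]
    + [_rec("carol@example.com", f"198.51.100.{i}", "PowerShell/7.4") for i in range(1, 7)]
    + [_rec("carol@example.com", "198.51.100.1", "PowerShell/7.4", result="50126")]
    + [_rec("dave@example.com", "203.0.113.50", "Mozilla/5.0", resource="Office 365 Exchange Online")
       for _ in range(200)]
)

def summarize(records: list) -> dict:
    """Equivalent of the KQL filter + summarize: per-user count and distinct agents/IPs of successful Graph sign-ins."""
    agg = defaultdict(lambda: {"LoginCount": 0, "UserAgents": set(), "IPs": set()})
    for r in records:
        if r["ResourceDisplayName"] != "Microsoft Graph" or r["ResultType"] != "0":
            continue
        a = agg[r["UserPrincipalName"]]
        a["LoginCount"] += 1
        a["UserAgents"].add(r["UserAgent"])
        a["IPs"].add(r["IPAddress"])
    return {upn: {"LoginCount": a["LoginCount"], "DistinctUserAgents": len(a["UserAgents"]),
                  "DistinctIPs": len(a["IPs"])} for upn, a in agg.items()}

def flag_anomalies(summary: dict, baseline: dict = None, login_threshold: int = 100, ip_threshold: int = 5) -> dict:
    """Apply the KQL thresholds, plus an optional per-user baseline (typical daily LoginCount):
    a user is also flagged when the count exceeds 3x their own baseline, which catches abuse of
    low-activity accounts that a fixed tenant-wide threshold misses."""
    flagged = {}
    for upn, s in summary.items():
        reasons = []
        if s["LoginCount"] > login_threshold:
            reasons.append(f"{s['LoginCount']} Graph sign-ins (> {login_threshold})")
        if s["DistinctIPs"] > ip_threshold:
            reasons.append(f"{s['DistinctIPs']} distinct IPs (> {ip_threshold})")
        if baseline and upn in baseline and s["LoginCount"] > 3 * baseline[upn]:
            reasons.append(f"{s['LoginCount']} sign-ins vs baseline {baseline[upn]}")
        if reasons:
            flagged[upn] = reasons
    return flagged
```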

What Undercode Say:

  • ANIMO represents the increasing commoditization of advanced attack frameworks specifically targeting cloud environments, lowering the barrier to entry for sophisticated Azure attacks.
  • The multi-session, collaborative nature of the toolkit enables more efficient red team operations but also presents new challenges for detection as activities can be distributed across multiple identities and sessions.

The emergence of ANIMO signals a maturation in cloud attack tooling, moving from scattered scripts to integrated frameworks that mirror traditional C2 capabilities in cloud contexts. This development necessitates a parallel evolution in cloud security monitoring, focusing on behavioral detection rather than signature-based approaches. Defenders must now contend with attacks that leverage legitimate APIs and protocols, making anomaly detection in normal administrative activities increasingly critical. The framework’s emphasis on token-based authentication highlights the urgent need for implementing token protection measures, conditional access policies, and continuous access evaluation. As ANIMO and similar tools evolve, organizations must accelerate their zero-trust implementations, particularly around application permissions and user-to-service access patterns.

Prediction:

The release and eventual open-sourcing of ANIMO will catalyze a significant shift in cloud attack methodologies, leading to a 40-60% increase in sophisticated Azure compromises over the next 18 months. Security vendors will rapidly develop specialized detections for ANIMO-specific TTPs, but the underlying techniques will be incorporated into other frameworks, creating a new baseline for cloud penetration testing capabilities. This evolution will force Microsoft to enhance native logging and detection capabilities in Entra ID and Purview, particularly around Graph API anomaly detection and token usage analytics. Organizations that fail to implement comprehensive cloud security monitoring, application control policies, and regular entitlement reviews will face substantially increased risk of cloud environment compromise through ANIMO-derived attack chains.

Reported By: Dmcxblue Happy – Hackers Feeds