# Azure Security Assessment Checklist

## 🔍 Reconnaissance & Enumeration

### Initial Discovery

#### AADInternals Enumeration

```powershell
# Install module
Install-Module AADInternals

# Get tenant info
Get-AADIntLoginInformation -UserName user@target.com
Get-AADIntTenantDomains -Domain target.com
```

#### Azure CLI Reconnaissance

```bash
# Login
az login

# Get subscription info
az account list --output table

# List resource groups
az group list --output table

# List all resources
az resource list --output table
```
## 👤 Azure AD Assessment

### User & Group Enumeration

#### AzureHound Collection

```powershell
# Invoke AzureHound
Import-Module Az
Import-Module AzureADPreview
Connect-AzureAD

# Collect data for BloodHound
Invoke-AzureHound
```
### Conditional Access

## 🔐 Authentication & Identity

### Password Security

### Token Abuse

```powershell
# Get access token; the default audience is ARM, so request one for Microsoft Graph
# explicitly, otherwise the Graph call below is rejected
$token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

# Use token with REST API
$headers = @{Authorization = "Bearer $token"}
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $headers
```
## ☁️ Azure Resources Assessment

### Storage Accounts

```bash
# List public blobs
az storage blob list --account-name TARGET --container-name CONTAINER --output table

# Anonymous access check
curl https://TARGET.blob.core.windows.net/CONTAINER/FILE
```

### Key Vault

```bash
# List key vaults
az keyvault list --output table

# List secrets
az keyvault secret list --vault-name VAULT_NAME
```

### Virtual Machines

### SQL Databases
## 🔄 Managed Identities

### System-Assigned Identity

```bash
# From compromised VM, get token
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true
```

### User-Assigned Identity

### IMDS Exploitation

## ⚙️ Azure DevOps Security

### Pipeline Security

### Repository Access

## 📊 Privilege Escalation Paths

### Common Paths
| Vector | Risk | Impact |
|--------|------|--------|
| Managed Identity abuse | High | Resource access |
| Storage key exposure | High | Data access |
| App registration secrets | High | API access |
| Contributor to Owner | Critical | Full control |
| VM command execution | High | Code execution |
| Automation runbook abuse | High | Privilege escalation |

### Azure Role Abuse
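Added example, not part of this checklist or of any tool it lists: a small Python triage of `az role assignment list --all -o json` output that flags Owner, Contributor and User Access Administrator assignments at resource-group scope or wider, which is where the "Contributor to Owner" and "Managed Identity abuse" rows above start. The input is a constructed sample with placeholder names and ids; the field names (`principalName`, `principalType`, `roleDefinitionName`, `scope`) follow the CLI's JSON output.

```python
import json

# Roles that grant broad control over everything beneath their scope.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# Constructed sample in the shape of `az role assignment list --all -o json`,
# reduced to the fields the triage uses. Names and ids are placeholders.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"principalName": "alice@contoso.example", "principalType": "User",
   "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "build-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"},
  {"principalName": "vm-web-01", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/prodlogs"}
]""")

# Widest scope first; anything at or above resourceGroup gets reviewed.
SCOPE_RANK = {"managementGroup": 0, "subscription": 1, "resourceGroup": 2, "resource": 3}

def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how wide its blast radius is."""
    parts = [p for p in scope.split("/") if p]
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if len(parts) == 2 and parts[0].lower() == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"

def triage(assignments):
    """Return high-privilege assignments at resource-group scope or wider,
    widest scope first, so the largest blast radius is reviewed first."""
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        level = scope_level(a.get("scope", ""))
        if role in HIGH_PRIVILEGE_ROLES and SCOPE_RANK[level] <= SCOPE_RANK["resourceGroup"]:
            findings.append({"principal": a.get("principalName"), "type": a.get("principalType"),
                             "role": role, "level": level, "scope": a["scope"]})
    return sorted(findings, key=lambda f: SCOPE_RANK[f["level"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_ASSIGNMENTS):
        print(f"{f['level']:<15} {f['role']:<26} {f['type']:<17} {f['principal']}")
```

Pipe real CLI output into `json.load` in place of the sample; service principals with Contributor or Owner at subscription scope are the findings to chase first, since any workload that can obtain their token inherits that scope.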
## 🛡️ Security Configurations

### Network Security

### Logging & Monitoring

## 🛠️ Essential Tools

| Tool | Purpose |
|------|---------|
| AzureHound | Azure AD attack paths |
| AADInternals | Azure AD recon |
| MicroBurst | Azure pentesting |
| ROADtools | Azure AD analysis |
| Azure CLI | Azure management |
| PowerZure | Azure exploitation |
| ScoutSuite | Cloud security audit |
### Installation

```bash
# Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
```

```powershell
# AADInternals
Install-Module AADInternals

# MicroBurst
git clone https://github.com/NetSPI/MicroBurst
Import-Module .\MicroBurst.psm1
```

## 📋 Quick Commands Reference

```bash
# Enumerate users
az ad user list --output table

# Get current user permissions
az role assignment list --assignee $(az ad signed-in-user show --query id -o tsv)

# List all storage accounts
az storage account list --query "[].{name:name,location:location}" -o table

# Check VM managed identity
az vm identity show --resource-group RG --name VM

# Get Key Vault secrets
az keyvault secret list --vault-name VAULT --output table
```
Last updated: 2024