Azure

🔍 Reconnaissance & Enumeration

Initial Discovery

  • Identify Azure tenant (login.microsoftonline.com)
  • Enumerate Azure AD users (o365creeper)
  • Check for open blob storage
  • Subdomain enumeration for Azure services
  • Identify exposed Azure APIs
  • Check for Azure DevOps instances
  • App Registration

AADInternals Enumeration

# Install module
Install-Module AADInternals

# Get tenant info
Get-AADIntLoginInformation -UserName user@target.com
Get-AADIntTenantDomains -Domain target.com

Azure CLI Reconnaissance

# Login
az login

# Get subscription info
az account list --output table

# List resource groups
az group list --output table

# List all resources
az resource list --output table

👤 Azure AD Assessment

User & Group Enumeration

  • Enumerate all users
  • Identify privileged users (Global Admin, etc.)
  • List all groups and memberships
  • Check for guest users
  • Identify service principals
  • Review app registrations

AzureHound Collection

# Load modules and authenticate to Azure AD
Import-Module Az
Import-Module AzureADPreview
Connect-AzureAD

# Collect data for BloodHound
Invoke-AzureHound

Conditional Access

  • Review conditional access policies
  • Identify policy gaps
  • Test MFA enforcement
  • Check for legacy auth enabled
  • Verify device compliance policies
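
The policy review above can be scripted against an export of the tenant's policies. This is an added example, not part of the original checklist; the sample data is constructed and follows the shape of the Microsoft Graph conditionalAccessPolicy resource, and the function names are hypothetical.

```python
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}   # Graph clientAppTypes for legacy auth

# Constructed sample shaped like the "value" array of
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies (not real data).
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"],
                    "users": {"includeUsers": [], "includeRoles": ["<role-template-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth (pilot)",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

def _enforced(policy):
    return policy.get("state") == "enabled"

def _all_users(policy):
    return "All" in policy["conditions"].get("users", {}).get("includeUsers", [])

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])

def policy_gaps(policies):
    """List coverage gaps. Simplified: exclusions, target apps and the grant
    operator are not evaluated, so confirm each finding in the portal."""
    gaps = []
    if not any(_enforced(p) and _all_users(p) and "block" in _controls(p)
               and LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
               for p in policies):
        gaps.append("no enforced policy blocks legacy authentication for all users")
    if not any(_enforced(p) and _all_users(p) and "mfa" in _controls(p)
               for p in policies):
        gaps.append("no enforced policy requires MFA for all users")
    gaps += [f"report-only, not enforced: {p['displayName']}" for p in policies
             if p.get("state") == "enabledForReportingButNotEnforced"]
    return gaps

if __name__ == "__main__":
    for gap in policy_gaps(SAMPLE_POLICIES):
        print(gap)
```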

🔐 Authentication & Identity

Password Security

  • Test password spray attacks
  • Check for password hash sync
  • Review self-service password reset
  • Test for weak passwords
  • Check banned password list

Token Abuse

  • Extract access tokens
  • Test token replay
  • Check refresh token validity
  • Test for token leakage
  • JWT manipulation testing

# Get access token
$token = (Get-AzAccessToken).Token

# Use token with REST API
$headers = @{Authorization = "Bearer $token"}
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/me" -Headers $headers

☁️ Azure Resources Assessment

Storage Accounts

  • Check for public blob access
  • Enumerate containers
  • Test SAS token permissions
  • Check for anonymous access
  • Review access policies
  • Test for misconfigured CORS

# List blobs in a container
az storage blob list --account-name TARGET --container-name CONTAINER --output table

# Anonymous access check
curl https://TARGET.blob.core.windows.net/CONTAINER/FILE

Key Vault

  • Enumerate key vaults
  • Check access policies
  • List secrets and keys
  • Test for over-permissive access
  • Review soft-delete settings

# List key vaults
az keyvault list --output table

# List secrets
az keyvault secret list --vault-name VAULT_NAME

Virtual Machines

  • Enumerate all VMs
  • Check for public IPs
  • Review NSG rules
  • Test for exposed management ports
  • Check disk encryption
  • Review extension configurations
  • Test Managed Identity abuse

SQL Databases

  • Check for public endpoints
  • Test firewall rules
  • Review Azure AD integration
  • Check for TDE encryption
  • Test for SQL injection

🔄 Managed Identities

System-Assigned Identity

# From compromised VM, get token
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H Metadata:true

User-Assigned Identity

  • Identify user-assigned identities
  • Check assigned permissions
  • Test for privilege escalation
  • Review cross-resource access

IMDS Exploitation

  • Access Instance Metadata Service
  • Extract tokens from IMDS
  • Test token permissions
  • Pivot using obtained tokens

⚙️ Azure DevOps Security

Pipeline Security

  • Check for exposed repos
  • Review pipeline configurations
  • Test for secrets in pipelines
  • Check variable group permissions
  • Review service connections

Repository Access

  • Enumerate repositories
  • Check branch policies
  • Test for sensitive data in code
  • Review commit history
  • Check for leaked credentials

Azure Role Abuse

  • Check for custom roles
  • Identify over-permissive roles
  • Test for role assignment capability
  • Check management group inheritance

🛡️ Security Configurations

Network Security

  • Review NSG rules
  • Check for open management ports (3389, 22, 5985)
  • Verify service endpoints
  • Test private endpoints
  • Review VNet peering
  • Check for Azure Firewall

Logging & Monitoring

  • Verify Azure Activity Log
  • Check diagnostic settings
  • Review Azure Monitor alerts
  • Test for log gaps
  • Verify Microsoft Defender status

Installation

# Azure CLI
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

# AADInternals
Install-Module AADInternals

# MicroBurst
git clone https://github.com/NetSPI/MicroBurst
Import-Module .\MicroBurst\MicroBurst.psm1

📋 Quick Commands Reference

# Enumerate users
az ad user list --output table

# Get current user permissions
az role assignment list --assignee $(az ad signed-in-user show --query id -o tsv)

# List all storage accounts
az storage account list --query "[].{name:name,location:location}" -o table

# Check VM managed identity
az vm identity show --resource-group RG --name VM

# Get Key Vault secrets
az keyvault secret list --vault-name VAULT --output table
