Azure Cheatsheet

Getting Started

Install latest version of Azure CLI on Mac

brew update && brew install azure-cli

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos

Install PowerShell

brew install --cask powershell

Run a powershell terminal with:

pwsh

Resource: https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-macos?view=powershell-7.1

Install Azure PowerShell module

For the current user:

if ($PSVersionTable.PSEdition -eq 'Desktop' -and (Get-Module -Name AzureRM -ListAvailable)) {
    Write-Warning -Message ('Az module not installed. Having both the AzureRM and ' +
      'Az modules installed at the same time is not supported.')
} else {
    Install-Module -Name Az -AllowClobber -Scope CurrentUser
}

Resource:
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0

Get authenticated in Powershell

Connect-AzAccount

Install latest version of Azure CLI on linux

# YOLO
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt

Resource: https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0

Authenticate via the CLI

Run this command to get authenticated:

az login

This will result in a web browser opening, or a URL prompt. Navigating to this url will prompt you for a code, which you've been provided in the command line. Paste it in, click next, and select the proper account.

Resource: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos

Info Gathering

List accounts

az account list

Get tenant id

az account list | jq '.[].tenantId'

List tenants

az account tenant list

List Resource Groups

az group list | jq -r '.[].name'

Resource: https://docs.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest

Get Subscription via Powershell

Get-AzSubscription

Resource: https://docs.microsoft.com/en-us/powershell/module/az.accounts/get-azsubscription?view=azps-5.5.0

Set Subscription via Powershell

Set-AzureSubscription -Id [Subscription ID]

Resource: https://powerzure.readthedocs.io/en/latest/Requirements/requirements.html

List all VMs

az vm list

Resource: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest

Blob Storage

List all storage accounts and output in a table format:

az storage account list -o table

List all storage accounts and get storage account names:

az storage account list -o json | jq -r '.[].name'

You can assign one of the account names to an env var if you'd like:

export AZURE_STORAGE_ACCOUNT=<storage account name from output>

Get storage keys

If you set the env var:

az storage account keys list -n $AZURE_STORAGE_ACCOUNT

You can assign one of the keys to an env var if you'd like:

export AZURE_STORAGE_KEY='<your key from the output of the previous command>'

List storage containers

az storage container list --account-name $AZURE_STORAGE_ACCOUNT --account-key "$AZURE_STORAGE_KEY"

List storage container contents

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY

Resource: https://www.secsignal.org/en/news/how-i-hacked-a-domain-controller-in-azure-during-a-penetration-test/

List blob names

az storage blob list --container-name <name of storage container from previous command> --account-name $AZURE_STORAGE_ACCOUNT --account-key $AZURE_STORAGE_KEY | jq '.[].name'

Azure Kubernetes (k8s)

Get available versions of k8s in a region

REGION=westus2 # This will vary depending on the region you're using
az aks get-versions --location $REGION -o table

Resource: https://gist.github.com/yokawasa/fd9d9b28f7c79461f60d86c23f615677#aks-cheat-sheet

List managed k8s clusters

az aks list

Resource: https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest

Get Resource Group Name for clusters

AZ_RESOURCE_GROUP_NAME=$(az aks list | jq -r '.[].resourceGroup')

Get Cluster Name

AZ_CLUSTER_NAME=$(az aks list | jq -r '.[].name')

Configure kubectl

This is pretty awesome, good job Microsoft:

az aks get-credentials --resource-group $AZ_RESOURCE_GROUP_NAME --name $AZ_CLUSTER_NAME

Resources: https://www.reddit.com/r/kubernetes/comments/8ohxcz/how_to_connect_kubectl_to_aks/
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-deploy-cluster

Security Auditing

ScoutSuite

https://github.com/nccgroup/ScoutSuite will generate an HTML report outlining various issues that exist in the configuration for a given account.

Install:

git clone git@github.com:nccgroup/ScoutSuite.git
cd ScoutSuite
pipenv --python 3
pipenv shell
pip install -r requirements.txt

Run:

python scout.py azure --cli

Resources: https://kalilinuxtutorials.com/scout-suite-multi-cloud-security-auditing-tool/

PowerZure

git clone git@github.com:hausec/PowerZure.git
cd PowerZure
pwsh

# Install required modules
Install-Module MSOnline -Force
Install-Module AzureAD -Force
Install-Module AzureADPreview -Force

# Authenticate
Connect-AzAccount

# Import PowerZure
ipmo ./PowerZure.ps1

Install-Module Connect-AzAccount
Set-AzureSubscription -Id [Subscription ID]
# Enumerate all roles
Get-AzureRole
# Enumerate resources the current user has access to
Get-AzureTargets

Resources:
https://powerzure.readthedocs.io/en/latest/
https://stackoverflow.com/questions/64792108/getting-error-could-not-load-file-or-assembly-system-windows-forms-at-import - fix the weird error that comes up for Importing the AzureADPreview module
https://github.com/Azure/azure-docs-powershell-azuread/issues/189 - fix missing modules like Get-AzureADDirectoryRole

Show all functions

powerzure -h 

Get help for a particular function

For example:

get-help Get-AzureTargets

Get all content from all KeyVaults

Show-AzureKeyVaultContent -All

Resource: https://hausec.com/2020/01/31/attacking-azure-azure-ad-and-introducing-powerzure/ - PowerZure general usage info

Azure AD

List all applications

az ad app list --output=table --query='[].{Name:displayName,URL:homepage}'

Resource: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/

VMSS

View all VMSS in a subscription

Simply navigate to this page and use the magical Try it button to use the REST API to grab this info. Neat!

CLI

az vmss list

Get VMSS by name and associated resource group

az vmss list | jq '.[].name, .[].resourceGroup'

List vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP

Resource: https://docs.microsoft.com/en-us/cli/azure/vmss?view=azure-cli-latest
https://github.com/andyt530/az2tf/blob/master/scripts/295_azurerm_virtual_machine_scale_set.sh

Get computer name of vms in a VMSS

az vmss list-instances -n $VMSS_NAME -g $RESOURCE_GROUP | jq '.[].osProfile.computerName'

Run command in vm in a VMSS

az vmss run-command invoke -g $RESOURCE_GROUP -n $VMSS_NAME --command-id RunShellScript --instance-id 0 --scripts 'echo $1 $1' --parameters hello world

Add SSH key to VMSS via Powershell

Please not that the Az module replaces the AzureRM module, and this documentation reflects that.

Before opening up powershell, generate an ssh key:

ssh-keygen -m PEM -t rsa -b 4096 -f ~/.ssh/key-name.pem

Run pwsh and let the powershell begin:

# Import required module
Import-Module Az.Compute

Get-AzVM -ResourceGroupName "ResourceGroup11" -Name "VirtualMachine07"

$VMSS = New-AzureRmVmssConfig
Add-AzVMSshPublicKey -VM $VirtualMachine -KeyData "MIIDszCCApugAwIBAgIJALBV9YJCF/tAMA0GCSq12Ib3DQEB21QUAMEUxCzAJBgNV" -Path "/home/admin/.ssh/authorized_keys"

If you run into issues with importing the module, run this command:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

and restart powershell.

Resources:
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvmsshpublickey?view=azps-5.5.0
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys - doc from microsoft to create an ssh key pair
https://heranonazure.wordpress.com/2017/08/30/solution-change-vm-scale-set-ssh-key/ - cli args
https://stackoverflow.com/questions/56238475/connect-azurermaccount-the-term-connect-azurermaccount-is-not-recognized-as - the hero that mentions that AzureRM doesn't work on Mac OS
https://stackoverflow.com/questions/55357865/the-get-azvm-command-was-found-in-the-module-az-compute-but-the-module-coul - for module import issue