Azure Testing Methodology

(Unauthenticated) Recon and Discovery

At this stage we might only know the domain name or an email address (from OSINT). The goal is to find out information about users, publicly available services, subdomains, etc.

Initial Access

Typically you try to abuse exposed users or services to get an initial foothold (which could be user credentials and/or access tokens).

There is an overlap with malware development, e.g., Creating Malicious Word Files.

Authenticated Enumeration

Now the gained access is used to enumerate further.

Privilege Escalation and Lateral Movement

Based on the information gained from enumeration, we try to gain access to additional things. We never stop enumerating.

Most of the techniques stay within the cloud environment (but might move to other clouds and/or tenants). We named those Moving Around.

Some other techniques are better suited to moving vertically, e.g., from the cloud to on-premises or vice versa; those are described in Cloud to On-Prem. Please note that there is no hard separation between those two.

Persistence

After we have owned the Azure directory, we want to keep our control over the systems; see Azure Persistence.