MWAA's execution role (the IAM role that Airflow workers use to access AWS resources) requires this mandatory policy to function:
@@ -44,3 +46,4 @@ All attacks bypass network controls since they use AWS APIs, not direct internet
This is an architectural flaw in MWAA with no IAM-based mitigation. Every MWAA deployment following AWS documentation has this vulnerability.
**Network Control Bypass:** These attacks work even in private VPCs with no internet access. The SQS API calls use AWS's internal network and VPC endpoints, completely bypassing traditional network security controls, firewalls, and egress monitoring. Organizations cannot detect or block this data exfiltration path through network-level controls.
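Review bot: the closing claims of this hunk ("no IAM-based mitigation", "Every MWAA deployment following AWS documentation has this vulnerability", "Organizations cannot detect or block this data exfiltration path") are absolute, and nothing in the hunk supports them; the only context line says the execution role requires a mandatory policy, which does not establish that no narrower policy or endpoint-level control exists. Suggest either citing the AWS documentation the "following AWS documentation" sentence relies on and stating which specific SQS actions the mandatory policy forces, or softening the wording to what is shown. The detection sentence should also say which log sources were considered: the hunk rules out "network-level controls" but says nothing about API-level logging of the execution role's SQS calls, so a reader cannot tell whether "cannot detect" means undetectable or merely invisible to egress monitoring.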
AzureHound is the BloodHound collector for Microsoft Entra ID and Azure. It is a single static Go binary for Windows/Linux/macOS that talks directly to:
Then, in the **EXPLORE** tab, in the **CYPHER** section you can see a **folder** icon that contains pre-built queries.
Preflight behavior and endpoints
- Each azurehound list <object> typically performs these test calls before enumeration:
1) Identity platform: login.microsoftonline.com
2) Graph: GET https://graph.microsoft.com/v1.0/organization
3) ARM: GET https://management.azure.com/subscriptions?api-version=...
- Cloud environment base URLs differ for Government/China/Germany. See constants/environments.go in the repo.
ARM-heavy objects (less visible in Activity/Resource logs)
- The following list targets predominantly use ARM control plane reads: automation-accounts, container-registries, function-apps, key-vaults, logic-apps, managed-clusters, management-groups, resource-groups, storage-accounts, storage-containers, virtual-machines, vm-scale-sets, web-apps.
- These GET/list operations are typically not written to Activity Logs; data-plane reads (e.g., *.blob.core.windows.net, *.vault.azure.net) are covered by Diagnostic Settings at the resource level.
OPSEC and logging notes
- Microsoft Graph Activity Logs are not enabled by default; enable and export to SIEM to gain visibility of Graph calls. Expect the Graph preflight GET /v1.0/organization with UA azurehound/v2.x.x.
- Entra ID non-interactive sign-in logs record the identity platform auth (login.microsoftonline.com) used by AzureHound.
- ARM control-plane read/list operations are not recorded in Activity Logs; many azurehound list operations against resources won’t appear there. Only data-plane logging (via Diagnostic Settings) will capture reads to service endpoints.
- Defender XDR GraphApiAuditEvents (preview) can expose Graph calls and token identifiers but may lack UserAgent and have limited retention.
Tip: When enumerating for privilege paths, dump users, groups, roles, and role assignments, then ingest in BloodHound and use prebuilt cypher queries to surface Global Administrator/Privileged Role Administrator and transitive escalation via nested groups and RBAC assignments.
Launch the BloodHound web with `curl -L https://ghst.ly/getbhce | docker compose -f - up` and import the `output.json` file. Then, in the EXPLORE tab, in the CYPHER section you can see a folder icon that contains pre-built queries.
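Review bot: the ARM logging point is stated twice in this region, once under "ARM-heavy objects" (GET/list operations not written to Activity Logs, data-plane reads covered by Diagnostic Settings) and again under "OPSEC and logging notes" with near-identical wording; suggest keeping it in one place. The BloodHound import instructions are likewise duplicated (the "EXPLORE tab / CYPHER section / folder icon" sentence appears both before the preflight section and after the tip), so one of the two copies should go. Minor: the ARM preflight shows `api-version=...`; if the value is known it should be filled in, otherwise say it varies so readers do not treat the literal as a placeholder to paste.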
@@ -48,6 +48,15 @@ In summary, a Log Analytics workspace is essential for advanced monitoring, trou
You can configure a resource to send data to an analytics workspace from the **diagnostic settings** of the resource.
## Graph vs ARM logging visibility (useful for OPSEC/hunting)
- Microsoft Graph Activity Logs are not enabled by default. Enable and export them (Event Hubs/Log Analytics/SIEM) to see Graph read calls. Tools like AzureHound perform a preflight GET to /v1.0/organization that will appear here; default UA observed: azurehound/v2.x.x.
- Entra ID non-interactive sign-in logs record the identity platform authentication (login.microsoftonline.<tld>) used by scripts/tools.
- ARM control-plane read/list (HTTP GET) operations are generally not written to Activity Logs. Visibility of read operations comes from resource Diagnostic Settings for data-plane endpoints only (e.g., *.blob.core.windows.net, *.vault.azure.net) and not from ARM control-plane calls to management.azure.<tld>.
- Microsoft Defender XDR Advanced Hunting GraphApiAuditEvents (preview) can expose Graph calls and token identifiers but may omit UserAgent and has limited default retention.
When hunting for AzureHound, correlate Entra sign-in logs with Graph Activity Logs on session ID, IP, user/object IDs, and look for bursts of Graph requests plus ARM management calls that lack Activity Log coverage.
## Enumeration
### Entra ID
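Review bot: this added "Graph vs ARM logging visibility" section repeats the OPSEC and logging notes already carried on the AzureHound page (Graph Activity Logs disabled by default, the preflight GET /v1.0/organization with UA azurehound/v2.x.x, ARM control-plane GETs absent from Activity Logs, GraphApiAuditEvents preview limitations) almost verbatim; suggest keeping one authoritative copy and linking to it from the other page so the two do not drift. The closing hunting paragraph says to correlate Entra sign-in logs with Graph Activity Logs on "session ID, IP, user/object IDs" but names no concrete fields from either log, so the advice is not yet actionable; listing the join columns, or adding a short sample query, would make it so.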
@@ -105,5 +114,8 @@ az monitor metrics alert list --output table
az monitor activity-log alert list --output table
```
## References
- [Cloud Discovery With AzureHound (Unit 42)](https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/)