Azure

1. Azure Cloud Overview

Core Components

• Azure Active Directory (AAD / Entra ID) – Identity & Access Management (users, groups, roles, service principals, managed identities).

• Azure Resource Manager (ARM) – Control plane for deploying, managing, securing resources.

• Office 365 / M365 – Productivity suite, integrated with AAD.

Cloud Spaces

• Control Plane: ARM API, Azure Portal, PowerShell, CLI.

• Data Plane: Actual resources (VMs, Blob Storage, Functions, etc.).

• Identity Plane: AAD identities, tokens, RBAC.

2. Authentication in Azure

Methods

1. Username & Password (long-term)

   Copy

   az login
   Connect-AzAccount
   Connect-MgGraph -Scopes "Directory.Read.All"

2. Service Principal (App ID + Secret/Cert)

   Copy

   az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
   $cred = Get-Credential   # AppID + Secret
   Connect-AzAccount -ServicePrincipal -Tenant <TenantID> -Credential $cred

3. Access Token (short-term)

   Copy

   az account get-access-token --resource=https://management.azure.com
   Connect-AzAccount -AccessToken <AAD_AccessToken>

4. Instance Metadata Service (IMDS) – Auto-issued tokens inside VMs

   Copy

   curl -H "Metadata:true" \
   "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

Concept: IMDS

• 169.254.169.254 = internal IP for Azure metadata.

• Exposes OAuth2 tokens for Managed Identity.

• Exploitable via SSRF or local compromise.

• IMDSv1: No session binding → SSRF-prone.

• IMDSv2 (work in progress for Azure, stronger binding).

3. Enumeration Phase

AAD Discovery

• Check if target org uses Entra ID:

• List current session:

• Enumerate roles:

• Enumerate users & groups:

• Applications / Service Principals:

4. Exploitation Scenarios

4.1 SSRF → IMDS Token Theft

1. Find SSRF in a web app on Azure VM.

2. Target IMDS endpoint:

   → Returns access token for Microsoft Graph API.

3. Configure with stolen creds:

4. Enumerate tenant, users, groups with Graph API.

4.2 ARM Token Abuse

• Request ARM-scoped token from IMDS:

• Enumerate resources:

4.3 Privilege Escalation via RBAC

• List roles:

• If attacker has Owner/Contributor → can create new role or assign higher privileges.

• Example: Attach User Access Administrator → take over.

4.4 Service Principal Abuse

• If SP creds are leaked (from GitHub, etc.):

• Check assigned roles → escalate or pivot.

5. Post-Exploitation

• Dump data from Blob Storage:

• Enumerate Key Vault secrets:

6. Lateral Movement

• Use stolen tokens to pivot tenants/subscriptions.

• Exploit custom role definitions to gain indirect access.

• Example scenario from CTF (generalized):

  • Attacker compromises VM → retrieves IMDS token.

  • Token has Reader role at subscription level.

  • However, token also has custom role at VM resource scope → allows reading group info.

  • From there, attacker enumerates applications and pivots via Graph API.

7. Detection & Defense

• Enable Azure AD logs & alerts: Monitor anomalous logins, token use.

• Restrict IMDS exposure: Disable public endpoints, enforce network rules.

• Use Conditional Access: Restrict Graph API access by location/device.

• RBAC Hardening: Audit custom roles, remove broad assignments.

• Key Vault: Enable firewall & access policies.