Sunday, June 5, 2022

A Powershell Module Implementing Various Azure Red Team Tactics




Powershell module implementing various cmdlets to interact with Azure and Azure AD from an offensive perspective.

Helpful utilities dealing with access token based authentication, switching between the Az, AzureAD and az cli interfaces, easy to use pre-made attacks such as Runbook-based command execution, and more.

The Most Valuable Cmdlets

This toolkit brings lots of various cmdlets. This section highlights the most important and useful ones.

A typical Red Team / audit workflow starting with stolen credentials can be summarised as follows:

Credentials Stolen -> Authenticate to Azure/AzureAD -> find out whether they are valid -> find out what you can do with them

The cmdlets below are precisely suited to help you follow this sequence:

  1. Connect-ART – Offers various means to authenticate to Azure – credentials, PSCredential, token

  2. Connect-ARTAD – Offers various means to authenticate to Azure AD – credentials, PSCredential, token

  3. Get-ARTWhoami – Whenever you authenticate – run this to check whoami and validate your access

  4. Get-ARTAccess – Then, once you know you have access – find out what you can do and what is possible by performing Azure situational awareness

  5. Get-ARTADAccess – Similarly, find out what you can do scoped to Azure AD.

Use Cases

Cmdlets implemented in this module came in handy in the following use and attack scenarios:

  • Juggling with access tokens from Az to AzureAD and back again.
  • Nicely print the authentication context (aka whoami) in Az, AzureAD, Microsoft.Graph and az cli at the same time
  • Display available permissions granted to the user on a target Azure VM
  • Display accessible Azure Resources along with the permissions we have against them
  • Easily read all accessible Azure Key Vault secrets
  • Authenticate as a Service Principal to leverage the Privileged Role Administrator role assigned to that Service Principal
  • Execute an attack against Azure Automation via a malicious Runbook

Installation

This module depends on the Powershell Az and AzureAD modules being pre-installed. Microsoft.Graph and az cli are optional but nonetheless really useful. Before one starts crafting around Azure, the following commands may be used to prepare one's offensive environment:

Install-Module Az -Force -Confirm -AllowClobber -Scope CurrentUser
Install-Module AzureAD -Force -Confirm -AllowClobber -Scope CurrentUser
Install-Module Microsoft.Graph -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL
Install-Module MSOnline -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL
Install-Module AzureADPreview -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL
Install-Module AADInternals -Force -Confirm -AllowClobber -Scope CurrentUser # OPTIONAL

Import-Module Az
Import-Module AzureAD

Even though only the first two modules are required by AzureRT, it is good to have the others pre-installed too.

Then, to load this module, simply type:

PS> . .\AzureRT.ps1

And you're good to go.

Or you can let AzureRT install and import all the dependencies:

PS> . .\AzureRT.ps1
PS> Import-ARTModules

Batteries Included

The module will gradually receive further tools and utilities, naturally categorised into the subsequent kill chain phases.

Every cmdlet has a help message detailing its parameters, description and example usage:

PS C:\> Get-Help Connect-ART

Currently, the following utilities are included:

Authentication & Token mechanics

  • Get-ARTWhoami – Displays and validates our authentication context on the Azure, AzureAD, Microsoft.Graph and az cli interfaces.

  • Connect-ART – Invokes Connect-AzAccount to authenticate the current session to the Azure Portal via a provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting them from the provided Token.

  • Connect-ARTAD – Invokes Connect-AzureAD (and optionally Connect-MgGraph) to authenticate the current session to Azure Active Directory via a provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting them from the provided Token.

  • Connect-ARTADServicePrincipal – Invokes Connect-AzAccount to authenticate the current session to the Azure Portal via a provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting them from the provided Token. Then it creates a self-signed PFX certificate and associates it with the Service Principal for authentication. Afterwards, it authenticates as that Service Principal to AzureAD and disassociates the certificate to clean up.

  • Get-ARTAccessTokenAzCli – Acquires an access token from az cli, via az account get-access-token

  • Get-ARTAccessTokenAz – Acquires an access token from the Az module, via Get-AzAccessToken.

  • Get-ARTAccessTokenAzureAD – Gets an access token from Azure Active Directory. Authored by Simon Wahlin, @SimonWahlin

  • Get-ARTAccessTokenAzureADCached – Attempts to retrieve the locally cached AzureAD access token (https://graph.microsoft.com), stored after Connect-AzureAD occurred.

  • Remove-ARTServicePrincipalKey – Performs cleanup actions after running Connect-ARTADServicePrincipal

Recon & Situational Awareness

  • Get-ARTAccess – Performs Azure Situational Awareness.

  • Get-ARTADAccess – Performs Azure AD Situational Awareness.

  • Get-ARTTenants – Lists the Tenants available to the currently authenticated user (or to the one based on the supplied Access Token)

  • Get-ARTDangerousPermissions – Analyzes accessible Azure Resources and the associated permissions the user has on them to find all the Dangerous ones that could be abused by an attacker.

  • Get-ARTResource – Authenticates to https://management.azure.com using the provided Access Token and pulls the accessible resources and the permissions the token Owner has against them.

  • Get-ARTRoleAssignment – Displays a somewhat easier to read representation of the Azure RBAC roles assigned to the currently used Principal.

  • Get-ARTADRoleAssignment – Displays Azure AD Role assignments on the current user or on all Azure AD users.

  • Get-ARTADScopedRoleAssignment – Displays Azure AD Scoped Role assignments on the current user or on all Azure AD users, associated with Administrative Units

  • Get-ARTRolePermissions – Displays all granted permissions on a specified Azure RBAC role.

  • Get-ARTADRolePermissions – Displays all granted permissions on a specified Azure AD role.

  • Get-ARTADDynamicGroups – Displays Azure AD Dynamic Groups along with their user Membership Rules, member count and the current user's membership status

  • Get-ARTApplication – Lists Azure AD Enterprise Applications that the current user is owner of (or all existing ones when -All is used) along with their owners and Service Principals

  • Get-ARTApplicationProxy – Lists Azure AD Enterprise Applications that have Application Proxy set up.

  • Get-ARTApplicationProxyPrincipals – Displays users and groups assigned to the specified Application Proxy application.

  • Get-ARTStorageAccountKeys – Displays all the available Storage Account keys.

  • Get-ARTKeyVaultSecrets – Lists all available Azure Key Vault secrets. This cmdlet assumes that the requesting user connected to Azure AD with a KeyVaultAccessToken (scoped to https://vault.azure.net) and has the “Key Vault Secrets User” role assigned (or equivalent).

  • Get-ARTAutomationCredentials – Lists all available Azure Automation Account credentials and attempts to pull their values (unable to pull values!).

  • Get-ARTAutomationRunbookCode – Invokes a REST API method to pull the specified Runbook's source code.

  • Get-ARTAzVMPublicIP – Retrieves an Azure VM's Public IP address

  • Get-ARTResourceGroupDeploymentTemplate – Displays Resource Group Deployment Template JSON based on input parameters, or pulls all of them at once.

  • Get-ARTAzVMUserDataFromInside – Retrieves Azure VM User Data from inside a VM by reaching the Instance Metadata endpoint.

Privilege Escalation

  • Add-ARTADGuestUser – Sends an Azure AD Guest user invitation e-mail, allowing an external attacker to expand access to the AAD tenant, and returns the Invite Redeem URL used to easily accept the invitation.

  • Set-ARTADUserPassword – Abuses an Authentication Administrator Role Assignment to reset other non-admin users' passwords.

  • Add-ARTUserToGroup – Adds a specified Azure AD User to the specified Azure AD Group.

  • Add-ARTUserToRole – Adds a specified Azure AD User to the specified Azure AD Role.

  • Add-ARTADAppSecret – Adds a client secret to Azure AD Applications. Authored by Nikhil Mittal, @nikhil_mitt

Lateral Movement

  • Invoke-ARTAutomationRunbook – Creates an Automation Runbook under the specified Automation Account and against the selected Worker Group. That Runbook will contain Powershell commands to be executed on all the affected Azure VMs.

  • Invoke-ARTRunCommand – Abuses the virtualMachines/runCommand permission against a specified Azure VM to run a custom Powershell command.

  • Update-ARTAzVMUserData – Modifies the Azure VM User Data script through a direct API invocation.

  • Invoke-ARTCustomScriptExtension – Creates a new or modifies an existing Azure VM Custom Script Extension, leading to remote code execution.

Misc

  • Get-ARTTenantID – Retrieves the current user's Tenant ID, or the Tenant ID based on a supplied Domain name.

  • Get-ARTPRTToken – Retrieves the current user's PRT (Primary Refresh Token) value using Dirk-jan Mollema's ROADtoken

  • Get-ARTPRTNonce – Retrieves the current user's PRT (Primary Refresh Token) nonce value

  • Get-ARTUserId – Acquires the current user, or the user specified in the ObjectId parameter, via the Az module

  • Get-ARTSubscriptionId – Helper that collects the current Subscription ID.

  • Parse-JWTtokenRT – Parses an input JWT token and prints it out nicely.

  • Invoke-ARTGETRequest – Takes an Access Token and invokes a GET REST API request against a specified URI. It also verifies whether the provided token has the required audience set.

  • Import-ARTModules – Installs and imports the required and optional Powershell modules for Azure Red Team activities
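Several cmdlets above rely on reading claims straight out of an access token: Connect-ART and Connect-ARTAD pull the Tenant ID and account from the token, Parse-JWTtokenRT prints its claims, and Invoke-ARTGETRequest checks the audience before sending a request. The following is an added example, not AzureRT's own code, showing that inspection in plain Powershell: it decodes the base64url payload without verifying the signature (inspection only, not validation), extracts tid/oid/upn, and checks that aud matches the endpoint the token is about to be used against. The ConvertFrom-JwtPayload and Test-JwtAudience function names and the sample token are constructed for this example.

```powershell
function ConvertFrom-JwtPayload {
    # Decodes the second JWT segment (the claims) into an object. No signature check.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload[.signature]" }
    # JWT segments are base64url without padding; convert to standard base64 first
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return ($json | ConvertFrom-Json)
}

function Test-JwtAudience {
    # Reports the identity claims a Connect-ART style cmdlet would extract and whether
    # the token's audience matches the API it is about to be presented to.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience   # e.g. https://management.azure.com
    )
    $claims   = ConvertFrom-JwtPayload -Token $Token
    # aud may carry a trailing slash or not depending on how the token was requested
    $actual   = ([string]$claims.aud).TrimEnd('/')
    $expected = $ExpectedAudience.TrimEnd('/')
    $expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    [pscustomobject]@{
        TenantId      = $claims.tid
        ObjectId      = $claims.oid
        Upn           = $claims.upn
        Audience      = $claims.aud
        AudienceMatch = ($actual -eq $expected)
        ExpiresUtc    = $expires
        Expired       = ($expires -lt [DateTime]::UtcNow)
    }
}

# Constructed, unsigned sample token with placeholder claims so the example runs offline.
$samplePayload = '{"aud":"https://management.azure.com/","tid":"00000000-0000-0000-0000-000000000000","oid":"11111111-1111-1111-1111-111111111111","upn":"user@example.com","exp":4102444800}'
$b64url = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($samplePayload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleToken = "eyJhbGciOiJub25lIn0.${b64url}."

# A token minted for graph.microsoft.com would report AudienceMatch = False here
Test-JwtAudience -Token $sampleToken -ExpectedAudience 'https://management.azure.com' | Format-List
```

Feed it the output of Get-AzAccessToken or az account get-access-token to see why a Graph token is rejected by the management endpoint and vice versa.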

Show Support

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better, a beer) just to say thank you!



Mariusz Banach / mgeeky, (@mariuszbit)
<mb [at] binary-offensive.com>
