دليل مختصر لـ AzureHound جامع بيانات BloodHound
نظرة عامة
AzureHound هو جامع بيانات لـ BloodHound طُوِّر بواسطة SpecterOps يجمع معلومات من Azure Active Directory وAzure Resource Manager. يقوم بتعيين علاقات Azure AD ومسارات الهجوم، ويوفر إمكانيات تصور للبيئات Azure مشابهة لتحليل Active Directory المحلي بواسطة BloodHound.
⚠️ تحذير: هذه الأداة مخصصة للاختبار الاختراقي المصرح به وتقييمات الأمن فقط. تأكد من وجود التفويض المناسب قبل الاستخدام في أي بيئة.
التثبيت
الثنائيات المجمعة مسبقًا
# Download latest release for Linux
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip
unzip azurehound-linux-amd64.zip
chmod +x azurehound
# Download for Windows
# Download azurehound-windows-amd64.zip from GitHub releases
# Download for macOS
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip
unzip azurehound-darwin-amd64.zip
chmod +x azurehoundالبناء من المصدر
# Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
go build -o azurehound ./cmd/azurehoundتثبيت Docker
# Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
docker build -t azurehound .
# Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehoundالاستخدام الأساسي
طرق المصادقة
# Interactive authentication
./azurehound -u user@domain.com -p password
# Device code authentication
./azurehound --device-code
# Service principal authentication
./azurehound --client-id <client-id> --client-secret <secret> --tenant-id <tenant-id>
# Certificate authentication
./azurehound --client-id <client-id> --cert-path cert.pem --key-path key.pem --tenant-id <tenant-id>
# Managed identity authentication (Azure VM)
./azurehound --managed-identityجمع البيانات الأساسي
# Collect all available data
./azurehound list all
# Collect specific data types
./azurehound list users,groups,applications
# Output to specific file
./azurehound list all -o azure_data.json
# Collect with specific tenant
./azurehound list all --tenant-id <tenant-id>مرجع الأوامر
خيارات المصادقة
| خيار | وصف |
|---|---|
-u, --username | اسم المستخدم للمصادقة |
-p, --password | كلمة المرور للمصادقة |
--device-code | استخدم تدفق رمز الجهاز |
--client-id | معرف عميل المبدأ الخدمي |
--client-secret | سر المبدأ الخدمي |
--cert-path | مسار ملف الشهادة |
--tenant-id | معرف مستأجر Azure AD |
خيارات التجميع
| خيار | وصف |
|---|---|
list | جمع أنواع البيانات المحددة |
-o, --output | مسار ملف الإخراج |
--threads | عدد الخيوط المتزامنة |
--delay | التأخير بين الطلبات (مللي ثانية) |
--jitter | نسبة التذبذب العشوائي |
--timeout | مهلة الطلب (ثواني) |
أنواع البيانات
| نوع | وصف |
|---|---|
users | مستخدمي Azure AD |
groups | مجموعات Azure AD |
applications | تسجيلات التطبيقات |
service-principals | رؤساء الخدمة |
devices | أجهزة Azure AD |
roles | أدوار الدليل |
subscriptions | اشتراكات Azure |
resource-groups | مجموعات الموارد |
استراتيجيات جمع البيانات
التجميع الشامل
# Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json
# Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json
# Collect everything
./azurehound list all -o azure_full_dump.jsonالتجميع المستهدف
# Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json
# Application and service principal focus
./azurehound list applications,service-principals -o applications.json
# Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.jsonالتجميع التسلل
# Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json
# Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json
# Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.jsonتقنيات التجميع المتقدمة
التجميع متعدد المستأجرين
# Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id")
for tenant in "$\\\\{tenants[@]\\\\}"; do
./azurehound list all --tenant-id $tenant -o "tenant_$\\\\{tenant\\\\}.json"
done
# Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.jsonحصر الاشتراكات
# List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json
# Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id <sub-id> -o subscription_data.json
# Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do
./azurehound list all --subscription-id $sub_id -o "sub_$\\\\{sub_id\\\\}.json"
doneالاستعلامات والفلاتر المخصصة
# Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json
# Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json
# Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.jsonتكامل BloodHound
استيراد البيانات إلى BloodHound
# Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound
# Import AzureHound data
# Use BloodHound GUI to import the JSON files
# File -> Import Data -> Select AzureHound JSON filesاستعلامات Cypher المخصصة
-- Find all Global Administrators
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: "Global Administrator"\\\\})
RETURN u.displayname, u.userprincipalname
-- Find applications with high privileges
MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole)
WHERE role.value CONTAINS "All"
RETURN app.displayname, role.value
-- Find users with direct role assignments
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole)
WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r)
RETURN u.displayname, r.displayname
-- Find privilege escalation paths
MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole)
WHERE r.displayname CONTAINS "Administrator"
RETURN p
-- Find applications owned by users
MATCH (u:AZUser)-[:AZOwns]->(app:AZApp)
RETURN u.displayname, app.displayname
-- Find service principals with secrets
MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret)
RETURN sp.displayname, s.displaynameاستعلامات BloodHound المخصصة
\\\\{
"queries": [
\\\\{
"name": "Azure Global Admins",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\}) RETURN u"
\\\\}
]
\\\\},
\\\\{
"name": "High Privilege Applications",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
\\\\}
]
\\\\},
\\\\{
"name": "Privilege Escalation Paths to Global Admin",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\})) RETURN p"
\\\\}
]
\\\\}
]
\\\\}معالجة وتحليل البيانات
معالجة بيانات JSON
# Extract user information
jq '.data[]|select(.kind == "AZUser")|\\\\{name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled\\\\}' azure_data.json
# Find privileged users
jq '.data[]|select(.kind == "AZUser" and (.properties.assignedRoles // [])|length > 0)' azure_data.json
# Extract application permissions
jq '.data[]|select(.kind == "AZApp")|\\\\{name: .properties.displayName, permissions: .properties.requiredResourceAccess\\\\}' azure_data.json
# Count objects by type
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.jsonتحليل PowerShell
I’ve translated the headings and overview text. The placeholders for sections 3-20 remain empty as no specific text was provided for those sections.```powershell
Load and analyze AzureHound data
$azureData = Get-Content -Path “azure_data.json”|ConvertFrom-Json
Find users with administrative roles
$adminUsers = $azureData.data|Where-Object \\{ $.kind -eq “AZUser” -and $.properties.assignedRoles -contains “Global Administrator” \\}
Find applications with high privileges
$highPrivApps = $azureData.data|Where-Object \\{ $.kind -eq “AZApp” -and $.properties.requiredResourceAccess.resourceAppId -contains “00000003-0000-0000-c000-000000000000” \\}
Generate summary report
$report = @\\{ TotalUsers = ($azureData.data|Where-Object \\{$.kind -eq “AZUser”\\}).Count TotalGroups = ($azureData.data|Where-Object \\{$.kind -eq “AZGroup”\\}).Count TotalApps = ($azureData.data|Where-Object \\{$_.kind -eq “AZApp”\\}).Count AdminUsers = $adminUsers.Count HighPrivApps = $highPrivApps.Count \\}
$report|ConvertTo-Json|Out-File “azure_summary.json”
```python
import json
import pandas as pd
# Load AzureHound data
with open('azure_data.json', 'r') as f:
azure_data = json.load(f)
# Convert to DataFrame for analysis
df = pd.json_normalize(azure_data['data'])
# Analyze user distribution
users_df = df[df['kind'] == 'AZUser']
user_stats = \\\\{
'total_users': len(users_df),
'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]),
'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']),
'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()])
\\\\}
# Analyze applications
apps_df = df[df['kind'] == 'AZApp']
app_stats = \\\\{
'total_apps': len(apps_df),
'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]),
'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()])
\\\\}
print(f"User Statistics: \\\\{user_stats\\\\}")
print(f"Application Statistics: \\\\{app_stats\\\\}")
```## الأمن التشغيلي
### تقنيات التخفي
```bash
# Use legitimate user agent
./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Randomize request timing
./azurehound list all --delay 3000 --jitter 75
# Use proxy for requests
./azurehound list all --proxy http://proxy:8080
# Limit concurrent requests
./azurehound list all --threads 2
```### تجنب تحديد المعدل
```bash
# Implement exponential backoff
./azurehound list all --retry-count 5 --retry-delay 30
# Spread collection over time
./azurehound list users --delay 10000
sleep 300
./azurehound list groups --delay 10000
sleep 300
./azurehound list applications --delay 10000
```### التهرب من السجلات
```bash
# Use service principal instead of user account
./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
# Perform collection during business hours
current_hour=$(date +%H)
if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then
./azurehound list all -o business_hours_collection.json
fi
```## الأتمتة والبرمجة النصية
### البرنامج النصي للتجميع التلقائي
```bash
#!/bin/bash
# AzureHound automated collection script
TENANT_ID="your-tenant-id"
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"
OUTPUT_DIR="./azurehound_output"
# Create output directory
mkdir -p $OUTPUT_DIR
# Collect Azure AD data
echo "Collecting Azure AD data..."
./azurehound list users,groups,applications,service-principals,devices,roles \
--client-id $CLIENT_ID \
--client-secret $CLIENT_SECRET \
--tenant-id $TENANT_ID \
--threads 3 \
--delay 2000 \
-o "$OUTPUT_DIR/azuread_$(date +%Y%m%d_%H%M%S).json"
# Collect Azure Resource data
echo "Collecting Azure Resource data..."
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \
--client-id $CLIENT_ID \
--client-secret $CLIENT_SECRET \
--tenant-id $TENANT_ID \
--threads 2 \
--delay 3000 \
-o "$OUTPUT_DIR/azure_resources_$(date +%Y%m%d_%H%M%S).json"
echo "Collection completed. Files saved to $OUTPUT_DIR"
```### أتمتة PowerShell
```powershell
# PowerShell automation script
param(
[string]$TenantId,
[string]$ClientId,
[string]$ClientSecret,
[string]$OutputPath = ".\azurehound_output"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force
# Define collection types
$collections = @(
@\\\\{Name = "users"; Types = "users,groups,roles"\\\\},
@\\\\{Name = "applications"; Types = "applications,service-principals"\\\\},
@\\\\{Name = "devices"; Types = "devices,conditional-access-policies"\\\\},
@\\\\{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"\\\\}
)
# Perform collections
foreach ($collection in $collections) \\\\{
$outputFile = Join-Path $OutputPath "$($collection.Name)_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"
Write-Host "Collecting $($collection.Name) data..."
& .\azurehound.exe list $collection.Types `
--client-id $ClientId `
--client-secret $ClientSecret `
--tenant-id $TenantId `
--threads 2 `
--delay 2000 `
-o $outputFile
Start-Sleep -Seconds 30
\\\\}
Write-Host "Collection completed. Files saved to $OutputPath"
```## استكشاف الأخطاء وإصلاحها
### مشاكل المصادقة
```bash
# Test authentication
./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
# Debug authentication
./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
# Check token validity
./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
```### مشاكل الأذونات
```bash
# Check required permissions
./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID
# List current permissions
./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID
# Test specific permission
./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID
```### مشاكل تحديد المعدل
```bash
# Handle rate limiting
./azurehound list all --retry-count 10 --retry-delay 60 --threads 1
# Monitor rate limit headers
./azurehound list users --debug|grep -i "rate\|limit\|throttle"
# Use exponential backoff
./azurehound list all --backoff-strategy exponential --max-delay 300
```### مشاكل جمع البيانات
```bash
# Validate output
jq empty azure_data.json && echo "Valid JSON"||echo "Invalid JSON"
# Check data completeness
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json
# Verify specific data types
jq '.data[]|select(.kind == "AZUser")|length' azure_data.json
```## التكامل مع الأدوات الأخرى
### التكامل مع ROADtools
```bash
# Convert AzureHound data for ROADtools
jq '.data[]|select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json
# Use with ROADtools database
roadrecon import --file azure_data.json
roadrecon gui
```### التكامل مع AADInternals
```powershell
# Use AzureHound data with AADInternals
$azureHoundData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
# Extract user information for AADInternals
$users = $azureHoundData.data|Where-Object \\\\{$_.kind -eq "AZUser"\\\\}
foreach ($user in $users) \\\\{
# Use AADInternals to get additional information
$additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName
\\\\}
```### التكامل مع الأداة المخصصة
```python
# Python integration example
import json
import requests
def process_azurehound_data(file_path):
with open(file_path, 'r') as f:
data = json.load(f)
# Process users
users = [item for item in data['data'] if item['kind'] == 'AZUser']
# Process groups
groups = [item for item in data['data'] if item['kind'] == 'AZGroup']
# Process applications
apps = [item for item in data['data'] if item['kind'] == 'AZApp']
return \\\\{
'users': users,
'groups': groups,
'applications': apps
\\\\}
# Usage
processed_data = process_azurehound_data('azure_data.json')
```## الموارد
- [مستودع AzureHound على GitHub](https://github.com/BloodHoundAD/AzureHound)
- [توثيق BloodHound](https://bloodhound.readthedocs.io/)
- [مدونة SpecterOps](https://posts.specterops.io/)
- [هجوم وحماية Azure AD](https://cloudbrothers.info/en/azure-attack-defense/)
- [إصدار المجتمع من BloodHound](https://github.com/SpecterOps/BloodHound)
---
*يوفر هذا الدليل المرجعي مرجعًا شاملًا لاستخدام AzureHound. تأكد دائمًا من وجود التفويض المناسب قبل إجراء تقييمات أمان Azure AD.*