AzureHound BloodHound Data Collector Cheat Sheet

Overview

AzureHound is a data collector for BloodHound developed by SpecterOps that gathers information from Azure Active Directory and Azure Resource Manager. It maps Azure AD relationships and attack paths, providing visualization capabilities for Azure environments similar to BloodHound's on-premises Active Directory analysis.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

Pre-compiled Binaries

# Download latest release for Linux
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip
unzip azurehound-linux-amd64.zip
chmod +x azurehound

# Download for Windows
# Download azurehound-windows-amd64.zip from GitHub releases

# Download for macOS
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip
unzip azurehound-darwin-amd64.zip
chmod +x azurehound

Build from Source

# Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
go build -o azurehound ./cmd/azurehound

Docker Installation

# Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
docker build -t azurehound .

# Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehound

Basic Usage

Authentication Methods

# Interactive authentication
./azurehound -u user@domain.com -p password

# Device code authentication
./azurehound --device-code

# Service principal authentication
./azurehound --client-id <client-id> --client-secret <secret> --tenant-id <tenant-id>

# Certificate authentication
./azurehound --client-id <client-id> --cert-path cert.pem --key-path key.pem --tenant-id <tenant-id>

# Managed identity authentication (Azure VM)
./azurehound --managed-identity

Basic Data Collection

# Collect all available data
./azurehound list all

# Collect specific data types
./azurehound list users,groups,applications

# Output to specific file
./azurehound list all -o azure_data.json

# Collect with specific tenant
./azurehound list all --tenant-id <tenant-id>

Command Reference

Authentication Options

Option	Description
-u, --username	Username for authentication
-p, --password	Password for authentication
--device-code	Use device code flow
--client-id	Service principal client ID
--client-secret	Service principal secret
--cert-path	Certificate file path
--tenant-id	Azure AD tenant ID

Collection Options

Option	Description
list	Collect specified data types
-o, --output	Output file path
--threads	Number of concurrent threads
--delay	Delay between requests (ms)
--jitter	Random jitter percentage
--timeout	Request timeout (seconds)

Data Types

Type	Description
users	Azure AD users
groups	Azure AD groups
applications	App registrations
service-principals	Service principals
devices	Azure AD devices
roles	Directory roles
subscriptions	Azure subscriptions
resource-groups	Resource groups

Data Collection Strategies

Comprehensive Collection

# Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json

# Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json

# Collect everything
./azurehound list all -o azure_full_dump.json

Targeted Collection

# Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json

# Application and service principal focus
./azurehound list applications,service-principals -o applications.json

# Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.json

Stealth Collection

# Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json

# Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json

# Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.json

Advanced Collection Techniques

Multi-Tenant Collection

# Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id")
for tenant in "${tenants[@]}"; do
    ./azurehound list all --tenant-id $tenant -o "tenant_${tenant}.json"
done

# Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.json

Subscription Enumeration

# List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json

# Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id <sub-id> -o subscription_data.json

# Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do
    ./azurehound list all --subscription-id $sub_id -o "sub_${sub_id}.json"
done

Custom Queries and Filters

# Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json

# Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json

# Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.json

BloodHound Integration

Data Import to BloodHound

# Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound

# Import AzureHound data
# Use BloodHound GUI to import the JSON files
# File -> Import Data -> Select AzureHound JSON files

Custom Cypher Queries

-- Find all Global Administrators
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole {displayname: "Global Administrator"})
RETURN u.displayname, u.userprincipalname

-- Find applications with high privileges
MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole)
WHERE role.value CONTAINS "All"
RETURN app.displayname, role.value

-- Find users with direct role assignments
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole)
WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r)
RETURN u.displayname, r.displayname

-- Find privilege escalation paths
MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole)
WHERE r.displayname CONTAINS "Administrator"
RETURN p

-- Find applications owned by users
MATCH (u:AZUser)-[:AZOwns]->(app:AZApp)
RETURN u.displayname, app.displayname

-- Find service principals with secrets
MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret)
RETURN sp.displayname, s.displayname

Custom BloodHound Queries

{
  "queries": [
    {
      "name": "Azure Global Admins",
      "category": "Azure",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole {displayname: 'Global Administrator'}) RETURN u"
        }
      ]
    },
    {
      "name": "High Privilege Applications",
      "category": "Azure",
      "queryList": [
        {
          "final": true,
          "query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
        }
      ]
    },
    {
      "name": "Privilege Escalation Paths to Global Admin",
      "category": "Azure",
      "queryList": [
        {
          "final": true,
          "query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole {displayname: 'Global Administrator'})) RETURN p"
        }
      ]
    }
  ]
}

Data Analysis and Processing

JSON Data Processing

# Extract user information
jq '.data[] | select(.kind == "AZUser") | {name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled}' azure_data.json

# Find privileged users
jq '.data[] | select(.kind == "AZUser" and (.properties.assignedRoles // []) | length > 0)' azure_data.json

# Extract application permissions
jq '.data[] | select(.kind == "AZApp") | {name: .properties.displayName, permissions: .properties.requiredResourceAccess}' azure_data.json

# Count objects by type
jq '.data | group_by(.kind) | map({kind: .[0].kind, count: length})' azure_data.json

PowerShell Analysis

# Load and analyze AzureHound data
$azureData = Get-Content -Path "azure_data.json" | ConvertFrom-Json

# Find users with administrative roles
$adminUsers = $azureData.data | Where-Object {
    $_.kind -eq "AZUser" -and 
    $_.properties.assignedRoles -contains "Global Administrator"
}

# Find applications with high privileges
$highPrivApps = $azureData.data | Where-Object {
    $_.kind -eq "AZApp" -and
    $_.properties.requiredResourceAccess.resourceAppId -contains "00000003-0000-0000-c000-000000000000"
}

# Generate summary report
$report = @{
    TotalUsers = ($azureData.data | Where-Object {$_.kind -eq "AZUser"}).Count
    TotalGroups = ($azureData.data | Where-Object {$_.kind -eq "AZGroup"}).Count
    TotalApps = ($azureData.data | Where-Object {$_.kind -eq "AZApp"}).Count
    AdminUsers = $adminUsers.Count
    HighPrivApps = $highPrivApps.Count
}

$report | ConvertTo-Json | Out-File "azure_summary.json"

Python Analysis

import json
import pandas as pd

# Load AzureHound data
with open('azure_data.json', 'r') as f:
    azure_data = json.load(f)

# Convert to DataFrame for analysis
df = pd.json_normalize(azure_data['data'])

# Analyze user distribution
users_df = df[df['kind'] == 'AZUser']
user_stats = {
    'total_users': len(users_df),
    'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]),
    'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']),
    'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()])
}

# Analyze applications
apps_df = df[df['kind'] == 'AZApp']
app_stats = {
    'total_apps': len(apps_df),
    'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]),
    'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()])
}

print(f"User Statistics: {user_stats}")
print(f"Application Statistics: {app_stats}")

Operational Security

Stealth Techniques

# Use legitimate user agent
./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Randomize request timing
./azurehound list all --delay 3000 --jitter 75

# Use proxy for requests
./azurehound list all --proxy http://proxy:8080

# Limit concurrent requests
./azurehound list all --threads 2

Rate Limiting Avoidance

# Implement exponential backoff
./azurehound list all --retry-count 5 --retry-delay 30

# Spread collection over time
./azurehound list users --delay 10000
sleep 300
./azurehound list groups --delay 10000
sleep 300
./azurehound list applications --delay 10000

Log Evasion

# Use service principal instead of user account
./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

# Perform collection during business hours
current_hour=$(date +%H)
if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then
    ./azurehound list all -o business_hours_collection.json
fi

Automation and Scripting

Automated Collection Script

#!/bin/bash

# AzureHound automated collection script
TENANT_ID="your-tenant-id"
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"
OUTPUT_DIR="./azurehound_output"

# Create output directory
mkdir -p $OUTPUT_DIR

# Collect Azure AD data
echo "Collecting Azure AD data..."
./azurehound list users,groups,applications,service-principals,devices,roles \
    --client-id $CLIENT_ID \
    --client-secret $CLIENT_SECRET \
    --tenant-id $TENANT_ID \
    --threads 3 \
    --delay 2000 \
    -o "$OUTPUT_DIR/azuread_$(date +%Y%m%d_%H%M%S).json"

# Collect Azure Resource data
echo "Collecting Azure Resource data..."
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \
    --client-id $CLIENT_ID \
    --client-secret $CLIENT_SECRET \
    --tenant-id $TENANT_ID \
    --threads 2 \
    --delay 3000 \
    -o "$OUTPUT_DIR/azure_resources_$(date +%Y%m%d_%H%M%S).json"

echo "Collection completed. Files saved to $OUTPUT_DIR"

PowerShell Automation

# PowerShell automation script
param(
    [string]$TenantId,
    [string]$ClientId,
    [string]$ClientSecret,
    [string]$OutputPath = ".\azurehound_output"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force

# Define collection types
$collections = @(
    @{Name = "users"; Types = "users,groups,roles"},
    @{Name = "applications"; Types = "applications,service-principals"},
    @{Name = "devices"; Types = "devices,conditional-access-policies"},
    @{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"}
)

# Perform collections
foreach ($collection in $collections) {
    $outputFile = Join-Path $OutputPath "$($collection.Name)_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"
    
    Write-Host "Collecting $($collection.Name) data..."
    
    & .\azurehound.exe list $collection.Types `
        --client-id $ClientId `
        --client-secret $ClientSecret `
        --tenant-id $TenantId `
        --threads 2 `
        --delay 2000 `
        -o $outputFile
    
    Start-Sleep -Seconds 30
}

Write-Host "Collection completed. Files saved to $OutputPath"

Troubleshooting

Authentication Issues

# Test authentication
./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

# Debug authentication
./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

# Check token validity
./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

Permission Issues

# Check required permissions
./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID

# List current permissions
./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID

# Test specific permission
./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID

Rate Limiting Issues

# Handle rate limiting
./azurehound list all --retry-count 10 --retry-delay 60 --threads 1

# Monitor rate limit headers
./azurehound list users --debug | grep -i "rate\|limit\|throttle"

# Use exponential backoff
./azurehound list all --backoff-strategy exponential --max-delay 300

Data Collection Issues

# Validate output
jq empty azure_data.json && echo "Valid JSON" || echo "Invalid JSON"

# Check data completeness
jq '.data | group_by(.kind) | map({kind: .[0].kind, count: length})' azure_data.json

# Verify specific data types
jq '.data[] | select(.kind == "AZUser") | length' azure_data.json

Integration with Other Tools

ROADtools Integration

# Convert AzureHound data for ROADtools
jq '.data[] | select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json

# Use with ROADtools database
roadrecon import --file azure_data.json
roadrecon gui

AADInternals Integration

# Use AzureHound data with AADInternals
$azureHoundData = Get-Content -Path "azure_data.json" | ConvertFrom-Json

# Extract user information for AADInternals
$users = $azureHoundData.data | Where-Object {$_.kind -eq "AZUser"}
foreach ($user in $users) {
    # Use AADInternals to get additional information
    $additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName
}

Custom Tool Integration

# Python integration example
import json
import requests

def process_azurehound_data(file_path):
    with open(file_path, 'r') as f:
        data = json.load(f)
    
    # Process users
    users = [item for item in data['data'] if item['kind'] == 'AZUser']
    
    # Process groups
    groups = [item for item in data['data'] if item['kind'] == 'AZGroup']
    
    # Process applications
    apps = [item for item in data['data'] if item['kind'] == 'AZApp']
    
    return {
        'users': users,
        'groups': groups,
        'applications': apps
    }

# Usage
processed_data = process_azurehound_data('azure_data.json')

Resources

• AzureHound GitHub Repository
• BloodHound Documentation
• SpecterOps Blog
• Azure AD Attack and Defense
• BloodHound Community Edition

---

This cheat sheet provides a comprehensive reference for using AzureHound. Always ensure you have proper authorization before conducting Azure AD security assessments.