
Azucar Azure Security Auditing Tool Cheat Sheet


Overview

Azucar is an open-source security auditing tool for Azure environments developed by Juan Garrido. It automatically collects a wide range of configuration data from Azure Active Directory, Azure SQL databases, Storage Accounts, Key Vaults and other Azure services in order to identify potential security issues and misconfigurations.

Warning: This tool is intended for authorized security assessments and auditing only. Ensure you have proper authorization before using it in any environment.

Installation

Installation from the PowerShell Gallery

```powershell
# Install from PowerShell Gallery
Install-Module -Name Azucar

# Install for current user only
Install-Module -Name Azucar -Scope CurrentUser

# Update existing installation
Update-Module -Name Azucar

# Import module
Import-Module Azucar
```

Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/nccgroup/azucar/archive/master.zip" -OutFile "Azucar.zip"
Expand-Archive -Path "Azucar.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\Azucar-master\Azucar.psd1

# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
```

Git Installation

```powershell
# Clone repository (git is invoked from the PowerShell prompt)
git clone https://github.com/nccgroup/azucar.git
cd azucar

# Import in PowerShell
Import-Module .\Azucar.psd1
```

Basic Usage

Module Setup

```powershell
# Import Azucar
Import-Module Azucar

# Get available commands
Get-Command -Module Azucar

# Get help for main function
Get-Help Invoke-Azucar -Full

# Check module version
Get-Module Azucar
```

Authentication

```powershell
# Interactive authentication
Connect-AzAccount

# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
```

Command Reference

Main Commands

| Command | Description |
| --- | --- |
| Invoke-Azucar | Main auditing function |
| Get-AzucarReport | Generate audit report |
| Export-AzucarData | Export audit data |
| Set-AzucarConfig | Configure audit settings |

Audit Options

| Parameter | Description |
| --- | --- |
| -TenantId | Azure AD tenant ID |
| -SubscriptionId | Azure subscription ID |
| -OutputPath | Output directory path |
| -Format | Report format (HTML/JSON/CSV) |
| -Verbose | Enable verbose output |

Comprehensive Security Audit

Basic Audit

```powershell
# Run basic security audit
Invoke-Azucar

# Audit specific tenant
Invoke-Azucar -TenantId "tenant-id"

# Audit specific subscription
Invoke-Azucar -SubscriptionId "subscription-id"

# Audit with custom output path
Invoke-Azucar -OutputPath "C:\AzureAudit\"
```

Advanced Audit Options

```powershell
# Comprehensive audit with all checks
Invoke-Azucar -All

# Audit specific services
Invoke-Azucar -Services @("AzureAD", "Storage", "KeyVault", "SQL")

# Audit with specific compliance framework
Invoke-Azucar -ComplianceFramework "CIS"

# Audit with custom configuration
Invoke-Azucar -ConfigFile "custom-config.json"
```

Multi-Tenant Audit

```powershell
# Audit multiple tenants
$tenants = @("tenant1-id", "tenant2-id", "tenant3-id")
foreach ($tenant in $tenants) {
    Invoke-Azucar -TenantId $tenant -OutputPath "C:\AzureAudit\$tenant\"
}

# Audit all accessible tenants
$allTenants = Get-AzTenant
foreach ($tenant in $allTenants) {
    Invoke-Azucar -TenantId $tenant.Id -OutputPath "C:\AzureAudit\$($tenant.Id)\"
}
```

Azure Active Directory Auditing

User and Group Analysis

```powershell
# Audit Azure AD users
Invoke-Azucar -Services @("AzureAD") -Focus "Users"

# Check for privileged users
Invoke-Azucar -Services @("AzureAD") -Focus "PrivilegedUsers"

# Audit group memberships
Invoke-Azucar -Services @("AzureAD") -Focus "Groups"

# Check guest user access
Invoke-Azucar -Services @("AzureAD") -Focus "GuestUsers"
```

Application and Service Principal Analysis

```powershell
# Audit applications
Invoke-Azucar -Services @("AzureAD") -Focus "Applications"

# Check application permissions
Invoke-Azucar -Services @("AzureAD") -Focus "ApplicationPermissions"

# Audit service principals
Invoke-Azucar -Services @("AzureAD") -Focus "ServicePrincipals"

# Check for overprivileged applications
Invoke-Azucar -Services @("AzureAD") -Focus "HighPrivilegeApps"
```

Conditional Access and Security Policies

```powershell
# Audit Conditional Access policies
Invoke-Azucar -Services @("AzureAD") -Focus "ConditionalAccess"

# Check MFA configuration
Invoke-Azucar -Services @("AzureAD") -Focus "MFA"

# Audit password policies
Invoke-Azucar -Services @("AzureAD") -Focus "PasswordPolicies"

# Check security defaults
Invoke-Azucar -Services @("AzureAD") -Focus "SecurityDefaults"
```

Azure Resource Auditing

Storage Account Security

```powershell
# Audit storage accounts
Invoke-Azucar -Services @("Storage")

# Check storage account public access
Invoke-Azucar -Services @("Storage") -Focus "PublicAccess"

# Audit storage encryption
Invoke-Azucar -Services @("Storage") -Focus "Encryption"

# Check storage account keys
Invoke-Azucar -Services @("Storage") -Focus "AccessKeys"
```

Key Vault Security

```powershell
# Audit Key Vaults
Invoke-Azucar -Services @("KeyVault")

# Check Key Vault access policies
Invoke-Azucar -Services @("KeyVault") -Focus "AccessPolicies"

# Audit Key Vault secrets
Invoke-Azucar -Services @("KeyVault") -Focus "Secrets"

# Check Key Vault network access
Invoke-Azucar -Services @("KeyVault") -Focus "NetworkAccess"
```

SQL Database Security

```powershell
# Audit SQL databases
Invoke-Azucar -Services @("SQL")

# Check SQL server firewall rules
Invoke-Azucar -Services @("SQL") -Focus "FirewallRules"

# Audit SQL database encryption
Invoke-Azucar -Services @("SQL") -Focus "Encryption"

# Check SQL auditing configuration
Invoke-Azucar -Services @("SQL") -Focus "Auditing"
```

Virtual Machine Security

```powershell
# Audit virtual machines
Invoke-Azucar -Services @("VirtualMachines")

# Check VM network security groups
Invoke-Azucar -Services @("VirtualMachines") -Focus "NetworkSecurity"

# Audit VM disk encryption
Invoke-Azucar -Services @("VirtualMachines") -Focus "DiskEncryption"

# Check VM backup configuration
Invoke-Azucar -Services @("VirtualMachines") -Focus "Backup"
```

Network Security Auditing

Network Security Groups

```powershell
# Audit network security groups
Invoke-Azucar -Services @("Network") -Focus "SecurityGroups"

# Check for overly permissive rules
Invoke-Azucar -Services @("Network") -Focus "PermissiveRules"

# Audit inbound rules
Invoke-Azucar -Services @("Network") -Focus "InboundRules"

# Check for default rules
Invoke-Azucar -Services @("Network") -Focus "DefaultRules"
```

Virtual Network Configuration

```powershell
# Audit virtual networks
Invoke-Azucar -Services @("Network") -Focus "VirtualNetworks"

# Check subnet configuration
Invoke-Azucar -Services @("Network") -Focus "Subnets"

# Audit network peering
Invoke-Azucar -Services @("Network") -Focus "Peering"

# Check DNS configuration
Invoke-Azucar -Services @("Network") -Focus "DNS"
```

Compliance and Governance

CIS Benchmarking

```powershell
# Run CIS Azure benchmark
Invoke-Azucar -ComplianceFramework "CIS"

# Generate CIS compliance report
Invoke-Azucar -ComplianceFramework "CIS" -Format "HTML" -OutputPath "C:\CIS_Report\"

# Check specific CIS controls
Invoke-Azucar -ComplianceFramework "CIS" -Controls @("1.1", "1.2", "2.1")
```

Azure Security Center Integration

```powershell
# Audit Security Center configuration
Invoke-Azucar -Services @("SecurityCenter")

# Check security policies
Invoke-Azucar -Services @("SecurityCenter") -Focus "Policies"

# Audit security recommendations
Invoke-Azucar -Services @("SecurityCenter") -Focus "Recommendations"

# Check security alerts
Invoke-Azucar -Services @("SecurityCenter") -Focus "Alerts"
```

Resource Governance

```powershell
# Audit resource groups
Invoke-Azucar -Services @("ResourceManagement") -Focus "ResourceGroups"

# Check resource tags
Invoke-Azucar -Services @("ResourceManagement") -Focus "Tags"

# Audit resource locks
Invoke-Azucar -Services @("ResourceManagement") -Focus "Locks"

# Check resource policies
Invoke-Azucar -Services @("ResourceManagement") -Focus "Policies"
```

Report Generation and Analysis

HTML Reports

```powershell
# Generate HTML report
Invoke-Azucar -Format "HTML" -OutputPath "C:\AzureAudit\"

# Generate detailed HTML report
Invoke-Azucar -Format "HTML" -Detailed -OutputPath "C:\AzureAudit\"

# Generate executive summary
Invoke-Azucar -Format "HTML" -Summary -OutputPath "C:\AzureAudit\"
```

JSON and CSV Export

```powershell
# Export to JSON
Invoke-Azucar -Format "JSON" -OutputPath "C:\AzureAudit\"

# Export to CSV
Invoke-Azucar -Format "CSV" -OutputPath "C:\AzureAudit\"

# Export raw data
Invoke-Azucar -Format "Raw" -OutputPath "C:\AzureAudit\"
```

Custom Report Templates

```powershell
# Use custom report template
Invoke-Azucar -Template "custom-template.html" -OutputPath "C:\AzureAudit\"

# Generate report with custom branding
Invoke-Azucar -Template "branded-template.html" -CompanyName "Your Company" -OutputPath "C:\AzureAudit\"
```

Advanced Configuration

Custom Configuration File

```json
{
  "AuditSettings": {
    "IncludeServices": ["AzureAD", "Storage", "KeyVault", "SQL"],
    "ExcludeChecks": ["LowPriority"],
    "OutputFormat": "HTML",
    "DetailLevel": "High"
  },
  "ComplianceFrameworks": {
    "CIS": {
      "Version": "1.3.0",
      "IncludeControls": ["1.*", "2.*", "3.*"]
    }
  },
  "ReportSettings": {
    "IncludeRecommendations": true,
    "IncludeEvidence": true,
    "GroupByService": true
  }
}
```

PowerShell Configuration

```powershell
# Set custom configuration
$config = @{
    Services               = @("AzureAD", "Storage", "KeyVault")
    OutputFormat           = "HTML"
    DetailLevel            = "High"
    IncludeRecommendations = $true
}

Set-AzucarConfig -Configuration $config

# Run audit with custom configuration
Invoke-Azucar -UseCustomConfig
```

Filtering and Exclusions

```powershell
# Exclude specific resource groups
Invoke-Azucar -ExcludeResourceGroups @("test-rg", "dev-rg")

# Include only specific subscriptions
Invoke-Azucar -IncludeSubscriptions @("sub1-id", "sub2-id")

# Exclude low-priority findings
Invoke-Azucar -ExcludeSeverity @("Low", "Informational")

# Filter by resource tags
Invoke-Azucar -FilterByTags @{Environment = "Production"; Owner = "Security"}
```

Automation and Scheduling

Automated Audit Script

```powershell
# Automated Azure security audit script
param(
    [string]$TenantId,
    [string]$OutputPath = "C:\AzureAudit",
    [string]$EmailRecipients = "security@company.com",
    # Placeholder relay; Send-MailMessage requires -SmtpServer (or $PSEmailServer) and -From
    [string]$SmtpServer = "smtp.company.com",
    [string]$MailFrom = "azure-audit@company.com"
)

# Create output directory with timestamp
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$auditPath = Join-Path $OutputPath "Audit_$timestamp"
New-Item -ItemType Directory -Path $auditPath -Force | Out-Null

# Authenticate to Azure
Connect-AzAccount -TenantId $TenantId

# Run comprehensive audit
Write-Host "Starting Azure security audit..."
Invoke-Azucar -All -Format "HTML" -OutputPath $auditPath

# Check that the summary report was produced
$reportPath = Join-Path $auditPath "AzureSecurityAudit.html"
if (Test-Path $reportPath) {
    Write-Host "Audit completed successfully"

    # Send email notification
    $subject = "Azure Security Audit Completed - $timestamp"
    $body = "Azure security audit has been completed. Report available at: $reportPath"

    Send-MailMessage -From $MailFrom -To $EmailRecipients -Subject $subject -Body $body `
        -Attachments $reportPath -SmtpServer $SmtpServer
} else {
    Write-Error "Audit failed - report not generated"
}
```

Scheduled Task Setup

```powershell
# Create scheduled task for regular audits
$action   = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\AzureAudit.ps1"
$trigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6AM
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Azure Security Audit" -Action $action -Trigger $trigger -Settings $settings
```

Continuous Monitoring

```powershell
# Continuous monitoring script
param(
    [int]$IntervalHours = 24,
    [string]$LogPath = "C:\AzureAudit\monitoring.log",
    # Placeholder mail settings; Send-MailMessage requires -From and -SmtpServer
    [string]$SmtpServer = "smtp.company.com",
    [string]$MailFrom = "azure-audit@company.com"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure security monitoring" | Tee-Object -FilePath $LogPath -Append

    try {
        # Run quick security check
        $findings = Invoke-Azucar -Quick -Format "JSON"

        # Check for critical findings (wrap in @() so .Count works for a single object too)
        $criticalFindings = @($findings | Where-Object { $_.Severity -eq "Critical" })

        if ($criticalFindings.Count -gt 0) {
            Write-Output "[$timestamp] Critical findings detected: $($criticalFindings.Count)" | Tee-Object -FilePath $LogPath -Append

            # Send alert
            $alertSubject = "ALERT: Critical Azure Security Findings"
            $alertBody = "Critical security findings detected in Azure environment. Immediate attention required."
            Send-MailMessage -From $MailFrom -To "security@company.com" -Subject $alertSubject -Body $alertBody -SmtpServer $SmtpServer
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }

    Start-Sleep -Seconds ($IntervalHours * 3600)
}
```

Troubleshooting

Authentication Issues

```powershell
# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}

# Verify permissions
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
Write-Output "Current user: $($currentUser.DisplayName)"
```

Module Issues

```powershell
# Check Azucar installation
Get-Module Azucar -ListAvailable

# Update Azucar
Update-Module Azucar -Force

# Reinstall if necessary
Uninstall-Module Azucar
Install-Module Azucar -Force

# Check dependencies
Get-Module Az -ListAvailable
Get-Module AzureAD -ListAvailable
```

Permission Issues

```powershell
# Check required permissions
$requiredPermissions = @(
    "Directory.Read.All",
    "User.Read.All",
    "Application.Read.All",
    "Policy.Read.All"
)

foreach ($permission in $requiredPermissions) {
    try {
        # Test permission by attempting to read data covered by this scope
        Write-Output "Testing permission: $permission"
    }
    catch {
        Write-Warning "Missing permission: $permission"
    }
}
```

Performance Issues

```powershell
# Run audit with reduced scope
Invoke-Azucar -Services @("AzureAD") -Quick

# Use parallel processing
Invoke-Azucar -Parallel -MaxThreads 5

# Exclude large datasets
Invoke-Azucar -ExcludeServices @("Logs", "Metrics")
```

Integration with Other Tools

SIEM Integration

```powershell
# Export findings to SIEM format
$findings = Invoke-Azucar -Format "JSON"
$siemEvents = $findings | ForEach-Object {
    @{
        # Emit a true UTC timestamp so the trailing "Z" is accurate
        timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        source    = "Azucar"
        severity  = $_.Severity
        finding   = $_.Description
        resource  = $_.ResourceId
    }
}

# Send to SIEM
$siemEvents | ConvertTo-Json | Out-File "siem_events.json"
```

PowerBI Integration

```powershell
# Export data for PowerBI
$auditData = Invoke-Azucar -Format "CSV"

# Create PowerBI dataset
$powerBIData = @{
    findings   = $auditData.Findings
    resources  = $auditData.Resources
    compliance = $auditData.Compliance
}

$powerBIData | ConvertTo-Json | Out-File "powerbi_data.json"
```

Azure DevOps Integration

```yaml
# Azure DevOps pipeline for security auditing
# No CI trigger: the audit runs on the weekly schedule only
trigger: none

schedules:
  - cron: "0 6 * * 1"
    displayName: Weekly security audit
    branches:
      include:
        - main

pool:
  vmImage: 'windows-latest'

steps:
  - task: AzurePowerShell@5
    inputs:
      azureSubscription: 'Azure-Subscription'
      ScriptType: 'InlineScript'
      Inline: |
        Install-Module -Name Azucar -Force
        Import-Module Azucar
        Invoke-Azucar -All -Format "HTML" -OutputPath "$(Build.ArtifactStagingDirectory)"
      azurePowerShellVersion: 'LatestVersion'

  - task: PublishBuildArtifacts@1
    inputs:
      PathtoPublish: '$(Build.ArtifactStagingDirectory)'
      ArtifactName: 'AzureSecurityAudit'
```

---

*This cheat sheet provides a comprehensive reference for using Azucar. Always ensure you have proper authorization before conducting Azure security assessments.*