AzureHound BloodHound Datenerfassung Cheat Sheet
Überblick
AzureHound ist ein Datensammler für BloodHound entwickelt von SpecterOps, der Informationen aus Azure Active Directory und Azure Resource Manager sammelt. Es kartiert Azure AD-Beziehungen und Angriffspfade, bietet Visualisierungsmöglichkeiten für Azure-Umgebungen ähnlich wie BloodHounds On-Premises Active Directory-Analyse.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.
Installation
Vorkompilierte Binäre
```bash
Download latest release for Linux
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip unzip azurehound-linux-amd64.zip chmod +x azurehound
Download for Windows
Download azurehound-windows-amd64.zip from GitHub releases
Download for macOS
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip unzip azurehound-darwin-amd64.zip chmod +x azurehound ```_
Aufbau von Source
```bash
Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git cd AzureHound go build -o azurehound ./cmd/azurehound ```_
Docker Installation
```bash
Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git cd AzureHound docker build -t azurehound .
Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehound ```_
Basisnutzung
Authentifizierungsmethoden
```bash
Interactive authentication
./azurehound -u user@domain.com -p password
Device code authentication
./azurehound --device-code
Service principal authentication
./azurehound --client-id
Certificate authentication
./azurehound --client-id
Managed identity authentication (Azure VM)
./azurehound --managed-identity ```_
Grunddatenerhebung
```bash
Collect all available data
./azurehound list all
Collect specific data types
./azurehound list users,groups,applications
Output to specific file
./azurehound list all -o azure_data.json
Collect with specific tenant
./azurehound list all --tenant-id
Befehlsnummer
Authentifizierungsoptionen
| | Option | Description | |
| --- | --- |
| | -u, --username | Username for authentication | |
| | -p, --password | Password for authentication | |
| | --device-code | Use device code flow | |
| | --client-id | Service principal client ID | |
| | --client-secret | Service principal secret | |
| | --cert-path | Certificate file path | |
| | --tenant-id | Azure AD tenant ID | |
Optionen zur Sammlung
| | Option | Description | |
| --- | --- |
| | list | Collect specified data types | |
| | -o, --output | Output file path | |
| | --threads | Number of concurrent threads | |
| | --delay | Delay between requests (ms) | |
| | --jitter | Random jitter percentage | |
| | --timeout | Request timeout (seconds) | |
Datentypen
| | Type | Description | |
| --- | --- |
| | users | Azure AD users | |
| | groups | Azure AD groups | |
| | applications | App registrations | |
| | service-principals | Service principals | |
| | devices | Azure AD devices | |
| | roles | Directory roles | |
| | subscriptions | Azure subscriptions | |
| | resource-groups | Resource groups | |
Strategien zur Datenerhebung
Umfassende Sammlung
```bash
Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json
Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json
Collect everything
./azurehound list all -o azure_full_dump.json ```_
Gezielte Sammlung
```bash
Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json
Application and service principal focus
./azurehound list applications,service-principals -o applications.json
Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.json ```_
Stealth Collection
```bash
Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json
Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json
Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.json ```_
Techniken der erweiterten Sammlung
Multi-Tenant Sammlung
```bash
Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id") for tenant in "$\\{tenants[@]\\}"; do ./azurehound list all --tenant-id $tenant -o "tenant_$\\{tenant\\}.json" done
Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.json ```_
Abonnement Aufzählung
```bash
List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json
Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id
Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do ./azurehound list all --subscription-id $sub_id -o "sub_$\\{sub_id\\}.json" done ```_
Benutzerdefinierte Abfragen und Filter
```bash
Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json
Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json
Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.json ```_
BlutHound Integration
Datenimport nach BloodHound
```bash
Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound
Import AzureHound data
Use BloodHound GUI to import the JSON files
File -> Import Data -> Select AzureHound JSON files
```_
Benutzerdefinierte Cypher Quers
```cypher -- Find all Global Administrators MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\{displayname: "Global Administrator"\\}) RETURN u.displayname, u.userprincipalname
-- Find applications with high privileges MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS "All" RETURN app.displayname, role.value
-- Find users with direct role assignments MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole) WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r) RETURN u.displayname, r.displayname
-- Find privilege escalation paths MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole) WHERE r.displayname CONTAINS "Administrator" RETURN p
-- Find applications owned by users MATCH (u:AZUser)-[:AZOwns]->(app:AZApp) RETURN u.displayname, app.displayname
-- Find service principals with secrets MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret) RETURN sp.displayname, s.displayname ```_
Benutzerdefinierte BloodHound Quers
json
\\\\{
"queries": [
\\\\{
"name": "Azure Global Admins",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\}) RETURN u"
\\\\}
]
\\\\},
\\\\{
"name": "High Privilege Applications",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
\\\\}
]
\\\\},
\\\\{
"name": "Privilege Escalation Paths to Global Admin",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\})) RETURN p"
\\\\}
]
\\\\}
]
\\\\}_
Datenanalyse und -verarbeitung
JSON Datenverarbeitung
```bash
Extract user information
| jq '.data[] | select(.kind == "AZUser") | \\{name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled\\}' azure_data.json |
Find privileged users
| jq '.data[] | select(.kind == "AZUser" and (.properties.assignedRoles // []) | length > 0)' azure_data.json |
Extract application permissions
| jq '.data[] | select(.kind == "AZApp") | \\{name: .properties.displayName, permissions: .properties.requiredResourceAccess\\}' azure_data.json |
Count objects by type
| jq '.data | group_by(.kind) | map(\\{kind: .[0].kind, count: length\\})' azure_data.json | ```_
Powershell Analyse
```powershell
Load and analyze AzureHound data
$azureData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
Find users with administrative roles
$adminUsers = $azureData.data|Where-Object \\{ $.kind -eq "AZUser" -and $.properties.assignedRoles -contains "Global Administrator" \\}
Find applications with high privileges
$highPrivApps = $azureData.data|Where-Object \\{ $.kind -eq "AZApp" -and $.properties.requiredResourceAccess.resourceAppId -contains "00000003-0000-0000-c000-000000000000" \\}
Generate summary report
$report = @\\{ TotalUsers = ($azureData.data|Where-Object \\{$.kind -eq "AZUser"\\}).Count TotalGroups = ($azureData.data|Where-Object \\{$.kind -eq "AZGroup"\\}).Count TotalApps = ($azureData.data|Where-Object \\{$_.kind -eq "AZApp"\\}).Count AdminUsers = $adminUsers.Count HighPrivApps = $highPrivApps.Count \\}
| $report | ConvertTo-Json | Out-File "azure_summary.json" | ```_
Python Analyse
```python import json import pandas as pd
Load AzureHound data
with open('azure_data.json', 'r') as f: azure_data = json.load(f)
Convert to DataFrame for analysis
df = pd.json_normalize(azure_data['data'])
Analyze user distribution
users_df = df[df['kind'] == 'AZUser'] user_stats = \\{ 'total_users': len(users_df), 'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]), 'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']), 'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()]) \\}
Analyze applications
apps_df = df[df['kind'] == 'AZApp'] app_stats = \\{ 'total_apps': len(apps_df), 'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]), 'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()]) \\}
print(f"User Statistics: \\{user_stats\\}") print(f"Application Statistics: \\{app_stats\\}") ```_
Operationelle Sicherheit
Stealth Techniques
```bash
Use legitimate user agent
./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
Randomize request timing
./azurehound list all --delay 3000 --jitter 75
Use proxy for requests
./azurehound list all --proxy http://proxy:8080
Limit concurrent requests
./azurehound list all --threads 2 ```_
Geschwindigkeitsbegrenzung Vermeidung
```bash
Implement exponential backoff
./azurehound list all --retry-count 5 --retry-delay 30
Spread collection over time
./azurehound list users --delay 10000 sleep 300 ./azurehound list groups --delay 10000 sleep 300 ./azurehound list applications --delay 10000 ```_
Log Evasion
```bash
Use service principal instead of user account
./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Perform collection during business hours
current_hour=$(date +%H) if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then ./azurehound list all -o business_hours_collection.json fi ```_
Automatisierung und Schrift
Automatisierte Sammlung Script
```bash
!/bin/bash
AzureHound automated collection script
TENANT_ID="your-tenant-id" CLIENT_ID="your-client-id" CLIENT_SECRET="your-client-secret" OUTPUT_DIR="./azurehound_output"
Create output directory
mkdir -p $OUTPUT_DIR
Collect Azure AD data
echo "Collecting Azure AD data..." ./azurehound list users,groups,applications,service-principals,devices,roles \ --client-id $CLIENT_ID \ --client-secret $CLIENT_SECRET \ --tenant-id $TENANT_ID \ --threads 3 \ --delay 2000 \ -o "$OUTPUT_DIR/azuread_$(date +%Y%m%d_%H%M%S).json"
Collect Azure Resource data
echo "Collecting Azure Resource data..." ./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \ --client-id $CLIENT_ID \ --client-secret $CLIENT_SECRET \ --tenant-id $TENANT_ID \ --threads 2 \ --delay 3000 \ -o "$OUTPUT_DIR/azure_resources_$(date +%Y%m%d_%H%M%S).json"
echo "Collection completed. Files saved to $OUTPUT_DIR" ```_
PowerShell Automation
```powershell
PowerShell automation script
param( [string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$OutputPath = ".\azurehound_output" )
Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force
Define collection types
$collections = @( @\\{Name = "users"; Types = "users,groups,roles"\\}, @\\{Name = "applications"; Types = "applications,service-principals"\\}, @\\{Name = "devices"; Types = "devices,conditional-access-policies"\\}, @\\{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"\\} )
Perform collections
foreach ($collection in $collections) \\{ $outputFile = Join-Path $OutputPath "$($collection.Name)_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"
Write-Host "Collecting $($collection.Name) data..."
& .\azurehound.exe list $collection.Types `
--client-id $ClientId `
--client-secret $ClientSecret `
--tenant-id $TenantId `
--threads 2 `
--delay 2000 `
-o $outputFile
Start-Sleep -Seconds 30
\\}
Write-Host "Collection completed. Files saved to $OutputPath" ```_
Fehlerbehebung
Authentifizierungsfragen
```bash
Test authentication
./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Debug authentication
./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Check token validity
./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID ```_
Genehmigungsfragen
```bash
Check required permissions
./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID
List current permissions
./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID
Test specific permission
./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID ```_
Beschränkungsfragen
```bash
Handle rate limiting
./azurehound list all --retry-count 10 --retry-delay 60 --threads 1
Monitor rate limit headers
| ./azurehound list users --debug | grep -i "rate\ | limit\ | throttle" |
Use exponential backoff
./azurehound list all --backoff-strategy exponential --max-delay 300 ```_
Probleme der Datenerhebung
```bash
Validate output
| jq empty azure_data.json && echo "Valid JSON" | | echo "Invalid JSON" |
Check data completeness
| jq '.data | group_by(.kind) | map(\\{kind: .[0].kind, count: length\\})' azure_data.json |
Verify specific data types
| jq '.data[] | select(.kind == "AZUser") | length' azure_data.json | ```_
Integration mit anderen Tools
ROADtools Integration
```bash
Convert AzureHound data for ROADtools
jq '.data[]|select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json
Use with ROADtools database
roadrecon import --file azure_data.json roadrecon gui ```_
AADInternals Integration
```powershell
Use AzureHound data with AADInternals
$azureHoundData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
Extract user information for AADInternals
$users = $azureHoundData.data|Where-Object \\{$.kind -eq "AZUser"\\} foreach ($user in $users) \\{ # Use AADInternals to get additional information $additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName \\} ```
Individuelle Werkzeugintegration
```python
Python integration example
import json import requests
def process_azurehound_data(file_path): with open(file_path, 'r') as f: data = json.load(f)
# Process users
users = [item for item in data['data'] if item['kind'] == 'AZUser']
# Process groups
groups = [item for item in data['data'] if item['kind'] == 'AZGroup']
# Process applications
apps = [item for item in data['data'] if item['kind'] == 'AZApp']
return \\\\{
'users': users,
'groups': groups,
'applications': apps
\\\\}
Usage
processed_data = process_azurehound_data('azure_data.json') ```_
Ressourcen
- (LINK_5)
- BloodHound Dokumentation
- [SpecterOps Blog](_LINK_5__ -%20Angriff%20und%20Verteidigung%20Azure%20AD
- [BloodHound Community Edition](_LINK_5___
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von AzureHound. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie Azure AD Sicherheitsbewertungen durchführen. *