AzureHound BloodHound Datensammler Cheat Sheet¶
Überblick¶
AzureHound ist ein Datensammler für BloodHound, entwickelt von SpecterOps, der Informationen aus Azure Active Directory und Azure Resource Manager sammelt. Er kartiert Azure AD-Beziehungen und Angriffspfade und bietet Visualisierungsmöglichkeiten für Azure-Umgebungen, ähnlich der BloodHound-Analyse von lokalen Active Directories.
⚠️ Warnung: Dieses Tool ist ausschließlich für autorisierte Penetrationstests und Sicherheitsbewertungen vorgesehen. Stellen Sie sicher, dass Sie eine entsprechende Autorisierung haben, bevor Sie es in einer Umgebung verwenden.
Installation¶
Vorkompilierte Binärdateien¶
# Download latest release for Linux
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip
unzip azurehound-linux-amd64.zip
chmod +x azurehound
# Download for Windows
# Download azurehound-windows-amd64.zip from GitHub releases
# Download for macOS
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip
unzip azurehound-darwin-amd64.zip
chmod +x azurehound
Aus Quellcode erstellen¶
# Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
go build -o azurehound ./cmd/azurehound
Docker-Installation¶
# Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
docker build -t azurehound .
# Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehound
Grundlegende Nutzung¶
Authentifizierungsmethoden¶
# Interactive authentication
./azurehound -u user@domain.com -p password
# Device code authentication
./azurehound --device-code
# Service principal authentication
./azurehound --client-id <client-id> --client-secret <secret> --tenant-id <tenant-id>
# Certificate authentication
./azurehound --client-id <client-id> --cert-path cert.pem --key-path key.pem --tenant-id <tenant-id>
# Managed identity authentication (Azure VM)
./azurehound --managed-identity
Grundlegende Datensammlung¶
# Collect all available data
./azurehound list all
# Collect specific data types
./azurehound list users,groups,applications
# Output to specific file
./azurehound list all -o azure_data.json
# Collect with specific tenant
./azurehound list all --tenant-id <tenant-id>
Befehlsreferenz¶
Authentifizierungsoptionen¶
| Option | Beschreibung |
|---|---|
-u, --username |
Benutzername zur Authentifizierung |
-p, --password |
Passwort zur Authentifizierung |
--device-code |
Geräte-Code-Ablauf verwenden |
--client-id |
Service Principal Client ID |
--client-secret |
Service Principal Secret |
--cert-path |
Zertifikatsdateipfad |
--tenant-id |
Azure AD Mandanten-ID |
| ### Sammlungsoptionen | |
| Option | Beschreibung |
| -------- | ------------- |
list |
Sammle spezifizierte Datentypen |
-o, --output |
Ausgabedateipfad |
--threads |
Anzahl gleichzeitiger Threads |
--delay |
Verzögerung zwischen Anfragen (ms) |
--jitter |
Zufälliger Jitter-Prozentsatz |
--timeout |
Anforderungs-Timeout (Sekunden) |
| ### Datentypen | |
| Typ | Beschreibung |
| ------ | ------------- |
users |
Azure AD-Benutzer |
groups |
Azure AD-Gruppen |
applications |
App-Registrierungen |
service-principals |
Service Principals |
devices |
Azure AD-Geräte |
roles |
Verzeichnisrollen |
subscriptions |
Azure-Abonnements |
resource-groups |
Ressourcengruppen |
| ## Datensammlungsstrategien |
Umfassende Sammlung¶
# Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json
# Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json
# Collect everything
./azurehound list all -o azure_full_dump.json
Gezielte Sammlung¶
# Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json
# Application and service principal focus
./azurehound list applications,service-principals -o applications.json
# Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.json
Stealthsammlung¶
# Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json
# Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json
# Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.json
Erweiterte Sammeltechniken¶
Mandantenübergreifende Sammlung¶
# Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id")
for tenant in "$\\\\{tenants[@]\\\\}"; do
./azurehound list all --tenant-id $tenant -o "tenant_$\\\\{tenant\\\\}.json"
done
# Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.json
Abonnement-Aufzählung¶
# List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json
# Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id <sub-id> -o subscription_data.json
# Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do
./azurehound list all --subscription-id $sub_id -o "sub_$\\\\{sub_id\\\\}.json"
done
Benutzerdefinierte Abfragen und Filter¶
# Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json
# Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json
# Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.json
BloodHound-Integration¶
Datenimport in BloodHound¶
# Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound
# Import AzureHound data
# Use BloodHound GUI to import the JSON files
# File -> Import Data -> Select AzureHound JSON files
Benutzerdefinierte Cypher-Abfragen¶
-- Find all Global Administrators
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: "Global Administrator"\\\\})
RETURN u.displayname, u.userprincipalname
-- Find applications with high privileges
MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole)
WHERE role.value CONTAINS "All"
RETURN app.displayname, role.value
-- Find users with direct role assignments
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole)
WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r)
RETURN u.displayname, r.displayname
-- Find privilege escalation paths
MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole)
WHERE r.displayname CONTAINS "Administrator"
RETURN p
-- Find applications owned by users
MATCH (u:AZUser)-[:AZOwns]->(app:AZApp)
RETURN u.displayname, app.displayname
-- Find service principals with secrets
MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret)
RETURN sp.displayname, s.displayname
Benutzerdefinierte BloodHound-Abfragen¶
\\\\{
"queries": [
\\\\{
"name": "Azure Global Admins",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\}) RETURN u"
\\\\}
]
\\\\},
\\\\{
"name": "High Privilege Applications",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
\\\\}
]
\\\\},
\\\\{
"name": "Privilege Escalation Paths to Global Admin",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\})) RETURN p"
\\\\}
]
\\\\}
]
\\\\}
Datenanalyse und -verarbeitung¶
JSON-Datenverarbeitung¶
# Extract user information
jq '.data[]|select(.kind == "AZUser")|\\\\{name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled\\\\}' azure_data.json
# Find privileged users
jq '.data[]|select(.kind == "AZUser" and (.properties.assignedRoles // [])|length > 0)' azure_data.json
# Extract application permissions
jq '.data[]|select(.kind == "AZApp")|\\\\{name: .properties.displayName, permissions: .properties.requiredResourceAccess\\\\}' azure_data.json
# Count objects by type
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json
PowerShell-Analyse```powershell¶
Load and analyze AzureHound data¶
$azureData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
Find users with administrative roles¶
$adminUsers = $azureData.data|Where-Object \\{ $.kind -eq "AZUser" -and $.properties.assignedRoles -contains "Global Administrator" \\}
Find applications with high privileges¶
$highPrivApps = $azureData.data|Where-Object \\{ $.kind -eq "AZApp" -and $.properties.requiredResourceAccess.resourceAppId -contains "00000003-0000-0000-c000-000000000000" \\}
Generate summary report¶
\(report = @\\\\{ TotalUsers = (\)azureData.data|Where-Object \\{\(_.kind -eq "AZUser"\\\\}).Count TotalGroups = (\)azureData.data|Where-Object \\{\(_.kind -eq "AZGroup"\\\\}).Count TotalApps = (\)azureData.data|Where-Object \\{$_.kind -eq "AZApp"\\}).Count AdminUsers = $adminUsers.Count HighPrivApps = $highPrivApps.Count \\}
$report|ConvertTo-Json|Out-File "azure_summary.json"
### Python-Analysepython
import json
import pandas as pd
Load AzureHound data¶
with open('azure_data.json', 'r') as f: azure_data = json.load(f)
Convert to DataFrame for analysis¶
df = pd.json_normalize(azure_data['data'])
Analyze user distribution¶
users_df = df[df['kind'] == 'AZUser'] user_stats = \\{ 'total_users': len(users_df), 'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]), 'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']), 'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()]) \\}
Analyze applications¶
apps_df = df[df['kind'] == 'AZApp'] app_stats = \\{ 'total_apps': len(apps_df), 'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]), 'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()]) \\}
print(f"User Statistics: \\{user_stats\\}")
print(f"Application Statistics: \\{app_stats\\}")
## Betriebliche Sicherheitbash
Use legitimate user agent¶
./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
Randomize request timing¶
./azurehound list all --delay 3000 --jitter 75
Use proxy for requests¶
./azurehound list all --proxy http://proxy:8080
Limit concurrent requests¶
./azurehound list all --threads 2
### Rate Limiting Umgehungbash
Implement exponential backoff¶
./azurehound list all --retry-count 5 --retry-delay 30
Spread collection over time¶
./azurehound list users --delay 10000
sleep 300
./azurehound list groups --delay 10000
sleep 300
./azurehound list applications --delay 10000
### Log-Verschleierungbash
Use service principal instead of user account¶
./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Perform collection during business hours¶
current_hour=$(date +%H)
if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then
./azurehound list all -o business_hours_collection.json
fi
## Automatisierung und Scriptingbash
!/bin/bash¶
AzureHound automated collection script¶
TENANT_ID="your-tenant-id" CLIENT_ID="your-client-id" CLIENT_SECRET="your-client-secret" OUTPUT_DIR="./azurehound_output"
Create output directory¶
mkdir -p $OUTPUT_DIR
Collect Azure AD data¶
echo "Collecting Azure AD data..." ./azurehound list users,groups,applications,service-principals,devices,roles \ --client-id $CLIENT_ID \ --client-secret \(CLIENT_SECRET \ --tenant-id \(TENANT_ID \ --threads 3 \ --delay 2000 \ -o "\)OUTPUT_DIR/azuread_\)(date +%Y%m%d_%H%M%S).json"
Collect Azure Resource data¶
echo "Collecting Azure Resource data..." ./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \ --client-id $CLIENT_ID \ --client-secret \(CLIENT_SECRET \ --tenant-id \(TENANT_ID \ --threads 2 \ --delay 3000 \ -o "\)OUTPUT_DIR/azure_resources_\)(date +%Y%m%d_%H%M%S).json"
echo "Collection completed. Files saved to $OUTPUT_DIR"
### Automatisiertes Sammelskriptpowershell
PowerShell automation script¶
param( [string]\(TenantId, [string]\)ClientId, [string]\(ClientSecret, [string]\)OutputPath = ".\azurehound_output" )
Create output directory¶
New-Item -ItemType Directory -Path $OutputPath -Force
Define collection types¶
$collections = @( @\\{Name = "users"; Types = "users,groups,roles"\\}, @\\{Name = "applications"; Types = "applications,service-principals"\\}, @\\{Name = "devices"; Types = "devices,conditional-access-policies"\\}, @\\{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"\\} )
Perform collections¶
foreach ($collection in \(collections) \\\\{ (outputFile = Join-Path \(OutputPath "\)(\)collection.Name)_\)(Get-Date -Format 'yyyyMMdd_HHmmss').json"
Write-Host "Collecting $($collection.Name) data..."
& .\azurehound.exe list $collection.Types `
--client-id $ClientId `
--client-secret $ClientSecret `
--tenant-id $TenantId `
--threads 2 `
--delay 2000 `
-o $outputFile
Start-Sleep -Seconds 30
\\}
Write-Host "Collection completed. Files saved to $OutputPath"
### PowerShell-Automatisierungbash
Test authentication¶
./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Debug authentication¶
./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Check token validity¶
./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
## Fehlerbehebungbash
Check required permissions¶
./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID
List current permissions¶
./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID
Test specific permission¶
./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID
### Authentifizierungsproblemebash
Handle rate limiting¶
./azurehound list all --retry-count 10 --retry-delay 60 --threads 1
Monitor rate limit headers¶
./azurehound list users --debug|grep -i "rate|limit|throttle"
Use exponential backoff¶
./azurehound list all --backoff-strategy exponential --max-delay 300
### Berechtigungsproblemebash
Validate output¶
jq empty azure_data.json && echo "Valid JSON"||echo "Invalid JSON"
Check data completeness¶
jq '.data|group_by(.kind)|map(\\{kind: .[0].kind, count: length\\})' azure_data.json
Verify specific data types¶
jq '.data[]|select(.kind == "AZUser")|length' azure_data.json
### Rate Limiting Problemebash
Convert AzureHound data for ROADtools¶
jq '.data[]|select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json
Use with ROADtools database¶
roadrecon import --file azure_data.json
roadrecon gui
### Datensammlungsproblemepowershell
Use AzureHound data with AADInternals¶
$azureHoundData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
Extract user information for AADInternals¶
\(users = \(azureHoundData.data|Where-Object \\\\{\)_.kind -eq "AZUser"\\\\}
foreach (\)user in $users) \\{
# Use AADInternals to get additional information
$additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName
\\}
## Integration mit anderen Toolspython
Python integration example¶
import json import requests
def process_azurehound_data(file_path): with open(file_path, 'r') as f: data = json.load(f)
# Process users
users = [item for item in data['data'] if item['kind'] == 'AZUser']
# Process groups
groups = [item for item in data['data'] if item['kind'] == 'AZGroup']
# Process applications
apps = [item for item in data['data'] if item['kind'] == 'AZApp']
return \\\\{
'users': users,
'groups': groups,
'applications': apps
\\\\}
Usage¶
processed_data = process_azurehound_data('azure_data.json') ```### ROADtools Integration https://github.com/BloodHoundAD/AzureHound##
AADInternals Integration¶
https://bloodhound.readthedocs.io/##
Benutzerdefinierte Tool-Integration¶
Ressourcen¶
https://cloudbrothers.info/en/azure-attack-defense/- AzureHound GitHub Repository