Hoja de Referencia del Recolector de Datos AzureHound BloodHound¶

Descripción General¶

AzureHound es un recolector de datos para BloodHound desarrollado por SpecterOps que recopila información de Azure Active Directory y Azure Resource Manager. Mapea relaciones de Azure AD y rutas de ataque, proporcionando capacidades de visualización para entornos Azure similares al análisis de Active Directory local de BloodHound.

⚠️ Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y evaluaciones de seguridad. Asegúrese de tener la autorización adecuada antes de usarla en cualquier entorno.

Instalación¶

Binarios Pre-compilados¶

# Download latest release for Linux
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip
unzip azurehound-linux-amd64.zip
chmod +x azurehound

# Download for Windows
# Download azurehound-windows-amd64.zip from GitHub releases

# Download for macOS
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip
unzip azurehound-darwin-amd64.zip
chmod +x azurehound

Compilar desde el Código Fuente¶

# Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
go build -o azurehound ./cmd/azurehound

Instalación con Docker¶

# Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
docker build -t azurehound .

# Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehound

Uso Básico¶

Métodos de Autenticación¶

# Interactive authentication
./azurehound -u user@domain.com -p password

# Device code authentication
./azurehound --device-code

# Service principal authentication
./azurehound --client-id <client-id> --client-secret <secret> --tenant-id <tenant-id>

# Certificate authentication
./azurehound --client-id <client-id> --cert-path cert.pem --key-path key.pem --tenant-id <tenant-id>

# Managed identity authentication (Azure VM)
./azurehound --managed-identity

Recolección Básica de Datos¶

# Collect all available data
./azurehound list all

# Collect specific data types
./azurehound list users,groups,applications

# Output to specific file
./azurehound list all -o azure_data.json

# Collect with specific tenant
./azurehound list all --tenant-id <tenant-id>

Referencia de Comandos¶

Opciones de Autenticación¶

Opción	Descripción
`-u, --username`	Nombre de usuario para autenticación
`-p, --password`	Contraseña para autenticación
`--device-code`	Usar flujo de código de dispositivo
`--client-id`	ID de cliente de entidad de servicio
`--client-secret`	Secreto de entidad de servicio
`--cert-path`	Ruta del archivo de certificado
`--tenant-id`	ID de inquilino de Azure AD
### Opciones de Recolección
Opción	Descripción
--------	-------------
`list`	Recopilar tipos de datos especificados
`-o, --output`	Ruta de archivo de salida
`--threads`	Número de hilos concurrentes
`--delay`	Retraso entre solicitudes (ms)
`--jitter`	Porcentaje de jitter aleatorio
`--timeout`	Tiempo de espera de solicitud (segundos)
### Tipos de Datos
Type	Descripción
------	-------------
`users`	Usuarios de Azure AD
`groups`	Grupos de Azure AD
`applications`	Registros de aplicaciones
`service-principals`	Service principals
`devices`	Dispositivos de Azure AD
`roles`	Roles de directorio
`subscriptions`	Suscripciones de Azure
`resource-groups`	Grupos de recursos
## Estrategias de Recolección de Datos

Recolección Completa¶

# Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json

# Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json

# Collect everything
./azurehound list all -o azure_full_dump.json

Recolección Dirigida¶

# Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json

# Application and service principal focus
./azurehound list applications,service-principals -o applications.json

# Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.json

Recolección Sigilosa¶

# Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json

# Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json

# Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.json

Técnicas Avanzadas de Recolección¶

Recolección Multi-Inquilino¶

# Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id")
for tenant in "$\\\\{tenants[@]\\\\}"; do
    ./azurehound list all --tenant-id $tenant -o "tenant_$\\\\{tenant\\\\}.json"
done

# Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.json

Enumeración de Suscripciones¶

# List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json

# Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id <sub-id> -o subscription_data.json

# Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do
    ./azurehound list all --subscription-id $sub_id -o "sub_$\\\\{sub_id\\\\}.json"
done

Consultas y Filtros Personalizados¶

# Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json

# Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json

# Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.json

Integración con BloodHound¶

Importación de Datos a BloodHound¶

# Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound

# Import AzureHound data
# Use BloodHound GUI to import the JSON files
# File -> Import Data -> Select AzureHound JSON files

Consultas Cypher Personalizadas¶

-- Find all Global Administrators
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: "Global Administrator"\\\\})
RETURN u.displayname, u.userprincipalname

-- Find applications with high privileges
MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole)
WHERE role.value CONTAINS "All"
RETURN app.displayname, role.value

-- Find users with direct role assignments
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole)
WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r)
RETURN u.displayname, r.displayname

-- Find privilege escalation paths
MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole)
WHERE r.displayname CONTAINS "Administrator"
RETURN p

-- Find applications owned by users
MATCH (u:AZUser)-[:AZOwns]->(app:AZApp)
RETURN u.displayname, app.displayname

-- Find service principals with secrets
MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret)
RETURN sp.displayname, s.displayname

Consultas Personalizadas de BloodHound¶

\\\\{
  "queries": [
    \\\\{
      "name": "Azure Global Admins",
      "category": "Azure",
      "queryList": [
        \\\\{
          "final": true,
          "query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\}) RETURN u"
        \\\\}
      ]
    \\\\},
    \\\\{
      "name": "High Privilege Applications",
      "category": "Azure",
      "queryList": [
        \\\\{
          "final": true,
          "query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
        \\\\}
      ]
    \\\\},
    \\\\{
      "name": "Privilege Escalation Paths to Global Admin",
      "category": "Azure",
      "queryList": [
        \\\\{
          "final": true,
          "query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\})) RETURN p"
        \\\\}
      ]
    \\\\}
  ]
\\\\}

Análisis y Procesamiento de Datos¶

Procesamiento de Datos JSON¶

# Extract user information
jq '.data[]|select(.kind == "AZUser")|\\\\{name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled\\\\}' azure_data.json

# Find privileged users
jq '.data[]|select(.kind == "AZUser" and (.properties.assignedRoles // [])|length > 0)' azure_data.json

# Extract application permissions
jq '.data[]|select(.kind == "AZApp")|\\\\{name: .properties.displayName, permissions: .properties.requiredResourceAccess\\\\}' azure_data.json

# Count objects by type
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json

Análisis con PowerShell¶

Would you like me to continue with the remaining sections?```powershell

Load and analyze AzureHound data¶

$azureData = Get-Content -Path "azure_data.json"|ConvertFrom-Json

Find users with administrative roles¶

$adminUsers = $azureData.data|Where-Object \\{ $.kind -eq "AZUser" -and $.properties.assignedRoles -contains "Global Administrator" \\}

Find applications with high privileges¶

$highPrivApps = $azureData.data|Where-Object \\{ $.kind -eq "AZApp" -and $.properties.requiredResourceAccess.resourceAppId -contains "00000003-0000-0000-c000-000000000000" \\}

Generate summary report¶

$report = @\\\\{ TotalUsers = ($azureData.data|Where-Object \\{$_.kind -eq "AZUser"\\\\}).Count TotalGroups = ($azureData.data|Where-Object \\{$_.kind -eq "AZGroup"\\\\}).Count TotalApps = ($azureData.data|Where-Object \\{$_.kind -eq "AZApp"\\}).Count AdminUsers = $adminUsers.Count HighPrivApps = $highPrivApps.Count \\}

$report|ConvertTo-Json|Out-File "azure_summary.json" ### Análisis de Pythonpython import json import pandas as pd

Load AzureHound data¶

with open('azure_data.json', 'r') as f: azure_data = json.load(f)

Convert to DataFrame for analysis¶

df = pd.json_normalize(azure_data['data'])

Analyze user distribution¶

users_df = df[df['kind'] == 'AZUser'] user_stats = \\{ 'total_users': len(users_df), 'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]), 'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']), 'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()]) \\}

Analyze applications¶

apps_df = df[df['kind'] == 'AZApp'] app_stats = \\{ 'total_apps': len(apps_df), 'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]), 'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()]) \\}

print(f"User Statistics: \\{user_stats\\}") print(f"Application Statistics: \\{app_stats\\}") ```## Seguridad Operacional

Técnicas de Sigilo¶

```bash

Use legitimate user agent¶

./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

Randomize request timing¶

./azurehound list all --delay 3000 --jitter 75

Use proxy for requests¶

./azurehound list all --proxy http://proxy:8080

Limit concurrent requests¶

./azurehound list all --threads 2 ### Evasión de Límites de Tasabash

Implement exponential backoff¶

./azurehound list all --retry-count 5 --retry-delay 30

Spread collection over time¶

./azurehound list users --delay 10000 sleep 300 ./azurehound list groups --delay 10000 sleep 300 ./azurehound list applications --delay 10000 ### Evasión de Registrosbash

Use service principal instead of user account¶

./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

Perform collection during business hours¶

current_hour=$(date +%H) if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then ./azurehound list all -o business_hours_collection.json fi ```## Automatización y Scripting

Script de Recolección Automatizada¶

```bash

!/bin/bash¶

AzureHound automated collection script¶

TENANT_ID="your-tenant-id" CLIENT_ID="your-client-id" CLIENT_SECRET="your-client-secret" OUTPUT_DIR="./azurehound_output"

Create output directory¶

mkdir -p $OUTPUT_DIR

Collect Azure AD data¶

echo "Collecting Azure AD data..." ./azurehound list users,groups,applications,service-principals,devices,roles \ --client-id $CLIENT_ID \ --client-secret $CLIENT_SECRET \ --tenant-id \(TENANT_ID \ --threads 3 \ --delay 2000 \ -o "$OUTPUT_DIR/azuread_\)(date +%Y%m%d_%H%M%S).json"

Collect Azure Resource data¶

echo "Collecting Azure Resource data..." ./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \ --client-id $CLIENT_ID \ --client-secret $CLIENT_SECRET \ --tenant-id \(TENANT_ID \ --threads 2 \ --delay 3000 \ -o "$OUTPUT_DIR/azure_resources_\)(date +%Y%m%d_%H%M%S).json"

echo "Collection completed. Files saved to $OUTPUT_DIR" ### Automatización de PowerShellpowershell

PowerShell automation script¶

param( [string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$OutputPath = ".\azurehound_output" )

Create output directory¶

New-Item -ItemType Directory -Path $OutputPath -Force

Define collection types¶

$collections = @( @\\{Name = "users"; Types = "users,groups,roles"\\}, @\\{Name = "applications"; Types = "applications,service-principals"\\}, @\\{Name = "devices"; Types = "devices,conditional-access-policies"\\}, @\\{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"\\} )

Perform collections¶

foreach ($collection in $collections) \\\\{ (outputFile = Join-Path \(OutputPath "$(\)collection.Name)_\)(Get-Date -Format 'yyyyMMdd_HHmmss').json"

Write-Host "Collecting $($collection.Name) data..."

& .\azurehound.exe list $collection.Types `
    --client-id $ClientId `
    --client-secret $ClientSecret `
    --tenant-id $TenantId `
    --threads 2 `
    --delay 2000 `
    -o $outputFile

Start-Sleep -Seconds 30

\\}

Write-Host "Collection completed. Files saved to $OutputPath" ```## Resolución de Problemas

Problemas de Autenticación¶

```bash

Test authentication¶

./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

Debug authentication¶

./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

Check token validity¶

./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID ### Problemas de Permisosbash

Check required permissions¶

./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID

List current permissions¶

./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID

Test specific permission¶

./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID ### Problemas de Límites de Tasabash

Handle rate limiting¶

./azurehound list all --retry-count 10 --retry-delay 60 --threads 1

Monitor rate limit headers¶

./azurehound list users --debug|grep -i "rate|limit|throttle"

Use exponential backoff¶

./azurehound list all --backoff-strategy exponential --max-delay 300 ### Problemas de Recolección de Datosbash

Validate output¶

jq empty azure_data.json && echo "Valid JSON"||echo "Invalid JSON"

Check data completeness¶

jq '.data|group_by(.kind)|map(\\{kind: .[0].kind, count: length\\})' azure_data.json

Verify specific data types¶

jq '.data[]|select(.kind == "AZUser")|length' azure_data.json ```## Integración con Otras Herramientas

Integración de ROADtools¶

```bash

Convert AzureHound data for ROADtools¶

jq '.data[]|select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json

Use with ROADtools database¶

roadrecon import --file azure_data.json roadrecon gui ### Integración de AADInternalspowershell

Use AzureHound data with AADInternals¶

$azureHoundData = Get-Content -Path "azure_data.json"|ConvertFrom-Json

Extract user information for AADInternals¶

$users = \(azureHoundData.data|Where-Object \\\\{$_.kind -eq "AZUser"\\\\} foreach (\)user in $users) \\{ # Use AADInternals to get additional information $additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName \\} ### Integración de Herramientas Personalizadaspython

Python integration example¶

import json import requests

def process_azurehound_data(file_path): with open(file_path, 'r') as f: data = json.load(f)

# Process users
users = [item for item in data['data'] if item['kind'] == 'AZUser']

# Process groups
groups = [item for item in data['data'] if item['kind'] == 'AZGroup']

# Process applications
apps = [item for item in data['data'] if item['kind'] == 'AZApp']

return \\\\{
    'users': users,
    'groups': groups,
    'applications': apps
\\\\}

Usage¶

processed_data = process_azurehound_data('azure_data.json') ```## Recursos

Esta hoja de referencia proporciona una referencia completa para el uso de AzureHound. Siempre asegúrese de tener la autorización adecuada antes de realizar evaluaciones de seguridad de Azure AD.