AzureHound BloodHound Collecteur de données Feuille de chaleur
Aperçu général
AzureHound est un collecteur de données pour BloodHound développé par SpecterOps qui recueille des informations de Azure Active Directory et Azure Resource Manager. Il cartographie les relations et les trajectoires d'attaque d'Azure AD, fournissant des capacités de visualisation pour les environnements d'Azure similaires à l'analyse Active Directory sur site de BloodHound.
C'est pas vrai. Attention : Cet outil est destiné uniquement aux tests de pénétration et aux évaluations de sécurité autorisés. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.
Installation
Binaires précompilés
# Download latest release for Linux
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip
unzip azurehound-linux-amd64.zip
chmod +x azurehound
# Download for Windows
# Download azurehound-windows-amd64.zip from GitHub releases
# Download for macOS
wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip
unzip azurehound-darwin-amd64.zip
chmod +x azurehound
Construire à partir de la source
# Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
go build -o azurehound ./cmd/azurehound
```_
### Installation Docker
```bash
# Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
docker build -t azurehound .
# Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehound
```_
## Utilisation de base
### Méthodes d'authentification
```bash
# Interactive authentication
./azurehound -u user@domain.com -p password
# Device code authentication
./azurehound --device-code
# Service principal authentication
./azurehound --client-id <client-id> --client-secret <secret> --tenant-id <tenant-id>
# Certificate authentication
./azurehound --client-id <client-id> --cert-path cert.pem --key-path key.pem --tenant-id <tenant-id>
# Managed identity authentication (Azure VM)
./azurehound --managed-identity
Collecte de données de base
# Collect all available data
./azurehound list all
# Collect specific data types
./azurehound list users,groups,applications
# Output to specific file
./azurehound list all -o azure_data.json
# Collect with specific tenant
./azurehound list all --tenant-id <tenant-id>
Référence de commande
Options d'authentification
| Option | Description |
|---|---|
-u, --username |
Username for authentication |
-p, --password |
Password for authentication |
--device-code |
Use device code flow |
--client-id |
Service principal client ID |
--client-secret |
Service principal secret |
--cert-path |
Certificate file path |
--tenant-id |
Azure AD tenant ID |
Options de recouvrement
| Option | Description |
|---|---|
list |
Collect specified data types |
-o, --output |
Output file path |
--threads |
Number of concurrent threads |
--delay |
Delay between requests (ms) |
--jitter |
Random jitter percentage |
--timeout |
Request timeout (seconds) |
Types de données
| Type | Description |
|---|---|
users |
Azure AD users |
groups |
Azure AD groups |
applications |
App registrations |
service-principals |
Service principals |
devices |
Azure AD devices |
roles |
Directory roles |
subscriptions |
Azure subscriptions |
resource-groups |
Resource groups |
Stratégies de collecte de données
Collection complète
# Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json
# Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json
# Collect everything
./azurehound list all -o azure_full_dump.json
Collecte ciblée
# Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json
# Application and service principal focus
./azurehound list applications,service-principals -o applications.json
# Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.json
Collecte des vols
# Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json
# Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json
# Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.json
Techniques de collection avancées
Collection multi-tendants
# Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id")
for tenant in "$\\\\{tenants[@]\\\\}"; do
./azurehound list all --tenant-id $tenant -o "tenant_$\\\\{tenant\\\\}.json"
done
# Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.json
Énumération des abonnements
# List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json
# Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id <sub-id> -o subscription_data.json
# Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do
./azurehound list all --subscription-id $sub_id -o "sub_$\\\\{sub_id\\\\}.json"
done
Demandes et filtres personnalisés
# Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json
# Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json
# Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.json
Intégration de BloodHound
Importation de données à BloodHound
# Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound
# Import AzureHound data
# Use BloodHound GUI to import the JSON files
# File -> Import Data -> Select AzureHound JSON files
Demandes de renseignements personnalisées sur le chiffre
-- Find all Global Administrators
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: "Global Administrator"\\\\})
RETURN u.displayname, u.userprincipalname
-- Find applications with high privileges
MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole)
WHERE role.value CONTAINS "All"
RETURN app.displayname, role.value
-- Find users with direct role assignments
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole)
WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r)
RETURN u.displayname, r.displayname
-- Find privilege escalation paths
MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole)
WHERE r.displayname CONTAINS "Administrator"
RETURN p
-- Find applications owned by users
MATCH (u:AZUser)-[:AZOwns]->(app:AZApp)
RETURN u.displayname, app.displayname
-- Find service principals with secrets
MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret)
RETURN sp.displayname, s.displayname
Demandes de renseignements personnalisées sur BloodHound
\\\\{
"queries": [
\\\\{
"name": "Azure Global Admins",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\}) RETURN u"
\\\\}
]
\\\\},
\\\\{
"name": "High Privilege Applications",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
\\\\}
]
\\\\},
\\\\{
"name": "Privilege Escalation Paths to Global Admin",
"category": "Azure",
"queryList": [
\\\\{
"final": true,
"query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\})) RETURN p"
\\\\}
]
\\\\}
]
\\\\}
Analyse et traitement des données
JSON Traitement des données
# Extract user information
jq '.data[]|select(.kind == "AZUser")|\\\\{name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled\\\\}' azure_data.json
# Find privileged users
jq '.data[]|select(.kind == "AZUser" and (.properties.assignedRoles // [])|length > 0)' azure_data.json
# Extract application permissions
jq '.data[]|select(.kind == "AZApp")|\\\\{name: .properties.displayName, permissions: .properties.requiredResourceAccess\\\\}' azure_data.json
# Count objects by type
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json
Analyse PowerShell
# Load and analyze AzureHound data
$azureData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
# Find users with administrative roles
$adminUsers = $azureData.data|Where-Object \\\\{
$_.kind -eq "AZUser" -and
$_.properties.assignedRoles -contains "Global Administrator"
\\\\}
# Find applications with high privileges
$highPrivApps = $azureData.data|Where-Object \\\\{
$_.kind -eq "AZApp" -and
$_.properties.requiredResourceAccess.resourceAppId -contains "00000003-0000-0000-c000-000000000000"
\\\\}
# Generate summary report
$report = @\\\\{
TotalUsers = ($azureData.data|Where-Object \\\\{$_.kind -eq "AZUser"\\\\}).Count
TotalGroups = ($azureData.data|Where-Object \\\\{$_.kind -eq "AZGroup"\\\\}).Count
TotalApps = ($azureData.data|Where-Object \\\\{$_.kind -eq "AZApp"\\\\}).Count
AdminUsers = $adminUsers.Count
HighPrivApps = $highPrivApps.Count
\\\\}
$report|ConvertTo-Json|Out-File "azure_summary.json"
Analyse Python
import json
import pandas as pd
# Load AzureHound data
with open('azure_data.json', 'r') as f:
azure_data = json.load(f)
# Convert to DataFrame for analysis
df = pd.json_normalize(azure_data['data'])
# Analyze user distribution
users_df = df[df['kind'] == 'AZUser']
user_stats = \\\\{
'total_users': len(users_df),
'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]),
'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']),
'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()])
\\\\}
# Analyze applications
apps_df = df[df['kind'] == 'AZApp']
app_stats = \\\\{
'total_apps': len(apps_df),
'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]),
'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()])
\\\\}
print(f"User Statistics: \\\\{user_stats\\\\}")
print(f"Application Statistics: \\\\{app_stats\\\\}")
Sécurité opérationnelle
Techniques de vol
# Use legitimate user agent
./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Randomize request timing
./azurehound list all --delay 3000 --jitter 75
# Use proxy for requests
./azurehound list all --proxy http://proxy:8080
# Limit concurrent requests
./azurehound list all --threads 2
Limite de taux Évitement
# Implement exponential backoff
./azurehound list all --retry-count 5 --retry-delay 30
# Spread collection over time
./azurehound list users --delay 10000
sleep 300
./azurehound list groups --delay 10000
sleep 300
./azurehound list applications --delay 10000
Évasion du journal
# Use service principal instead of user account
./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
# Perform collection during business hours
current_hour=$(date +%H)
if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then
./azurehound list all -o business_hours_collection.json
fi
Automatisation et écriture
Script de la collection automatisée
#!/bin/bash
# AzureHound automated collection script
TENANT_ID="your-tenant-id"
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"
OUTPUT_DIR="./azurehound_output"
# Create output directory
mkdir -p $OUTPUT_DIR
# Collect Azure AD data
echo "Collecting Azure AD data..."
./azurehound list users,groups,applications,service-principals,devices,roles \
--client-id $CLIENT_ID \
--client-secret $CLIENT_SECRET \
--tenant-id $TENANT_ID \
--threads 3 \
--delay 2000 \
-o "$OUTPUT_DIR/azuread_$(date +%Y%m%d_%H%M%S).json"
# Collect Azure Resource data
echo "Collecting Azure Resource data..."
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \
--client-id $CLIENT_ID \
--client-secret $CLIENT_SECRET \
--tenant-id $TENANT_ID \
--threads 2 \
--delay 3000 \
-o "$OUTPUT_DIR/azure_resources_$(date +%Y%m%d_%H%M%S).json"
echo "Collection completed. Files saved to $OUTPUT_DIR"
Automatisation PowerShell
# PowerShell automation script
param(
[string]$TenantId,
[string]$ClientId,
[string]$ClientSecret,
[string]$OutputPath = ".\azurehound_output"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force
# Define collection types
$collections = @(
@\\\\{Name = "users"; Types = "users,groups,roles"\\\\},
@\\\\{Name = "applications"; Types = "applications,service-principals"\\\\},
@\\\\{Name = "devices"; Types = "devices,conditional-access-policies"\\\\},
@\\\\{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"\\\\}
)
# Perform collections
foreach ($collection in $collections) \\\\{
$outputFile = Join-Path $OutputPath "$($collection.Name)_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"
Write-Host "Collecting $($collection.Name) data..."
& .\azurehound.exe list $collection.Types `
--client-id $ClientId `
--client-secret $ClientSecret `
--tenant-id $TenantId `
--threads 2 `
--delay 2000 `
-o $outputFile
Start-Sleep -Seconds 30
\\\\}
Write-Host "Collection completed. Files saved to $OutputPath"
Dépannage
Questions d'authentification
# Test authentication
./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
# Debug authentication
./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
# Check token validity
./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
Questions relatives à la permission
# Check required permissions
./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID
# List current permissions
./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID
# Test specific permission
./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID
Problèmes de limitation des taux
# Handle rate limiting
./azurehound list all --retry-count 10 --retry-delay 60 --threads 1
# Monitor rate limit headers
./azurehound list users --debug|grep -i "rate\|limit\|throttle"
# Use exponential backoff
./azurehound list all --backoff-strategy exponential --max-delay 300
Problèmes de collecte de données
# Validate output
jq empty azure_data.json && echo "Valid JSON"||echo "Invalid JSON"
# Check data completeness
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json
# Verify specific data types
jq '.data[]|select(.kind == "AZUser")|length' azure_data.json
Intégration avec d'autres outils
Intégration de ROADtools
# Convert AzureHound data for ROADtools
jq '.data[]|select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json
# Use with ROADtools database
roadrecon import --file azure_data.json
roadrecon gui
Intégration AADInternals
# Use AzureHound data with AADInternals
$azureHoundData = Get-Content -Path "azure_data.json"|ConvertFrom-Json
# Extract user information for AADInternals
$users = $azureHoundData.data|Where-Object \\\\{$_.kind -eq "AZUser"\\\\}
foreach ($user in $users) \\\\{
# Use AADInternals to get additional information
$additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName
\\\\}
Intégration d'outils personnalisés
# Python integration example
import json
import requests
def process_azurehound_data(file_path):
with open(file_path, 'r') as f:
data = json.load(f)
# Process users
users = [item for item in data['data'] if item['kind'] == 'AZUser']
# Process groups
groups = [item for item in data['data'] if item['kind'] == 'AZGroup']
# Process applications
apps = [item for item in data['data'] if item['kind'] == 'AZApp']
return \\\\{
'users': users,
'groups': groups,
'applications': apps
\\\\}
# Usage
processed_data = process_azurehound_data('azure_data.json')
Ressources
- [Résistoire GitHub d'AzureHound] (LINK_5)
- [Documentation relative à la soute] (LINK_5)
- [SpecterOps Blog] (LINK_5)
- [Attaque et défense contre Azure AD] (LINK_5)
- [Édition communautaire BloodHound] (LINK_5)
*Cette feuille de triche fournit une référence complète pour l'utilisation d'AzureHound. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer des évaluations de sécurité Azure AD. *