Salta ai contenuti
1337skills 1337skills - Cheat Sheet

Foglio Informativo di AzureHound per la Raccolta Dati di BloodHound

Panoramica

AzureHound è un raccoglitore di dati per BloodHound sviluppato da SpecterOps che raccoglie informazioni da Azure Active Directory e Azure Resource Manager. Mappa le relazioni di Azure AD e i percorsi di attacco, fornendo funzionalità di visualizzazione per ambienti Azure simili all’analisi di Active Directory in sede di BloodHound.

⚠️ Avvertenza: Questo strumento è destinato esclusivamente a test di penetrazione autorizzati e valutazioni di sicurezza. Assicurarsi di avere l’autorizzazione prima di utilizzarlo in qualsiasi ambiente.

Would you like me to continue with the remaining sections? Please confirm the specific texts for each numbered section, and I’ll translate them accordingly.```bash

Download latest release for Linux

wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-linux-amd64.zip unzip azurehound-linux-amd64.zip chmod +x azurehound

Download for Windows

Download azurehound-windows-amd64.zip from GitHub releases

Download for macOS

wget https://github.com/BloodHoundAD/AzureHound/releases/latest/download/azurehound-darwin-amd64.zip unzip azurehound-darwin-amd64.zip chmod +x azurehound


### Build from Source
```bash
# Install Go (version 1.19+)
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
go build -o azurehound ./cmd/azurehound

Docker Installation

# Build Docker image
git clone https://github.com/BloodHoundAD/AzureHound.git
cd AzureHound
docker build -t azurehound .

# Run AzureHound in Docker
docker run -it -v $(pwd):/data azurehound

Basic Usage

Authentication Methods

# Interactive authentication
./azurehound -u user@domain.com -p password

# Device code authentication
./azurehound --device-code

# Service principal authentication
./azurehound --client-id <client-id> --client-secret <secret> --tenant-id <tenant-id>

# Certificate authentication
./azurehound --client-id <client-id> --cert-path cert.pem --key-path key.pem --tenant-id <tenant-id>

# Managed identity authentication (Azure VM)
./azurehound --managed-identity

Basic Data Collection

# Collect all available data
./azurehound list all

# Collect specific data types
./azurehound list users,groups,applications

# Output to specific file
./azurehound list all -o azure_data.json

# Collect with specific tenant
./azurehound list all --tenant-id <tenant-id>

Command Reference

Authentication Options

OpzioneDescrizione
-u, --usernameNome utente per l’autenticazione
-p, --passwordPassword per l’autenticazione
--device-codeUtilizzare il flusso del codice del dispositivo
--client-idID client del service principal
--client-secretSegreto del service principal
--cert-pathPercorso del file del certificato
--tenant-idID tenant di Azure AD

Collection Options

OpzioneDescrizione
listRaccogli tipi di dati specificati
-o, --outputPercorso del file di output
--threadsNumero di thread concorrenti
--delayRitardo tra richieste (ms)
--jitterPercentuale di jitter casuale
--timeoutTimeout richiesta (secondi)

Data Types

TipoDescrizione
usersUtenti Azure AD
groupsGruppi di Azure AD
applicationsRegistrazioni app
service-principalsService principal
devicesDispositivi Azure AD
rolesRuoli di directory
subscriptionsSottoscrizioni Azure
resource-groupsGruppi di risorse

Data Collection Strategies

Comprehensive Collection

# Collect all Azure AD data
./azurehound list users,groups,applications,service-principals,devices,roles -o azuread_complete.json

# Collect all Azure Resource Manager data
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults,storage-accounts -o azure_resources.json

# Collect everything
./azurehound list all -o azure_full_dump.json

Targeted Collection

# Focus on privileged accounts
./azurehound list users,groups,roles --filter "privileged" -o privileged_accounts.json

# Application and service principal focus
./azurehound list applications,service-principals -o applications.json

# Device and compliance focus
./azurehound list devices,conditional-access-policies -o device_compliance.json

Stealth Collection

# Low and slow collection
./azurehound list all --threads 1 --delay 5000 --jitter 50 -o stealth_collection.json

# Randomized collection order
./azurehound list users,groups,applications --random-order --delay 2000 -o random_collection.json

# Time-based collection
./azurehound list all --start-time "09:00" --end-time "17:00" -o business_hours.json

Advanced Collection Techniques

Multi-Tenant Collection

# Collect from multiple tenants
tenants=("tenant1-id" "tenant2-id" "tenant3-id")
for tenant in "$\\\\{tenants[@]\\\\}"; do
    ./azurehound list all --tenant-id $tenant -o "tenant_$\\\\{tenant\\\\}.json"
done

# Merge tenant data
jq -s 'add' tenant_*.json > multi_tenant_data.json

Subscription Enumeration

# List all accessible subscriptions
./azurehound list subscriptions -o subscriptions.json

# Collect data from specific subscription
./azurehound list resource-groups,virtual-machines --subscription-id <sub-id> -o subscription_data.json

# Iterate through all subscriptions
for sub_id in $(jq -r '.data[].properties.subscriptionId' subscriptions.json); do
    ./azurehound list all --subscription-id $sub_id -o "sub_$\\\\{sub_id\\\\}.json"
done

Custom Queries and Filters

# Filter by specific attributes
./azurehound list users --filter "department eq 'IT'" -o it_users.json

# Search for specific patterns
./azurehound list applications --search "admin" -o admin_apps.json

# Collect only enabled accounts
./azurehound list users --filter "accountEnabled eq true" -o active_users.json

BloodHound Integration

Data Import to BloodHound

# Start BloodHound Community Edition
docker run -p 7474:7474 -p 7687:7687 -e NEO4J_AUTH=neo4j/bloodhound specterops/bloodhound

# Import AzureHound data
# Use BloodHound GUI to import the JSON files
# File -> Import Data -> Select AzureHound JSON files

Custom Cypher Queries

-- Find all Global Administrators
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: "Global Administrator"\\\\})
RETURN u.displayname, u.userprincipalname

-- Find applications with high privileges
MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole)
WHERE role.value CONTAINS "All"
RETURN app.displayname, role.value

-- Find users with direct role assignments
MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole)
WHERE NOT (u)-[:AZMemberOf]->()-[:AZHasRole]->(r)
RETURN u.displayname, r.displayname

-- Find privilege escalation paths
MATCH p = (u:AZUser)-[:AZMemberOf*1..3]->(g:AZGroup)-[:AZHasRole]->(r:AZRole)
WHERE r.displayname CONTAINS "Administrator"
RETURN p

-- Find applications owned by users
MATCH (u:AZUser)-[:AZOwns]->(app:AZApp)
RETURN u.displayname, app.displayname

-- Find service principals with secrets
MATCH (sp:AZServicePrincipal)-[:AZHasSecret]->(s:AZSecret)
RETURN sp.displayname, s.displayname

Custom BloodHound Queries

\\\\{
  "queries": [
    \\\\{
      "name": "Azure Global Admins",
      "category": "Azure",
      "queryList": [
        \\\\{
          "final": true,
          "query": "MATCH (u:AZUser)-[:AZHasRole]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\}) RETURN u"
        \\\\}
      ]
    \\\\},
    \\\\{
      "name": "High Privilege Applications",
      "category": "Azure",
      "queryList": [
        \\\\{
          "final": true,
          "query": "MATCH (app:AZApp)-[:AZHasAppRole]->(role:AZAppRole) WHERE role.value CONTAINS 'All' RETURN app"
        \\\\}
      ]
    \\\\},
    \\\\{
      "name": "Privilege Escalation Paths to Global Admin",
      "category": "Azure",
      "queryList": [
        \\\\{
          "final": true,
          "query": "MATCH p = shortestPath((u:AZUser)-[*1..6]->(r:AZRole \\\\{displayname: 'Global Administrator'\\\\})) RETURN p"
        \\\\}
      ]
    \\\\}
  ]
\\\\}

Data Analysis and Processing

JSON Data Processing

# Extract user information
jq '.data[]|select(.kind == "AZUser")|\\\\{name: .properties.displayName, upn: .properties.userPrincipalName, enabled: .properties.accountEnabled\\\\}' azure_data.json

# Find privileged users
jq '.data[]|select(.kind == "AZUser" and (.properties.assignedRoles // [])|length > 0)' azure_data.json

# Extract application permissions
jq '.data[]|select(.kind == "AZApp")|\\\\{name: .properties.displayName, permissions: .properties.requiredResourceAccess\\\\}' azure_data.json

# Count objects by type
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json

PowerShell Analysis

# Load and analyze AzureHound data
$azureData = Get-Content -Path "azure_data.json"|ConvertFrom-Json

# Find users with administrative roles
$adminUsers = $azureData.data|Where-Object \\\\{
    $_.kind -eq "AZUser" -and
    $_.properties.assignedRoles -contains "Global Administrator"
\\\\}

# Find applications with high privileges
$highPrivApps = $azureData.data|Where-Object \\\\{
    $_.kind -eq "AZApp" -and
    $_.properties.requiredResourceAccess.resourceAppId -contains "00000003-0000-0000-c000-000000000000"
\\\\}

# Generate summary report
$report = @\\\\{
    TotalUsers = ($azureData.data|Where-Object \\\\{$_.kind -eq "AZUser"\\\\}).Count
    TotalGroups = ($azureData.data|Where-Object \\\\{$_.kind -eq "AZGroup"\\\\}).Count
    TotalApps = ($azureData.data|Where-Object \\\\{$_.kind -eq "AZApp"\\\\}).Count
    AdminUsers = $adminUsers.Count
    HighPrivApps = $highPrivApps.Count
\\\\}

$report|ConvertTo-Json|Out-File "azure_summary.json"
```### Analisi Python
```python
import json
import pandas as pd

# Load AzureHound data
with open('azure_data.json', 'r') as f:
    azure_data = json.load(f)

# Convert to DataFrame for analysis
df = pd.json_normalize(azure_data['data'])

# Analyze user distribution
users_df = df[df['kind'] == 'AZUser']
user_stats = \\\\{
    'total_users': len(users_df),
    'enabled_users': len(users_df[users_df['properties.accountEnabled'] == True]),
    'guest_users': len(users_df[users_df['properties.userType'] == 'Guest']),
    'admin_users': len(users_df[users_df['properties.assignedRoles'].notna()])
\\\\}

# Analyze applications
apps_df = df[df['kind'] == 'AZApp']
app_stats = \\\\{
    'total_apps': len(apps_df),
    'apps_with_secrets': len(apps_df[apps_df['properties.passwordCredentials'].notna()]),
    'apps_with_certs': len(apps_df[apps_df['properties.keyCredentials'].notna()])
\\\\}

print(f"User Statistics: \\\\{user_stats\\\\}")
print(f"Application Statistics: \\\\{app_stats\\\\}")
```## Sicurezza Operativa

### Tecniche di Stealth
```bash
# Use legitimate user agent
./azurehound list all --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"

# Randomize request timing
./azurehound list all --delay 3000 --jitter 75

# Use proxy for requests
./azurehound list all --proxy http://proxy:8080

# Limit concurrent requests
./azurehound list all --threads 2
```### Aggiramento del Rate Limiting
```bash
# Implement exponential backoff
./azurehound list all --retry-count 5 --retry-delay 30

# Spread collection over time
./azurehound list users --delay 10000
sleep 300
./azurehound list groups --delay 10000
sleep 300
./azurehound list applications --delay 10000
```### Evasione dei Log
```bash
# Use service principal instead of user account
./azurehound list all --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

# Perform collection during business hours
current_hour=$(date +%H)
if [ $current_hour -ge 9 ] && [ $current_hour -le 17 ]; then
    ./azurehound list all -o business_hours_collection.json
fi
```## Automazione e Scripting

### Script di Raccolta Automatizzata
```bash
#!/bin/bash

# AzureHound automated collection script
TENANT_ID="your-tenant-id"
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"
OUTPUT_DIR="./azurehound_output"

# Create output directory
mkdir -p $OUTPUT_DIR

# Collect Azure AD data
echo "Collecting Azure AD data..."
./azurehound list users,groups,applications,service-principals,devices,roles \
    --client-id $CLIENT_ID \
    --client-secret $CLIENT_SECRET \
    --tenant-id $TENANT_ID \
    --threads 3 \
    --delay 2000 \
    -o "$OUTPUT_DIR/azuread_$(date +%Y%m%d_%H%M%S).json"

# Collect Azure Resource data
echo "Collecting Azure Resource data..."
./azurehound list subscriptions,resource-groups,virtual-machines,key-vaults \
    --client-id $CLIENT_ID \
    --client-secret $CLIENT_SECRET \
    --tenant-id $TENANT_ID \
    --threads 2 \
    --delay 3000 \
    -o "$OUTPUT_DIR/azure_resources_$(date +%Y%m%d_%H%M%S).json"

echo "Collection completed. Files saved to $OUTPUT_DIR"
```### Automazione PowerShell
```powershell
# PowerShell automation script
param(
    [string]$TenantId,
    [string]$ClientId,
    [string]$ClientSecret,
    [string]$OutputPath = ".\azurehound_output"
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force

# Define collection types
$collections = @(
    @\\\\{Name = "users"; Types = "users,groups,roles"\\\\},
    @\\\\{Name = "applications"; Types = "applications,service-principals"\\\\},
    @\\\\{Name = "devices"; Types = "devices,conditional-access-policies"\\\\},
    @\\\\{Name = "resources"; Types = "subscriptions,resource-groups,virtual-machines"\\\\}
)

# Perform collections
foreach ($collection in $collections) \\\\{
    $outputFile = Join-Path $OutputPath "$($collection.Name)_$(Get-Date -Format 'yyyyMMdd_HHmmss').json"

    Write-Host "Collecting $($collection.Name) data..."

    & .\azurehound.exe list $collection.Types `
        --client-id $ClientId `
        --client-secret $ClientSecret `
        --tenant-id $TenantId `
        --threads 2 `
        --delay 2000 `
        -o $outputFile

    Start-Sleep -Seconds 30
\\\\}

Write-Host "Collection completed. Files saved to $OutputPath"
```## Risoluzione dei Problemi

### Problemi di Autenticazione
```bash
# Test authentication
./azurehound auth test --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

# Debug authentication
./azurehound list users --debug --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID

# Check token validity
./azurehound auth token --client-id $CLIENT_ID --client-secret $CLIENT_SECRET --tenant-id $TENANT_ID
```### Problemi di Permessi
```bash
# Check required permissions
./azurehound permissions check --client-id $CLIENT_ID --tenant-id $TENANT_ID

# List current permissions
./azurehound permissions list --client-id $CLIENT_ID --tenant-id $TENANT_ID

# Test specific permission
./azurehound permissions test --permission "User.Read.All" --client-id $CLIENT_ID --tenant-id $TENANT_ID
```### Problemi di Rate Limiting
```bash
# Handle rate limiting
./azurehound list all --retry-count 10 --retry-delay 60 --threads 1

# Monitor rate limit headers
./azurehound list users --debug|grep -i "rate\|limit\|throttle"

# Use exponential backoff
./azurehound list all --backoff-strategy exponential --max-delay 300
```### Problemi di Raccolta Dati
```bash
# Validate output
jq empty azure_data.json && echo "Valid JSON"||echo "Invalid JSON"

# Check data completeness
jq '.data|group_by(.kind)|map(\\\\{kind: .[0].kind, count: length\\\\})' azure_data.json

# Verify specific data types
jq '.data[]|select(.kind == "AZUser")|length' azure_data.json
```## Integrazione con Altri Strumenti

### Integrazione con ROADtools
```bash
# Convert AzureHound data for ROADtools
jq '.data[]|select(.kind == "AZUser")' azure_data.json > users_for_roadtools.json

# Use with ROADtools database
roadrecon import --file azure_data.json
roadrecon gui
```### Integrazione con AADInternals
```powershell
# Use AzureHound data with AADInternals
$azureHoundData = Get-Content -Path "azure_data.json"|ConvertFrom-Json

# Extract user information for AADInternals
$users = $azureHoundData.data|Where-Object \\\\{$_.kind -eq "AZUser"\\\\}
foreach ($user in $users) \\\\{
    # Use AADInternals to get additional information
    $additionalInfo = Get-AADIntUser -AccessToken $accessToken -UserPrincipalName $user.properties.userPrincipalName
\\\\}
```### Integrazione con Strumenti Personalizzati
```python
# Python integration example
import json
import requests

def process_azurehound_data(file_path):
    with open(file_path, 'r') as f:
        data = json.load(f)

    # Process users
    users = [item for item in data['data'] if item['kind'] == 'AZUser']

    # Process groups
    groups = [item for item in data['data'] if item['kind'] == 'AZGroup']

    # Process applications
    apps = [item for item in data['data'] if item['kind'] == 'AZApp']

    return \\\\{
        'users': users,
        'groups': groups,
        'applications': apps
    \\\\}

# Usage
processed_data = process_azurehound_data('azure_data.json')
```## Risorse

- [Repository GitHub di AzureHound](https://github.com/BloodHoundAD/AzureHound)
- [Documentazione di BloodHound](https://bloodhound.readthedocs.io/)
- [Blog di SpecterOps](https://posts.specterops.io/)
- [Attacco e Difesa di Azure AD](https://cloudbrothers.info/en/azure-attack-defense/)
- [Edizione Community di BloodHound](https://github.com/SpecterOps/BloodHound)

---

*Questa guida di riferimento fornisce un'analisi completa per l'utilizzo di AzureHound. Assicurati sempre di avere l'autorizzazione prima di effettuare valutazioni di sicurezza di Azure AD.*