AzureRT: Powershell module implementing various Azure Red Team tactics
AzureRT
Powershell module implementing various cmdlets to interact with Azure and Azure AD from an offensive perspective.
It provides helpful utilities for access token-based authentication, for switching between the Az, AzureAD and az cli interfaces, easy-to-use pre-made attacks such as Runbook-based command execution, and more.
Use Cases
Cmdlets implemented in this module have proven helpful in the following use and attack scenarios:
- Juggling with access tokens from Az to AzureAD and back again.
- Nicely printing the authentication context (aka whoami) in Az, AzureAD, Microsoft.Graph and az cli at the same time.
- Displaying available permissions granted to the user on a target Azure VM.
- Displaying accessible Azure Resources along with the permissions we have against them.
- Easily reading all accessible Azure Key Vault secrets.
- Authenticating as a Service Principal to leverage the Privileged Role Administrator role assigned to that Service Principal.
- Executing an attack against Azure Automation via a malicious Runbook.
Batteries Included
The module will gradually receive further tools and utilities, categorised by kill chain phase.
Every cmdlet has a help message detailing parameters, description, and example usage:
```
PS C:\> Get-Help Connect-ART
```
Currently, the following utilities are included:
Authentication & Token mechanics
- `Get-ARTWhoami` – Displays and validates our authentication context on the `Azure`, `AzureAD`, `Microsoft.Graph` and `AZ CLI` interfaces.
- `Connect-ART` – Invokes `Connect-AzAccount` to authenticate the current session to the Azure Portal via a provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting those from the provided Token.
- `Connect-ARTAD` – Invokes `Connect-AzureAD` (and optionally `Connect-MgGraph`) to authenticate the current session to Azure Active Directory via a provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting those from the provided Token.
- `Connect-ARTADServicePrincipal` – Invokes `Connect-AzAccount` to authenticate the current session to the Azure Portal via a provided Access Token or credentials. Skips the burden of providing Tenant ID and Account ID by automatically extracting those from the provided Token. Then it creates a self-signed PFX certificate and associates it with the Service Principal for authentication. Afterwards, it authenticates as that Service Principal to AzureAD and disassociates that certificate to clean up.
- `Get-ARTAccessTokenAzCli` – Acquires an access token from az cli, via `az account get-access-token`.
- `Get-ARTAccessTokenAz` – Acquires an access token from the Az module, via `Get-AzAccessToken`.
- `Get-ARTAccessTokenAzureAD` – Gets an access token from Azure Active Directory. Authored by Simon Wahlin, @SimonWahlin.
- `Get-ARTAccessTokenAzureADCached` – Attempts to retrieve the locally cached AzureAD access token (https://graph.microsoft.com), stored after `Connect-AzureAD` occurred.
- `Remove-ARTServicePrincipalKey` – Performs cleanup actions after running `Connect-ARTADServicePrincipal`.
Recon & Situational Awareness
- `Get-ARTAccess` – Performs Azure Situational Awareness.
- `Get-ARTADAccess` – Performs Azure AD Situational Awareness.
- `Get-ARTTenants` – Lists Tenants available for the currently authenticated user (or the one based on the supplied Access Token).
- `Get-ARTDangerousPermissions` – Analyzes accessible Azure Resources and the permissions the user has on them to find all the dangerous ones that could be abused by an attacker.
- `Get-ARTResource` – Authenticates to https://management.azure.com using the provided Access Token and pulls accessible resources and the permissions the token owner has against them.
- `Get-ARTRoleAssignment` – Displays an easier-to-read representation of the Azure RBAC roles assigned to the currently used Principal.
- `Get-ARTADRoleAssignment` – Displays Azure AD Role assignments on the current user or on all Azure AD users.
- `Get-ARTADScopedRoleAssignment` – Displays Azure AD Scoped Role assignments on the current user or on all Azure AD users, associated with Administrative Units.
- `Get-ARTRolePermissions` – Displays all granted permissions on a specified Azure RBAC role.
- `Get-ARTADRolePermissions` – Displays all granted permissions on a specified Azure AD role.
- `Get-ARTADDynamicGroups` – Displays Azure AD Dynamic Groups along with their user Membership Rules, member count and the current user's membership status.
- `Get-ARTApplication` – Lists Azure AD Enterprise Applications that the current user is an owner of (or all existing ones when `-All` is used) along with their owners and Service Principals.
- `Get-ARTApplicationProxy` – Lists Azure AD Enterprise Applications that have Application Proxy set up.
- `Get-ARTApplicationProxyPrincipals` – Displays users and groups assigned to the specified Application Proxy application.
- `Get-ARTStorageAccountKeys` – Displays all the available Storage Account keys.
- `Get-ARTKeyVaultSecrets` – Lists all available Azure Key Vault secrets. This cmdlet assumes that the requesting user connected to Azure AD with a KeyVaultAccessToken (scoped to https://vault.azure.net) and has the “Key Vault Secrets User” role assigned (or equivalent).
- `Get-ARTAutomationCredentials` – Lists all available Azure Automation Account credentials and attempts to pull their values (unable to pull values!).
- `Get-ARTAutomationRunbookCode` – Invokes a REST API method to pull the specified Runbook’s source code.
- `Get-ARTAzVMPublicIP` – Retrieves an Azure VM’s Public IP address.
- `Get-ARTResourceGroupDeploymentTemplate` – Displays the Resource Group Deployment Template JSON based on input parameters, or pulls all of them at once.
- `Get-ARTAzVMUserDataFromInside` – Retrieves Azure VM User Data from inside a VM by reaching the Instance Metadata endpoint.
Privilege Escalation
- `Add-ARTADGuestUser` – Sends an Azure AD Guest user invitation e-mail, allowing an external attacker to expand access to the AAD tenant, and returns the Invite Redeem URL used to easily accept the invitation.
- `Set-ARTADUserPassword` – Abuses the `Authentication Administrator` Role Assignment to reset other non-admin users’ passwords.
- `Add-ARTUserToGroup` – Adds a specified Azure AD User to the specified Azure AD Group.
- `Add-ARTUserToRole` – Adds a specified Azure AD User to the specified Azure AD Role.
- `Add-ARTADAppSecret` – Adds a client secret to Azure AD Applications. Authored by Nikhil Mittal, @nikhil_mitt.
Lateral Movement
- `Invoke-ARTAutomationRunbook` – Creates an Automation Runbook under the specified Automation Account and against the selected Worker Group. That Runbook will contain Powershell commands to be executed on all the affected Azure VMs.
- `Invoke-ARTRunCommand` – Abuses the `virtualMachines/runCommand` permission against a specified Azure VM to run a custom Powershell command.
- `Update-ARTAzVMUserData` – Modifies the Azure VM User Data script through a direct API invocation.
- `Invoke-ARTCustomScriptExtension` – Creates a new, or modifies an existing, Azure VM Custom Script Extension, leading to remote code execution.
Misc
- `Get-ARTTenantID` – Retrieves the current user’s Tenant ID, or the Tenant ID based on the Domain name supplied.
- `Get-ARTPRTToken` – Retrieves the current user’s PRT (Primary Refresh Token) value using Dirk-Jan Mollema’s ROADtoken.
- `Get-ARTPRTNonce` – Retrieves the current user’s PRT (Primary Refresh Token) nonce value.
- `Get-ARTUserId` – Acquires the current user, or the user specified in the ObjectId parameter, via the `Az` module.
- `Get-ARTSubscriptionId` – Helper that collects the current Subscription ID.
- `Parse-JWTtokenRT` – Parses an input JWT token and prints it out nicely.
- `Invoke-ARTGETRequest` – Takes an Access Token and invokes a GET REST method API request against a specified URI. It also verifies whether the provided token has the required audience set.
- `Import-ARTModules` – Installs & imports required & optional Powershell modules for Azure Red Team activities.
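The token handling that `Connect-ART` (deriving Tenant ID and Account ID from the token's claims) and `Invoke-ARTGETRequest` (checking the audience before use) describe above, as an added PowerShell example that is not AzureRT's own code: the function names are mine, the sample token is a constructed placeholder with `alg: none`, placeholder GUIDs and a dummy signature, and the code only decodes the payload without verifying any signature.

```powershell
# Added example, not AzureRT code. Decodes a JWT payload to recover the claims a
# Connect-ART-style cmdlet derives (tid, oid/upn) and the aud claim a request helper checks.
# Decode-only: the signature is NOT verified here.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature)' }
    # base64url -> base64: restore the standard alphabet and the stripped padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Malformed base64url payload' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Get-JwtAuthContext {
    # Hypothetical helper: the fields taken from the token instead of asked from the caller,
    # plus the audience and expiry checks a request helper should make before using it.
    param([Parameter(Mandatory)][string]$Token, [string]$RequiredAudience)
    $c = ConvertFrom-JwtPayload -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$c.exp)
    # Users carry a upn claim; service principals only an oid
    $account = if ($c.upn) { $c.upn } else { $c.oid }
    [pscustomobject]@{
        TenantId   = $c.tid
        AccountId  = $account
        Audience   = @($c.aud)          # aud can be a string or an array
        AudienceOk = (-not $RequiredAudience) -or (@($c.aud) -contains $RequiredAudience)
        Expired    = $expires -lt [DateTimeOffset]::UtcNow
        ExpiresUtc = $expires.UtcDateTime
    }
}

# Constructed sample token: placeholder GUIDs, alg "none", dummy signature, so it runs offline.
$hdr = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}'))
$pl  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(
    '{"aud":"https://management.azure.com","tid":"00000000-0000-0000-0000-000000000001",' +
    '"oid":"00000000-0000-0000-0000-000000000002","upn":"user@example.com","exp":1700000000}'))
$sampleToken = "$hdr.$pl.sig"
# Audience matches the ARM endpoint; the same token checked against Graph fails AudienceOk
Get-JwtAuthContext -Token $sampleToken -RequiredAudience 'https://management.azure.com'
Get-JwtAuthContext -Token $sampleToken -RequiredAudience 'https://graph.microsoft.com'
```

The audience mismatch in the second call is the situation `Invoke-ARTGETRequest` guards against: a Graph-scoped token presented to https://management.azure.com (or vice versa) is rejected by the API, so checking `aud` locally first saves a confusing 401.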