BlueMap: An Interactive Exploitation Toolkit for Azure

by do son · Published December 8, 2022 · Updated December 8, 2022

BlueMap

The BlueMap is an interactive tool for identifying IAM misconfigurations, information gathering, abuse of managed identities, detection of user permissions, and much more. All are in interactive mode without ANY third-party dependencies (such as AzModule or Azure Powershell), so the tool leaves a minimum footprint on your customer’s network.

BlueMap helps penetration testers and red teamers to perform Azure auditing, discovery & enumeration, and exploitation in interactive mode that saves complex opsec and overhead that usually exists in Azure penetration testing engagements.

Features

Automatic generation tokens via Az Module (only if installed on the target machine) and token parser
Support automatic exploitation for Reading Vaults Secrets, Misconfigured Service Principal, Elevate Access, and utilities to support attack paths for Reader/Global Reader, Contributor, and Global Admin.
Built-in interactive mode for most of the exploits (aka “models” or “techniques”)
Integrated Permissions and Privileges analysis aims the detection of shadow admins and shadow permissions during the engagement
Minimal footprint on the network as there are no third-party dependencies of PowerShell modules (except the Automatic generation tokens feature)
Support data gathering capabilities in different modules via Runbook, App Service Deployments, ARM templates, Users, and more.

BlueMap uses two diffrent interfaces:

Non-Interactive
Interactive Mode

The Non-Interactive mode is used for token manipulation and user context evaluation (i.e. whoami commands), and it also refers to the auto-exploit method. Therefore no user interaction is required, and the exploitation is done behind the scenes. However, the interactive way is mainly for running different exploits. In contrast, some exploits execute automatically, while others may ask for future details about the target (i.e. which resource the exploit should run?).

List of the available exploits:

TYPE	Level	EXPLOIT	MODE
Information Gathering	Reader,Global Reader	Reader/ListAllUsers	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ExposedAppServiceApps	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListAllAzureContainerRegistry	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListAutomationAccounts	Non-Interactive
Discovery	Reader,Global Reader	Reader/DumpAllRunBooks	Interactive
Information Gathering	Reader,Global Reader	Reader/ListAllRunBooks	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListAllVaults	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListAppServiceSites	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListVirtualMachines	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListAllStorageAccounts	Non-Interactive
Discovery	Reader,Global Reader	Reader/ARMTemplatesDisclosure	Non-Interactive
Information Gathering	Reader,Global Reader	Reader/ListServicePrincipal	Non-Interactive
Discovery	Reader,Global Reader	Reader/abuseServicePrincipals	Interactive
Information Gathering	Contributor	Contributor/ListACRCredentials	Non-Interactive
Discovery	Contributor	Contributor/ReadVaultSecret	Interactive
RCE	Contributor	Contributor/RunCommandVM	Interactive
Lateral Movement	Contributor	Contributor/VMExtensionResetPwd	Interactive
RCE	Contributor	Contributor/VMExtensionExecution	Interactive
Information Gathering	Contributor	Contributor/VMDiskExport	Interactive
Discovery	Contributor	Contributor/DumpWebAppPublishProfile	Non-Interactive
Lateral Movement	GlobalAdministrator	GlobalAdministrator/elevateAccess	Interactive

Intrusive Actions

While most BlueMap has no third-party dependencies, some exploits might be noisy in the network as they perform actions such as opening/reading/modifying local files. Also, the auto-generation token method (Token/GenToken) uses an underlying Az Model, which may lead to flagging the tool.

List of the available intrusive commands: