/Awesome-Azure-Pentest

A collection of resources, tools and more for penetration testing and securing Microsofts cloud platform Azure.

GNU General Public License v3.0GPL-3.0

Awesome Azure Penetration Testing

A curated list of useful tools and resources for penetration testing and securing Microsofts cloud platform Azure.

Table of Contents

Tools

Enumeration

  • o365creeper - Enumerate valid email addresses
  • CloudBrute - Tool to find a cloud infrastructure of a company on top Cloud providers
  • cloud_enum - Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud
  • Azucar - Security auditing tool for Azure environments
  • CrowdStrike Reporting Tool for Azure (CRT) - Query Azure AD/O365 tenants for hard to find permissions and configuration settings
  • ScoutSuite - Multi-cloud security auditing tool. Security posture assessment of different cloud environments.
  • BlobHunter - A tool for scanning Azure blob storage accounts for publicly opened blobs
  • Grayhat Warfare - Open Azure blobs and AWS bucket search
  • Office 365 User Enumeration - Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover v1 or office.com login page
  • CloudFox - Automating situational awareness for cloud penetration tests
  • Monkey365 - Conduct Microsoft 365, Azure subscriptions and Azure Active Directory security configuration reviews
  • Azure-AccessPermissions - PowerShell script to enumerate access permissions in an Azure AD environment
  • Prowler - Perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness

Information Gathering

  • o365recon - Information gathering with valid credentials to Azure
  • Get-MsolRolesAndMembers.ps1 - Retrieve list of roles and associated role members
  • ROADtools - Framework to interact with Azure AD
  • PowerZure - PowerShell framework to assess Azure security
  • Azurite - Enumeration and reconnaissance activities in the Microsoft Azure Cloud
  • Sparrow.ps1 - Helps to detect possible compromised accounts and applications in the Azure/M365 environment
  • Hawk - Powershell based tool for gathering information related to O365 intrusions and potential breaches
  • Microsoft Azure AD Assessment - Tooling for assessing an Azure AD tenant state and configuration
  • Cloud Katana - Unlocking Serverless Computing to Assess Security Controls
  • SCuBA M365 Security Baseline Assessment Tool - Automation to assess the state of your M365 tenant against CISA's baselines

Lateral Movement

  • Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects
  • AzureADLateralMovement - Lateral Movement graph for Azure Active Directory
  • SkyArk - Discover, assess and secure the most privileged entities in Azure and AWS
  • omigood (OM I GOOD?) - Scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities

Exploitation

  • MicroBurst - A collection of scripts for assessing Microsoft Azure security
  • azuread_decrypt_msol_v2.ps1 - Decrypt Azure AD MSOL service account
  • Microsoft-Teams-GIFShell - Microsoft Teams can be leveraged by an attacker, to execute a reverse shell between an attacker and victim piped through malicious GIFs sent in Teams messages

Credential Attacks

  • MSOLSpray - A password spraying tool for Microsoft Online accounts (Azure/O365)
  • MSOLSpray.py - A Python version of the MSOLSpray password spraying tool for Microsoft Online accounts (Azure/O365)
  • o365spray - Username enumeration and password spraying tool aimed at Microsoft O365
  • MFASweep - A tool for checking if MFA is enabled on multiple Microsoft Services Resources
  • adconnectdump - Dump Azure AD Connect credentials for Azure AD and Active Directory

Resources

Articles

Lists and Cheat Sheets

Lab Exercises

Talks and Videos

Books

Tips and Tricks

  • Replace COMPANYNAME with the company name of your choice to check if they use Azure. If the NameSpaceType indicates "Managed", then the company is using Azure AD:
https://login.microsoftonline.com/getuserrealm.srf?login=username@COMPANYNAME.onmicrosoft.com&xml=1