*Test at your own risk
1. In an Az PowerShell module-authenticated PowerShell session on your machine, download PowerZure using the following commands:
PS C:\> cd C:\Users\$env:USERNAME
PS C:\> git clone https://github.com/hausec/PowerZure.git
3. If you installed the Azure AD module, open a new PowerShell session and use the following commands to re-import PowerZure into the PowerShell console.
PS C:\> cd C:\Users\$env:USERNAME\PowerZure
PS C:\> Import-Module .\PowerZure.ps1
After the module is imported, it lists your current role (Reader) and the subscriptions available to you. This is useful reconnaissance information.
- AADRoles: Shows the role that the current user is assigned in Azure AD.
- AzureRoles: Shows the Azure RBAC role assignments and scopes for the user.
- Available Subscriptions: Shows the subscriptions on which the user has some level of permission. This information is useful to see whether there are opportunities to move laterally to other subscriptions using this user account.
5. Part of enumerating the attack surface area is determining the actual access that a credential has and its level of access (read/write/execute). PowerZure has a function called Get-AzureTargets that we can use for this purpose. This function compares the user's role to the Azure scope it is assigned at to make this determination. You can run the function using the following command.
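The same role-versus-scope check can be done with plain Az cmdlets, which is useful when reviewing what a given account can actually reach without installing a third-party module. This is an added example, not PowerZure's own code; it assumes Az.Accounts and Az.Resources are installed and that Connect-AzAccount has already been run. The read-only/read/write label is a heuristic based on the role definition's Actions and DataActions (anything not ending in /read counts as write), and NotActions are ignored.

```powershell
# Added example (not part of PowerZure): access review of the signed-in account.
# For every subscription the account can see, list its RBAC assignments
# (direct and via group membership) and label each as read-only or read/write.
$ctx = Get-AzContext
if (-not $ctx) { throw "No Az session; run Connect-AzAccount first." }
$signIn = $ctx.Account.Id

$results = foreach ($sub in Get-AzSubscription) {
    # Switch context so role lookups are evaluated against this subscription.
    Set-AzContext -Subscription $sub.Id | Out-Null

    # -ExpandPrincipalGroups also returns assignments inherited through group
    # membership; this needs directory read permission and may be empty otherwise.
    $assignments = Get-AzRoleAssignment -SignInName $signIn -ExpandPrincipalGroups

    foreach ($a in $assignments) {
        $def = Get-AzRoleDefinition -Name $a.RoleDefinitionName
        # Heuristic: any permitted action that is not a */read action means the
        # credential can change something at that scope (e.g. "*", ".../write",
        # "Microsoft.Foo/*"). Built-in Reader only has "*/read", so it stays read-only.
        $writeActions = @($def.Actions + $def.DataActions) |
            Where-Object { $_ -and ($_ -notlike '*/read') }

        [pscustomobject]@{
            Subscription = $sub.Name
            Role         = $a.RoleDefinitionName
            Scope        = $a.Scope
            Level        = if ($writeActions) { 'read/write' } else { 'read-only' }
        }
    }
}

# Restore the context the session started with, then show the review.
Set-AzContext -Subscription $ctx.Subscription.Id | Out-Null
$results | Sort-Object Subscription, Scope | Format-Table -AutoSize
```

Assignments whose Scope is the subscription itself (/subscriptions/<id>) apply to every resource in it; a resource-group or resource scope narrows what that role actually grants.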
While the Get-AzTargets function of PowerZure is a great way to understand the scope of access that a user has, and the resources that they have access to, MicroBurst also collects this information into flat files for the review of an entire subscription. Each tool has its own benefits, and different situations will call for different tools.