azurehound
Bloodhound for azure, graph theory bla bla bla
Ingestor:
azurehound -r "<refreshtoken>" list --tenant "domain.com" -o out.json
or
azurehound -j "<accesstoken>" list --tenant "domain.com" -o out.json
or
azurehound -u "<username>" -p "<password>" list --tenant "domain.com" -o out.json
Cyphers
identify and return all relationships involving Azure Service Principals
MATCH p = (g:AZServicePrincipal)-[r]->(n) RETURN p
display shortest path to managed identity
MATCH (u:AZUser), (m:AZServicePrincipal {serviceprincipaltype: 'ManagedIdentity'}) MATCH p = shortestPath((u)-[*..]->(m)) RETURN p
BloodHound blind spots
Azure role assignments that have been assigned at a subscription, management group, resource group, or individual resource level. Role memberships are not supported if scoped to an administrative unit. You CAN see these with the az CLI, PowerShell Az, or the Graph API.
https://github.com/SpecterOps/BloodHound-Legacy/issues/677
^^ or use ROADRecon (still won't show admin roles scoped to an admin unit)
Work around this with shell:
List administrative units
Get-MgDirectoryAdministrativeUnit | fl
List scoped role members
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId <ObjectID> | Select-Object roleMemberInfo, roleId -ExpandProperty roleMemberInfo
Grab the object id and run
Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId <ObjectID> | fl
Next? role_abuse
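The per-unit lookup above, looped over every administrative unit so the AU-scoped role assignments missing from the BloodHound graph can be reviewed in one table. This is an added example, not part of the original notes; it assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account can consent to the read scopes shown, and the CSV file name is a placeholder.

```powershell
# Added example: audit every administrative unit for scoped role assignments.
# Assumes the Microsoft.Graph PowerShell SDK; read-only scopes are requested.
Connect-MgGraph -Scopes 'AdministrativeUnit.Read.All', 'RoleManagement.Read.Directory'

# A scoped membership only carries a roleId (the directoryRole object id),
# so build a lookup table from role id to display name first.
$roleNames = @{}
Get-MgDirectoryRole | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

$report = foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
    Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All |
        ForEach-Object {
            [pscustomobject]@{
                AdministrativeUnit   = $au.DisplayName
                AdministrativeUnitId = $au.Id
                # Fall back to the raw id if the role was not in the lookup table.
                Role                 = if ($roleNames.ContainsKey($_.RoleId)) { $roleNames[$_.RoleId] } else { $_.RoleId }
                MemberName           = $_.RoleMemberInfo.DisplayName
                MemberId             = $_.RoleMemberInfo.Id
            }
        }
}

# One row per (administrative unit, role, member); units with no scoped roles produce no rows.
$report | Sort-Object AdministrativeUnit, Role | Format-Table -AutoSize

# Placeholder output path; keep the CSV next to the BloodHound data for cross-reference.
$report | Export-Csv -Path .\au-scoped-roles.csv -NoTypeInformation
```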
ROADRecon
pipx install roadrecon
ROADRecon has a million auth methods:
roadrecon auth -h
OPSEC
ROADRecon lets you specify a UA with --user-agent to easily match a target environment
Gather info
roadrecon gather --user-agent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.3'
Access UI
http://127.0.0.1:5000