Update az-file-shares.md

2025-12-05 20:40:18 -08:00 · 2024-12-13 01:34:19 +01:00
parent b860fa520c
commit 08bb01e093
1 changed files with 31 additions and 0 deletions
--- a/pentesting-cloud/azure-security/az-services/az-file-shares.md
+++ b/pentesting-cloud/azure-security/az-services/az-file-shares.md
@@ -43,6 +43,9 @@ Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2) (1).p

 ## Enumeration

+
+{% tabs %}
+{% tab title="az cli" %}
 {% code overflow="wrap" %}
 ```bash
 # Get storage accounts
@@ -50,6 +53,7 @@ az storage account list #Get the account name from here

 # List file shares
 az storage share list --account-name <name>
+az storage share-rm list --storage-account <name> # To see the deleted ones too --include-deleted
 # Get dirs/files inside the share
 az storage file list --account-name <name> --share-name <share-name>
 ## If type is "dir", you can continue enumerating files inside of it
@@ -65,6 +69,33 @@ az storage file list --account-name <name> --share-name <share-name> --snapshot
 az storage file download-batch -d . --account-name <name> --source <share-name> --snapshot <snapshot-version>
 ```
 {% endcode %}
+{% endtab %}
+
+{% tab title="Az PowerShell" %}
+{% code overflow="wrap" %}
+```powershell
+Get-AzStorageAccount
+
+# List File Shares
+Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>").Context
+
+# Get Directories/Files Inside the Share
+Get-AzStorageFile -ShareName "<share-name>" -Context (Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>").Context
+Get-AzStorageFile -ShareName "<share-name>" -Path "<share-directory-path>" -Context (Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>").Context
+
+# Download a Complete Share
+Get-AzStorageFileContent -ShareName "<share-name>" -Destination "C:\Download" -Path "<share-directory-path>" -Context (Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>").Context
+
+# Get Snapshots/Backups
+Get-AzStorageShare -Context (Get-AzStorageAccount -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>").Context | Where-Object { $_.SnapshotTime -ne $null }
+
+# List Contents of a Snapshot/Backup
+Get-AzStorageFile -ShareName "<share-name>" -Context (New-AzStorageContext -StorageAccountName "<storage-account-name>" -StorageAccountKey (Get-AzStorageAccountKey -ResourceGroupName "<resource-group-name>" -Name "<storage-account-name>" | Select-Object -ExpandProperty Value) -SnapshotTime "<snapshot-version>")
+
+```
+{% endcode %}
+{% endtab %}
+{% endtabs %}

 {% hint style="info" %}
 By default `az` cli will use an account key to sign a key and perform the action. To use the Entra ID principal privileges use the parameters `--auth-mode login --enable-file-backup-request-intent`.