gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-29 14:13:20 -08:00
Code Issues Packages Projects Releases Wiki Activity

Y

Browse Source
This commit is contained in:
Jimmy
2025-02-10 12:22:24 +01:00
parent 3f01e5e4fa
commit 3757efbd43
34 changed files with 238 additions and 387 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md
View File

@@ -10,7 +10,7 @@ For more information about storage check:
../az-services/az-storage.md
{{#endref}}
### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read
### `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read`
A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**.
@@ -26,7 +26,7 @@ az storage blob download \
-n file.txt --auth-mode login
```
### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write
### `Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write`
A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob):

55
src/pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md
View File

@@ -5,27 +5,24 @@
## CosmosDB Post Exploitation
For more information about SQL Database check:
{% content-ref url="../az-services/az-cosmosDB.md" %}
[az-cosmosDB.md](../az-services/az-cosmosDB.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-cosmosDB.md
{{#endref}}
### "Microsoft.DocumentDB/databaseAccounts/read" && "Microsoft.DocumentDB/databaseAccounts/write"
### `Microsoft.DocumentDB/databaseAccounts/read` && `Microsoft.DocumentDB/databaseAccounts/write`
With this permission, you can create or update Azure Cosmos DB accounts. This includes modifying account-level settings, adding or removing regions, changing consistency levels, and enabling or disabling features like multi-region writes.
{% code overflow="wrap" %}
```bash
az cosmosdb update \
--name <account_name> \
--resource-group <resource_group_name> \
--public-network-access ENABLED
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write`
With this permission, you can create or modify containers (collections) within a SQL database of an Azure Cosmos DB account. Containers are used to store data, and changes to them can impact the database's structure and access patterns.
{% code overflow="wrap" %}
```bash
# Create
az cosmosdb sql container create \
@@ -43,25 +40,21 @@ az cosmosdb sql container update \
--name <container_name> \
--ttl 3600
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read`
With this permission, you can create or modify SQL databases within an Azure Cosmos DB account. This allows for managing the database structure and adding new databases to the account. While this permission enables database creation, improper or unauthorized use could result in unnecessary resource consumption, increased costs, or operational inefficiencies.
{% code overflow="wrap" %}
```bash
az cosmosdb sql database create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--name <database_name>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action"
### `Microsoft.DocumentDB/databaseAccounts/failoverPriorityChange/action`
With this permission, you can change the failover priority of regions for an Azure Cosmos DB database account. This action determines the order in which regions become primary during a failover event. Improper use of this permission can disrupt the high availability of the database or lead to unintended operational impacts.
{% code overflow="wrap" %}
```bash
az cosmosdb failover-priority-change \
--name <database_account_name> \
@@ -69,12 +62,10 @@ az cosmosdb failover-priority-change \
--failover-policies <region1=priority1> <region2=priority2>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action"
### `Microsoft.DocumentDB/databaseAccounts/regenerateKey/action`
With this permission, you can regenerate the primary or secondary keys for an Azure Cosmos DB account. This is typically used to enhance security by replacing old keys, but it can disrupt access for services or applications that rely on the current keys.
{% code overflow="wrap" %}
```bash
az cosmosdb keys regenerate \
--name <account_name> \
@@ -82,13 +73,11 @@ az cosmosdb keys regenerate \
--key-kind <primary|secondary>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read`
With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations.
{% code overflow="wrap" %}
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
@@ -100,12 +89,10 @@ az cosmosdb sql trigger create \
--type Pre \
--operation All
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read`
With this permission, you can create or modify stored procedures within a container of a SQL database in an Azure Cosmos DB account. Stored procedures in Cosmos DB are server-side JavaScript functions that allow you to encapsulate logic for processing data or performing operations directly within the database.
{% code overflow="wrap" %}
```bash
az cosmosdb sql stored-procedure create \
--account-name <account_name> \
@@ -115,12 +102,10 @@ az cosmosdb sql stored-procedure create \
--name <stored_procedure_name> \
--body 'function sample() { return "Hello, Cosmos!"; }'
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write" && "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read"
### `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write` && `Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read`
With this permission, you can create or modify triggers within a container of a SQL database in an Azure Cosmos DB account. Triggers allow you to execute server-side logic in response to operations like inserts, updates, or deletes.
{% code overflow="wrap" %}
```bash
az cosmosdb sql trigger create \
--account-name <account_name> \
@@ -132,12 +117,10 @@ az cosmosdb sql trigger create \
--type Pre \
--operation All
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write"
### `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read` && `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write`
With this permission, you can create or modify collections within MongoDB databases in an Azure Cosmos DB account. Collections are used to store documents and define the structure and partitioning for data.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb collection create \
--account-name <account_name> \
@@ -145,24 +128,20 @@ az cosmosdb mongodb collection create \
--database-name <mongodb_database_name> \
--name <collection_name>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read"
### `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read`
With this permission, you can create new MongoDB databases within an Azure Cosmos DB account. This allows for provisioning new databases to store and manage collections and documents.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb database create \
--account-name <account_name> \
--resource-group <resource_group_name> \
--name <database_name>
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read"
### `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/read`
With this permission, you can create new MongoDB role definitions within an Azure Cosmos DB account. This allows defining custom roles with specific permissions for MongoDB users.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb role definition create \
--account-name <account_name> \
@@ -188,11 +167,10 @@ az cosmosdb mongodb role definition create \
"Roles": []
}'
```
{% endcode %}
### "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write" && "Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read"
### `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write` && `Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/read`
With this permission, you can create new MongoDB user definitions within an Azure Cosmos DB account. This allows the provisioning of users with specific roles and access levels to MongoDB databases.
{% code overflow="wrap" %}
```bash
az cosmosdb mongodb user definition create \
--account-name <account_name> \
@@ -212,7 +190,6 @@ az cosmosdb mongodb user definition create \
]
}'
```
{% endcode %}
{{#include ../../../banners/hacktricks-training.md}}

4
src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md
View File

@@ -10,7 +10,7 @@ For more information about file shares check:
../az-services/az-file-shares.md
{{#endref}}
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read`
A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**.
@@ -30,7 +30,7 @@ az storage file download \
--auth-mode login --enable-file-backup-request-intent
```
### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action
### `Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write`, `Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action`
A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share):

42
src/pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md
View File

@@ -5,14 +5,13 @@
## Logic Apps Database Post Exploitation
For more information about logic apps check:
{% content-ref url="../az-services/az-logic-apps.md" %}
[az-logic-apps.md](../az-services/az-logic-apps.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-logic-apps.md
{{#endref}}
### "Microsoft.Logic/workflows/read", "Microsoft.Logic/workflows/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
### `Microsoft.Logic/workflows/read`, `Microsoft.Logic/workflows/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With these permissions, you can modify Logic App workflows and manage their identities. Specifically, you can assign or remove system-assigned and user-assigned managed identities to workflows, which allows the Logic App to authenticate and access other Azure resources without explicit credentials.
{% code overflow="wrap" %}
```bash
az logic workflow identity remove/assign \
--name <workflow_name> \
@@ -20,49 +19,41 @@ az logic workflow identity remove/assign \
--system-assigned true \
--user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"
```
{% endcode %}
### "Microsoft.Web/sites/read", "Microsoft.Web/sites/write"
### `Microsoft.Web/sites/read`, `Microsoft.Web/sites/write`
With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.
{% code overflow="wrap" %}
```bash
az logicapp update \
--resource-group <resource_group_name> \
--name <logic_app_name> \
--set httpsOnly=false
```
{% endcode %}
### "Microsoft.Web/sites/stop/action", "Microsoft.Web/sites/start/action" || "Microsoft.Web/sites/restart/action"
### `Microsoft.Web/sites/stop/action`, `Microsoft.Web/sites/start/action` || `Microsoft.Web/sites/restart/action`
With this permission, you can start/stop/restart a web app, including Logic Apps hosted on an App Service Plan. This action ensures that a previously stopped app is brought online and resumes its functionality. This can disrupt workflows, trigger unintended operations, or cause downtime by starting, stopping, or restarting Logic Apps unexpectedly.
{% code overflow="wrap" %}
```bash
az webapp start/stop/restart \
--name <logic_app_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.Web/sites/config/list/action", "Microsoft.Web/sites/read" && "Microsoft.Web/sites/config/write"
### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/read` && `Microsoft.Web/sites/config/write`
With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.
{% code overflow="wrap" %}
```bash
az logicapp config appsettings set \
--name <logic_app_name> \
--resource-group <resource_group_name> \
--settings "<key>=<value>"
```
{% endcode %}
### "Microsoft.Logic/integrationAccounts/write"
### `Microsoft.Logic/integrationAccounts/write`
With this permission, you can create, update, or delete Azure Logic Apps integration accounts. This includes managing integration account-level configurations like maps, schemas, partners, agreements, and more.
{% code overflow="wrap" %}
```bash
az logic integration-account create \
--resource-group <resource_group_name> \
@@ -71,13 +62,11 @@ az logic integration-account create \
--sku <Standard|Free> \
--state Enabled
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/batchConfigurations/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/batchConfigurations/write`
With this permission, you can create or modify batch configurations within an Azure Logic Apps integration account. Batch configurations define how Logic Apps process and group incoming messages for batch processing.
{% code overflow="wrap" %}
```bash
az logic integration-account batch-configuration create \
--resource-group <resource_group_name> \
@@ -88,12 +77,10 @@ az logic integration-account batch-configuration create \
"batchSize": 1048576,
}'
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/maps/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/maps/write`
With this permission, you can create or modify maps within an Azure Logic Apps integration account. Maps are used to transform data from one format to another, enabling seamless integration between different systems and applications.
{% code overflow="wrap" %}
```bash
az logic integration-account map create \
--resource-group <resource_group_name> \
@@ -103,12 +90,10 @@ az logic integration-account map create \
--content-type application/xml \
--map-content map-content.xslt
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/partners/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/partners/write`
With this permission, you can create or modify partners in an Azure Logic Apps integration account. Partners represent entities or systems that participate in business-to-business (B2B) workflows.
{% code overflow="wrap" %}
```bash
az logic integration-account partner create \
--resource-group <resource_group_name> \
@@ -126,12 +111,10 @@ az logic integration-account partner create \
}
}'
```
{% endcode %}
### "Microsoft.Resources/subscriptions/resourcegroups/read" && "Microsoft.Logic/integrationAccounts/sessions/write"
### `Microsoft.Resources/subscriptions/resourcegroups/read` && `Microsoft.Logic/integrationAccounts/sessions/write`
With this permission, you can create or modify sessions within an Azure Logic Apps integration account. Sessions are used in B2B workflows to group messages and track related transactions over a defined period.
{% code overflow="wrap" %}
```bash
az logic integration-account session create \
--resource-group <resource_group_name> \
@@ -147,7 +130,6 @@ az logic integration-account session create \
}
}'
```
{% endcode %}
### "*/delete"
With this permissions you can delete resources related to Azure Logic Apps

44
src/pentesting-cloud/azure-security/az-post-exploitation/az-mysql-post-exploitation.md
View File

@@ -5,54 +5,47 @@
## MySQL Database Post Exploitation
For more information about MySQL Database check:
{% content-ref url="../az-services/az-mysql.md" %}
[az-mysql.md](../az-services/az-mysql.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-mysql.md
{{#endref}}
### "Microsoft.DBforMySQL/flexibleServers/databases/write" && "Microsoft.DBforMySQL/flexibleServers/databases/read"
### `Microsoft.DBforMySQL/flexibleServers/databases/write` && `Microsoft.DBforMySQL/flexibleServers/databases/read`
With this permission, you can create new databases within a MySQL Flexible Server instance on Azure. While this action itself does not modify existing resources, excessive or unauthorized creation of databases could lead to resource consumption, or potential misuse of the server.
{% code overflow="wrap" %}
```bash
az mysql flexible-server db create \
--server-name <server_name> \
--resource-group <resource_group_name> \
--database-name <database_name>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/backups/write"
### `Microsoft.DBforMySQL/flexibleServers/backups/write`
With this permission, you can initiate the creation of backups for a MySQL Flexible Server instance on Azure. This allows users to generate on-demand backups, which can be useful for preserving data at specific points in time.
{% code overflow="wrap" %}
```bash
az mysql flexible-server backup create \
--name <server_name> \
--resource-group <resource_group_name>
--backup-name <backup_name>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/write"
### `Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings/write`
With this permission, you can configure or update the Advanced Threat Protection (ATP) settings for a MySQL Flexible Server instance on Azure. This allows enabling or diabling security features designed to detect and respond to anomalous activities and potential threats.
{% code overflow="wrap" %}
```bash
az mysql flexible-server threat-protection-policy update \
--name <server_name> \
--resource-group <resource_group_name> \
--state <Enabled|Disabled>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/firewallRules/write"
### `Microsoft.DBforMySQL/flexibleServers/firewallRules/write`
With this permission, you can create or modify firewall rules for a MySQL Flexible Server instance on Azure. This allows control over which IP addresses or ranges can access the server. Unauthorized or improper use of this permission could expose the server to unwanted or malicious access.
{% code overflow="wrap" %}
```bash
# Create Rule
az mysql flexible-server firewall-rule create \
@@ -70,71 +63,60 @@ az mysql flexible-server firewall-rule update \
--start-ip-address <start_ip> \
--end-ip-address <end_ip>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/resetGtid/action"
### `Microsoft.DBforMySQL/flexibleServers/resetGtid/action`
With this permission, you can reset the GTID (Global Transaction Identifier) for a MySQL Flexible Server instance on Azure. Resetting GTID will invalidate all the automated, on-demand backups and geo-backups that were taken before the reset action. After GTID reset, you will not be able to perform PITR (point-in-time-restore) using fastest restore point or by custom restore point if the selected restore time is before the GTID reset time. And successful geo-restore will be possible only after 5 days.
{% code overflow="wrap" %}
```bash
az mysql flexible-server reset-gtid \
--name \
--resource-group <resource_group_name> \
--gtid-set <gtid>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/updateConfigurations/action"
### `Microsoft.DBforMySQL/flexibleServers/updateConfigurations/action`
With this permission, you can update the configuration settings of a MySQL Flexible Server instance on Azure. This allows customization of server parameters such as performance tuning, security configurations, or operational settings. You can update the following parameters together in a batch: audit_log_enabled, audit_log_events, binlog_expire_logs_seconds, binlog_row_image, character_set_server, collation_server, connect_timeout, enforce_gtid_consistency, gtid_mode, init_connect, innodb_buffer_pool_size, innodb_io_capacity, innodb_io_capacity_max, innodb_purge_threads, innodb_read_io_threads, innodb_thread_concurrency, innodb_write_io_threads, long_query_time, max_connect_errors, and max_connections.
{% code overflow="wrap" %}
```bash
az mysql flexible-server parameter set-batch \
--resource-group <resource_group_name> \
--server-name <server_name> \
--args max_connections=<value>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
### `Microsoft.DBforMySQL/flexibleServers/read`, `Microsoft.DBforMySQL/flexibleServers/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With this permission, you can assign a user-assigned managed identity to MySQL flexible servers.
{% code overflow="wrap" %}
```bash
az mysql flexible-server identity assign \
--resource-group <ResourceGroupName> \
--server-name <ServerName> \
--identity <IdentityName>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/stop/action"
### `Microsoft.DBforMySQL/flexibleServers/stop/action`
With this permission, you can stop a PostgreSQL Flexible Server instance on Azure. Stopping a server can lead to temporary service disruption, affecting applications and users dependent on the database.
{% code overflow="wrap" %}
```bash
az mysql flexible-server stop \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.DBforMySQL/flexibleServers/start/action"
### `Microsoft.DBforMySQL/flexibleServers/start/action`
With this permission, you can start a stopped PostgreSQL Flexible Server instance on Azure. Starting a server restores its availability, enabling applications and users to reconnect and access the database.
{% code overflow="wrap" %}
```bash
az mysql flexible-server start \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "*/delete"
### `*/delete`
With this permissions you can delete resources related to mysql server in Azure such as server, firewalls, managed identities or configurations

40
src/pentesting-cloud/azure-security/az-post-exploitation/az-postgresql-post-exploitation.md
View File

@@ -5,54 +5,47 @@
## PostgreSQL Database Post Exploitation
For more information about PostgreSQL Database check:
{% content-ref url="../az-services/az-postgresql.md" %}
[az-postgresql.md](../az-services/az-postgresql.md)
{% endcontent-ref %}
{{#ref}}
../az-services/az-postgresql.md
{{#endref}}
### "Microsoft.DBforPostgreSQL/flexibleServers/databases/write" && "Microsoft.DBforPostgreSQL/flexibleServers/databases/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/databases/write` && `Microsoft.DBforPostgreSQL/flexibleServers/databases/read`
With this permission, you can create new databases within a Postgres Flexible Server instance on Azure. While this action itself does not modify existing resources, excessive or unauthorized creation of databases could lead to resource consumption, or potential misuse of the server.
{% code overflow="wrap" %}
```bash
az postgres flexible-server db create \
--server-name <server_name> \
--resource-group <resource_group_name> \
--database-name <database_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/backups/write"
### `Microsoft.DBforPostgreSQL/flexibleServers/backups/write`
With this permission, you can initiate the creation of backups for a Postgres Flexible Server instance on Azure. This allows users to generate on-demand backups, which can be useful for preserving data at specific points in time.
{% code overflow="wrap" %}
```bash
az postgres flexible-server backup create \
--name <server_name> \
--resource-group <resource_group_name>
--backup-name <backup_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/write" && "Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/write` && `Microsoft.DBforPostgreSQL/flexibleServers/advancedThreatProtectionSettings/read`
With this permission, you can configure or update the Advanced Threat Protection (ATP) settings for a Postgres Flexible Server instance on Azure. This allows enabling or diabling security features designed to detect and respond to anomalous activities and potential threats.
{% code overflow="wrap" %}
```bash
az postgres flexible-server threat-protection-policy update \
--name <server_name> \
--resource-group <resource_group_name> \
--state <Enabled|Disabled>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write", "Microsoft.DBforPostgreSQL/flexibleServers/read" && "Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/write`, `Microsoft.DBforPostgreSQL/flexibleServers/read` && `Microsoft.DBforPostgreSQL/flexibleServers/firewallRules/read`
With this permission, you can create or modify firewall rules for a Postgres Flexible Server instance on Azure. This allows control over which IP addresses or ranges can access the server. Unauthorized or improper use of this permission could expose the server to unwanted or malicious access.
{% code overflow="wrap" %}
```bash
# Create Rule
az postgres flexible-server firewall-rule create \
@@ -70,13 +63,11 @@ az postgres flexible-server firewall-rule update \
--start-ip-address <start_ip> \
--end-ip-address <end_ip>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/configurations/write" && "Microsoft.DBforPostgreSQL/flexibleServers/configurations/read"
### `Microsoft.DBforPostgreSQL/flexibleServers/configurations/write` && `Microsoft.DBforPostgreSQL/flexibleServers/configurations/read`
With this permission, you can update the configuration settings of a Postgres Flexible Server instance on Azure. This allows customization of server parameters such as performance tuning, security configurations, or operational settings.
{% code overflow="wrap" %}
```bash
az postgres flexible-server parameter set \
--resource-group <resource_group_name> \
@@ -84,45 +75,38 @@ az postgres flexible-server parameter set \
--name <parameter_name> \
--value <parameter_value>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/stop/action"
### `Microsoft.DBforPostgreSQL/flexibleServers/stop/action`
With this permission, you can stop a PostgreSQL Flexible Server instance on Azure. Stopping a server can lead to temporary service disruption, affecting applications and users dependent on the database.
{% code overflow="wrap" %}
```bash
az postgres flexible-server stop \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/start/action"
### `Microsoft.DBforPostgreSQL/flexibleServers/start/action`
With this permission, you can start a stopped PostgreSQL Flexible Server instance on Azure. Starting a server restores its availability, enabling applications and users to reconnect and access the database.
{% code overflow="wrap" %}
```bash
az postgres flexible-server start \
--name <server_name> \
--resource-group <resource_group_name>
```
{% endcode %}
### "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforPostgreSQL/flexibleServers/write" && "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"
### `Microsoft.DBforPostgreSQL/flexibleServers/read`, `Microsoft.DBforPostgreSQL/flexibleServers/write` && `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
With this permission, you can assign a user-assigned managed identity to postgres flexible servers.
{% code overflow="wrap" %}
```bash
az postgres flexible-server identity assign \
--resource-group <ResourceGroupName> \
--server-name <ServerName> \
--identity <IdentityName>
```
{% endcode %}
### "*/delete"
### `*/delete`
With this permissions you can delete resources related to postgres server in Azure such as server, firewalls, managed identities or configurations

14
src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md
View File

@@ -10,7 +10,7 @@ For more information about SQL Database check:
../az-services/az-sql.md
{{#endref}}
### "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/databases/write"
### `Microsoft.Sql/servers/databases/read`, `Microsoft.Sql/servers/read` && `Microsoft.Sql/servers/databases/write`
With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.
@@ -22,7 +22,7 @@ az sql db create --resource-group <resource-group> --server <server-name> --name
az sql db update --resource-group <resource-group> --server <server-name> --name <database-name> --max-size <max-size-in-bytes>
```
### "Microsoft.Sql/servers/elasticPools/write" && "Microsoft.Sql/servers/elasticPools/read"
### `Microsoft.Sql/servers/elasticPools/write` && `Microsoft.Sql/servers/elasticPools/read`
With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions.
@@ -44,7 +44,7 @@ az sql elastic-pool update \
--tags <key=value>
```
### "Microsoft.Sql/servers/auditingSettings/read" && "Microsoft.Sql/servers/auditingSettings/write"
### `Microsoft.Sql/servers/auditingSettings/read` && `Microsoft.Sql/servers/auditingSettings/write`
With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved.
@@ -57,7 +57,7 @@ az sql server audit-policy update \
--retention-days 7
```
### "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read", "Microsoft.Sql/servers/connectionPolicies/read" && "Microsoft.Sql/servers/connectionPolicies/write"
### `Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read`, `Microsoft.Sql/servers/connectionPolicies/read` && `Microsoft.Sql/servers/connectionPolicies/write`
With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings
@@ -68,7 +68,7 @@ az sql server connection-policy update \
--connection-type <Proxy|Redirect|Default>
```
### "Microsoft.Sql/servers/databases/export/action"
### `Microsoft.Sql/servers/databases/export/action`
With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this.
@@ -84,7 +84,7 @@ az sql db export \
```
### "Microsoft.Sql/servers/databases/import/action"
### `Microsoft.Sql/servers/databases/import/action`
With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server.
@@ -96,7 +96,7 @@ az sql db import --admin-user <admin-user> \
--resource-group <resource-group-name> \
--storage-key-type SharedAccessKey \
--storage-key <storage-account-key> \
--storage-uri "https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac"
--storage-uri `https://<storage-account-name>.blob.core.windows.net/bacpac-container/MyDatabase.bacpac`
```
{{#include ../../../banners/hacktricks-training.md}}