mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-02-05 03:16:37 -08:00
Merge branch 'HackTricks-wiki:master' into master
File diff suppressed because one or more lines are too long
@@ -417,15 +417,18 @@
- [Az - Container Registry](pentesting-cloud/azure-security/az-services/az-container-registry.md)
- [Az - Container Instances, Apps & Jobs](pentesting-cloud/azure-security/az-services/az-container-instances-apps-jobs.md)
- [Az - CosmosDB](pentesting-cloud/azure-security/az-services/az-cosmosDB.md)
- [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
- [Az - Defender](pentesting-cloud/azure-security/az-services/az-defender.md)
- [Az - File Shares](pentesting-cloud/azure-security/az-services/az-file-shares.md)
- [Az - Function Apps](pentesting-cloud/azure-security/az-services/az-function-apps.md)
- [Az - Intune](pentesting-cloud/azure-security/az-services/intune.md)
- [Az - Key Vault](pentesting-cloud/azure-security/az-services/az-keyvault.md)
- [Az - Logic Apps](pentesting-cloud/azure-security/az-services/az-logic-apps.md)
- [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md)
- [Az - Monitoring](pentesting-cloud/azure-security/az-services/az-monitoring.md)
- [Az - MySQL](pentesting-cloud/azure-security/az-services/az-mysql.md)
- [Az - PostgreSQL](pentesting-cloud/azure-security/az-services/az-postgresql.md)
- [Az - Queue Storage](pentesting-cloud/azure-security/az-services/az-queue.md)
- [Az - Sentinel](pentesting-cloud/azure-security/az-services/az-sentinel.md)
- [Az - Service Bus](pentesting-cloud/azure-security/az-services/az-servicebus.md)
- [Az - SQL](pentesting-cloud/azure-security/az-services/az-sql.md)
- [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md)
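
Review bot: two "Az - Intune" entries are visible in this hunk, one between CosmosDB and Defender (out of alphabetical order) and one between Function Apps and Key Vault (in order). The rendered diff drops the +/- markers, so it is not clear whether this is a move or an accidental duplicate; confirm that only the entry after "Az - Function Apps" survives in the resulting SUMMARY, since mdBook will happily render the page twice in the sidebar otherwise. The new "Az - Defender" and "Az - Monitoring" entries do land in their alphabetical slots.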
@@ -454,7 +457,7 @@
- [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
- [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
- [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
- [Az - CosmosDB](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)
- [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)
- [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
- [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
- [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
@@ -465,6 +468,7 @@
- [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
- [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
- [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md)
- [Az - Virtual Desktop Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md)
- [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md)
- [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
- [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
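
Review bot: ordering problem in this hunk: "Az - SQL Post Exploitation" sits after "Az - Table Storage Post Exploitation", while the rest of the post-exploitation list is alphabetical (Service Bus, SQL, Table Storage). Whichever of the two lines is the added one, SQL should precede Table Storage.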
BIN src/images/vm_to_aa.jpg (new file, 142 KiB; binary file not shown)
@@ -8,7 +8,7 @@

### Accounts

In AWS there is a **root account,** which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them.
In AWS, there is a **root account**, which is the **parent container for all the accounts** for your **organization**. However, you don't need to use that account to deploy resources, you can create **other accounts to separate different AWS** infrastructures between them.

This is very interesting from a **security** point of view, as **one account won't be able to access resources from other account** (except bridges are specifically created), so this way you can create boundaries between deployments.

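
Review bot: the comma fix is fine, but the sentence it touches has a terminology problem worth fixing in the same pass: in AWS Organizations the "root" is the top-level container that holds every OU and account, and the account that administers the organization is the management account (and an account's "root user" is a third, unrelated concept). "A root account which is the parent container for all the accounts" conflates these; suggest "an organization has a management account and a root container under which all the accounts hang". In the unchanged line below, "except bridges are specifically created" reads oddly; "unless cross-account access is explicitly granted (a role trust or resource policy)" says what is meant.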
@@ -70,6 +70,24 @@ SCP examples:

Find **JSON examples** in [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples.html)

### Resource Control Policy (RCP)

A **resource control policy (RCP)** is a policy that defines the **maximum permissions for resources within your AWS organization**. RCPs are similar to IAM policies in syntax but **don’t grant permissions**—they only cap the permissions that can be applied to resources by other policies. When you attach an RCP to your organization root, an organizational unit (OU), or an account, the RCP limits resource permissions across all resources in the affected scope.

This is the ONLY way to ensure that **resources cannot exceed predefined access levels**—even if an identity-based or resource-based policy is too permissive. The only way to bypass these limits is to also modify the RCP configured by your organization’s management account.

> [!WARNING]
> RCPs only restrict the permissions that resources can have. They don’t directly control what principals can do. For example, if an RCP denies external access to an S3 bucket, it ensures that the bucket’s permissions never allow actions beyond the set limit—even if a resource-based policy is misconfigured.

RCP examples:

- Restrict S3 buckets so they can only be accessed by principals within your organization
- Limit KMS key usage to only allow operations from trusted organizational accounts
- Cap permissions on SQS queues to prevent unauthorized modifications
- Enforce access boundaries on Secrets Manager secrets to protect sensitive data

Find examples in [AWS Organizations Resource Control Policies documentation](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html)

### ARN

**Amazon Resource Name** is the **unique name** every resource inside AWS has, its composed like this:
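
Review bot: "This is the ONLY way to ensure that resources cannot exceed predefined access levels" overstates it and hides two limits the text should state explicitly: RCPs do not affect resources in the organization's management account, and they only apply to the services that support them (the S3/KMS/SQS/Secrets Manager examples in the list are the kind of thing covered, not every AWS service). For a pentester both matter, since a resource in the management account or in an unsupported service is outside the boundary. Suggest "RCPs are the organization-level way to cap resource permissions regardless of identity- or resource-based policies, for the services that support them and outside the management account". The WARNING's "They don't directly control what principals can do" followed by an example that denies external principals access also reads as a contradiction; the clearer framing is that an RCP is evaluated on the resource side and caps what any principal, inside or outside the org, can do to that resource, versus an SCP which is evaluated on the principal side.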
@@ -228,7 +246,7 @@ A boundary is just a policy attached to a user which **indicates the maximum lev

A session policy is a **policy set when a role is assumed** somehow. This will be like an **IAM boundary for that session**: This means that the session policy doesn't grant permissions but **restrict them to the ones indicated in the policy** (being the max permissions the ones the role has).

This is useful for **security meassures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised.
This is useful for **security measures**: When an admin is going to assume a very privileged role he could restrict the permission to only the ones indicated in the session policy in case the session gets compromised.

```bash
aws sts assume-role \
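
Review bot: the typo fix is good; while here, the unchanged context line "(being the max permissions the ones the role has)" is hard to parse. The precise statement is that the session's effective permissions are the intersection of the role's own permissions and the session policy, so a session policy can only narrow, never widen, what the role already has. Also "he could restrict" → "they can restrict", and the `aws sts assume-role` snippet that follows should make clear that the session policy is the inline `--policy` document (or `--policy-arns` for managed policies), since the text never names where the policy is supplied.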
@@ -309,20 +327,20 @@ AWS Identity and Access Management (IAM) provides **fine-grained access control*

In [**this page**](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) you can find the **IAM ID prefixe**d of keys depending on their nature:

| Identifier Code | Description |
| ---- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |
| Identifier Code | Description |
| --------------- | ----------------------------------------------------------------------------------------------------------- |
| ABIA | [AWS STS service bearer token](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_bearer.html) |

| ACCA | Context-specific credential |
| AGPA | User group |
| AIDA | IAM user |
| AIPA | Amazon EC2 instance profile |
| AKIA | Access key |
| ANPA | Managed policy |
| ANVA | Version in a managed policy |
| APKA | Public key |
| AROA | Role |
| ASCA | Certificate |
| ACCA | Context-specific credential |
| AGPA | User group |
| AIDA | IAM user |
| AIPA | Amazon EC2 instance profile |
| AKIA | Access key |
| ANPA | Managed policy |
| ANVA | Version in a managed policy |
| APKA | Public key |
| AROA | Role |
| ASCA | Certificate |
| ASIA | [Temporary (AWS STS) access key IDs](https://docs.aws.amazon.com/STS/latest/APIReference/API_Credentials.html) use this prefix, but are unique only in combination with the secret access key and the session token. |

### Recommended permissions to audit accounts
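
Review bot: this hunk only re-pads the table columns, but there appears to be a blank line between the ABIA row and the ACCA row that survives in both versions. A blank line terminates a Markdown table, so the ACCA..ASIA rows will render as a headerless second table or as literal pipes; drop that blank line while the table is being touched. The context line above also has "IAM ID prefixe**d of keys" (a typo with the closing bold marker in the wrong place): "**IAM ID prefixes** of keys".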
@@ -384,9 +402,6 @@ If you are looking for something **similar** to this but for the **browser** you
- [https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html)
- [https://aws.amazon.com/iam/](https://aws.amazon.com/iam/)
- [https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)
- [https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/](https://aws.amazon.com/blogs/aws/introducing-resource-control-policies-rcps-a-new-authorization-policy/)

{{#include ../../../banners/hacktricks-training.md}}



@@ -173,6 +173,9 @@ You should start finding out the **permissions you have** over the resources. Fo

1. **Find the resource you have some acecss to**:

> [!TIP]
> This doesn't require any special permission.

The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**.

Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing:
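
Review bot: two typos in the unchanged context lines of this hunk, "acecss" → "access" and "PoswerShell" → "PowerShell". The new TIP is accurate: listing resources only needs a read role at some scope, which is exactly what `Get-AzResource` reflects ("resources your current user has visibility over"), so it may be worth saying that an empty result does not mean no access, only no ARM-visible role assignments (data-plane access through a SAS, key or Entra-only roles is not listed here).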
@@ -180,11 +183,26 @@ Moreover, you can get the same info in the **web console** going to [https://por
az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resources?api-version=2021-04-01"
```

2. **Find the permissions you have over the resources you have access to and find the roles assigned to you**:
2. **Find the permissions you have over the resources you can see**:

Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action.
> [!TIP]
> This doesn't require any special permission.

Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in:
Talking to the API **`https://management.azure.com/{resource_id}/providers/Microsoft.Authorization/permissions?api-version=2022-04-01`** you can get the permissions you have over the specified resource in the **`resource_id`**.

Therefore, **checking each of the resources you have access to**, you can get the permissions you have over them.

> [!WARNING]
> You can automate this enumeration using the tool **[Find_My_Az_Management_Permissions](https://github.com/carlospolop/Find_My_Az_Management_Permissions)**.


<details>
<summary>Enumerate permissions with **`Microsoft.Authorization/roleAssignments/read`**</summary>

> [!TIP]
> Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action.

- With enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in:
```bash
Get-AzRoleAssignment -Scope /subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4
```
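
Review bot: the split into "what you can do with no special permission" (the `.../providers/Microsoft.Authorization/permissions` call) and "what needs roleAssignments/read" (the collapsible block) is the right structure, but three things carry over into the new `<details>` bullet: `Get-AzRoleAssignment` is a PowerShell cmdlet, not a "role" ("the role **`Get-AzRoleAssignment`**"), "indicatig" is a typo, and the bullet runs straight into the fence with no blank line. The Find_My_Az_Management_Permissions pointer is a tip, so `[!TIP]` matches the page's own convention better than `[!WARNING]`. Also, the `**`...`**` markers inside `<summary>` sit in a raw HTML block, where Markdown is not processed, so they will most likely render literally; use `<code>` or plain text in the summary.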
@@ -200,7 +218,7 @@ like in:
az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" | jq ".value"
```

Another option is to get the roles attached to you in azure with:
- Another option is to **get the roles attached to you in azure**. This also requires the permission **`Microsoft.Authorization/roleAssignments/read`**:

```bash
az role assignment list --assignee "<email>" --all --output table
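
Review bot: the unchanged `az rest` context line has a doubled slash after the host (`management.azure.com//subscriptions/...`); ARM tolerates it, but it should be normalised to a single slash while this block is being edited (the same doubled slash appears in the roleDefinitions call further down this file). For the new bullet, `--assignee "<email>"` suggests only users; `--assignee` also takes an object ID or service principal name, which is the case that matters when the compromised identity is a service principal or managed identity, so "<email-or-object-id>" would be a better placeholder.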
@@ -213,7 +231,7 @@ az rest --method GET --uri 'https://management.azure.com/subscriptions/<subscrip
```


3. **Find the granular permissions of the roles attached to you**:
- **Find the granular permissions of the roles attached to you**:

Then, to get the granular permission you could run **`(Get-AzRoleDefinition -Id "<RoleDefinitionId>").Actions`**.

@@ -223,6 +241,7 @@ Or call the API directly with
az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<RoleDefinitionId>?api-version=2022-04-01" | jq ".properties"
```

</details>

In the following section you can find **information about the most common Azure services and how to enumerate them**:


@@ -19,4 +19,3 @@ For more information check:
{{#include ../../../banners/hacktricks-training.md}}



@@ -31,4 +31,3 @@ az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-
{{#include ../../../banners/hacktricks-training.md}}



@@ -21,4 +21,3 @@ For more information check:
{{#include ../../../banners/hacktricks-training.md}}



@@ -10,7 +10,8 @@ For more information about function apps check:
../az-services/az-function-apps.md
{{#endref}}

> [!CAUTION] > **Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there:
> [!CAUTION]
> **Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there:

{{#ref}}
../az-privilege-escalation/az-functions-app-privesc.md
@@ -0,0 +1,24 @@
# Az - VMs & Network Post Exploitation

{{#include ../../../banners/hacktricks-training.md}}

## Virtual Desktop

For more info about Virtual Desktop check the following page:

{{#ref}}
../az-services/az-virtual-desktop.md
{{#endref}}

### Common techniques

- Overwrite a **MSIX package from the storage account** to get RCE in any VM using that app.
- In a remoteapp it’s possible to change the **path of the binary to execute**.
- **Escape from apps** to a shell to get RCE.
- Any post exploitation attack & persistence from **Azure VMs.**
- It’s possible to **configure a script to be executed** in pool to apply custom configurations

{{#include ../../../banners/hacktricks-training.md}}



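
Review bot: the H1 says "Az - VMs & Network Post Exploitation" but everything below it is about Azure Virtual Desktop (the section is titled "Virtual Desktop" and the ref points at az-virtual-desktop.md), while the SUMMARY hunk in this same commit adds a separate "Az - Virtual Desktop Post Exploitation" page. Either the heading is wrong or this content landed in the wrong file; check which path this new file has. The "Common techniques" bullets are also bare claims with nothing behind them: which storage account holds the MSIX package and what permission is needed to overwrite it, how the RemoteApp binary path is changed, which role allows "configure a script to be executed in pool". Each bullet needs at least the required permission and a command or a pointer to the privesc page, otherwise the section is not actionable. Minor: "**Azure VMs.**" has the period inside the bold markers, and the last bullet is missing its full stop.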
@@ -12,6 +12,8 @@ Fore more information check:

### Hybrid Workers Group

- **From the Automation Account to the VM**

Remember that if somehow an attacker can execute an arbitrary runbook (arbitrary code) in a hybrid worker, he will **pivot to the location of the VM**. This could be an on-premise machine, a VPC of a different cloud or even an Azure VM.

Moreover, if the hybrid worker is running in Azure with other Managed Identities attached, the runbook will be able to access the **managed identity of the runbook and all the managed identities of the VM from the metadata service**.
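
Review bot: the hunk header's context line carries "Fore more information" (typo for "For"); fix it since the file is being edited. In the paragraph, "he will pivot" → "they will pivot" and "on-premise" → "on-premises". The second paragraph is the important point and could be sharper: on an Azure-hosted hybrid worker the runbook gets two separate identity sources, the Automation Account's own managed identity through the identity endpoint injected into the job, and every system- or user-assigned identity of the VM through IMDS, and these can belong to different principals with different role assignments.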
@@ -19,6 +21,15 @@ Moreover, if the hybrid worker is running in Azure with other Managed Identities
> [!TIP]
> Remember that the **metadata service** has a different URL (**`http://169.254.169.254`**) than the service from where get the managed identities token of the automation account (**`IDENTITY_ENDPOINT`**).

- **From the VM to the Automation Account**

Moreover, if someone compromise a VM where an automation account script is running, he will be able to locate the **Automation Account** metadata and access it from the VM to obtain tokens for the **Managed Identities** attached to the Automation Account.

As it's possible to see in the following image, having Administrator access over the VM it's possible to find in the **environment variables of the process** the URL and secret to access the automation account metadata service:



### `Microsoft.Automation/automationAccounts/jobs/write`, `Microsoft.Automation/automationAccounts/runbooks/draft/write`, `Microsoft.Automation/automationAccounts/jobs/output/read`, `Microsoft.Automation/automationAccounts/runbooks/publish/action` (`Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.Automation/automationAccounts/runbooks/write`)

As summary these permissions allow to **create, modify and run Runbooks** in the Automation Account which you could use to **execute code** in the context of the Automation Account and escalate privileges to the assigned **Managed Identities** and leak **credentials** and **encrypted variables** stored in the Automation Account.
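
Review bot: the new "From the VM to the Automation Account" direction is a good addition, but the only evidence for it is a screenshot with an empty alt text (`![](../../../images/vm_to_aa.jpg)`). State in prose which process holds the variables and which variable names carry the URL and the secret (the TIP above already names `IDENTITY_ENDPOINT` for the URL; name the header/secret variable alongside it), so readers of text-only copies and screen readers get the same information, and give the image a descriptive alt text. Grammar in the same paragraph: "if someone compromise a VM" → "compromises", "he will be able" → "they will be able". It is also worth noting that the variables only exist while a job is running on the worker, so timing matters for the attacker.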
@@ -208,4 +208,3 @@ I haven't managed to make it work but according to the allowed parameters it sho



@@ -106,7 +106,7 @@ curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
```


### Microsoft.Web/staticSites/config/write
### `Microsoft.Web/staticSites/config/write`

With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following:

@@ -4,6 +4,13 @@

## Azure Virtual Desktop Privesc

For more info about Azure Virtual Desktop check:

{{#ref}}
../az-services/az-virtual-desktop.md
{{#endref}}


### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
You can retrieve the registration token used to register virtual machines within an host pool.

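
Review bot: "within an host pool" → "within a host pool", and the heading needs a blank line before the sentence that follows it. More substantively, the section stops at "you can retrieve the registration token" without saying what an attacker does with it: the token is what lets a machine register itself as a session host in the pool, so holding it means an attacker-controlled VM can join the pool and receive user sessions. One sentence making that consequence explicit turns a description into a privesc entry, which is what the page's other headings do.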
@@ -11,9 +18,13 @@ You can retrieve the registration token used to register virtual machines within
az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
```

### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
### Microsoft.Authorization/roleAssignments/read, Microsoft.Authorization/roleAssignments/write

> [!WARNING]
> An attacker with these permissions could do things much more dangerous than this one.

With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop:

With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop.
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
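
Review bot: splitting the VM permissions out of this heading is right, but the rewritten sentence still says "With this permissions" (→ "With these permissions"), and the new heading is the only one on the page whose permission names are not in backticks. The new sentence also swapped the trailing colon for a full stop and dropped the blank line before the fence, so the code block now follows a sentence that no longer introduces it; keep the colon and the blank line. The WARNING is true but vague: `roleAssignments/write` at application-group scope (or above) lets the attacker assign any role, including Owner, at that scope, which is the "much more dangerous" thing and is worth naming so the reader knows to check the scope of the assignment permission first.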
@@ -25,14 +36,8 @@ az rest --method PUT \
}'
```

Additionally you can change the virtual machine user and password to access it
```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
Note that in order for a user to be able to access a Desktop or an app, he also needs the role `Virtual Machine User Login` or `Virtual Machine Administrator Login` over the VM.


{{#include ../../../banners/hacktricks-training.md}}

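
Review bot: moving the `az vm user update` block out of the AVD page is fine, but this page now says nothing about where the password-reset route went; a ref to the VM privesc page (the same commit adds the block there under a `Microsoft.Compute/virtualMachines/...` heading) keeps the reader from losing the technique. In the new sentence, "he also needs" → "they also need", and the sentence should be preceded by a blank line so it does not run into the closing fence. It would also help to state the scope: those two login roles are checked on the session-host VM itself, so application-group assignment alone is not enough, which is the point the sentence is making.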
@@ -330,7 +330,7 @@ This permission allows a user to **login as user into a VM via SSH or RDP** (as

Login via **SSH** with **`az ssh vm --name <vm-name> --resource-group <rsc-group>`** and via **RDP** with your **regular Azure credentials**.

## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
### `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`

All those are the necessary permissions to **create a VM with a specific managed identity** and leaving a **port open** (22 in this case). This allows a user to create a VM and connect to it and **steal managed identity tokens** to escalate privileges to it.

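
Review bot: the heading-level fix carries over a markup error from the old line: `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action` is two permissions inside one code span (missing closing and opening backticks around the comma), so split it into two spans like the rest of the list. In the paragraph, "and leaving a port open" → "and leave a port open", and "(22 in this case)" refers to a deployment template the reader has not seen yet at this point; say "(port 22 in the template below)" or similar.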
@@ -375,6 +375,18 @@ Then the attacker needs to have **compromised somehow the VM** to steal tokens f
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
{{#endref}}

### Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/write, Microsoft.Compute/virtualMachines/extensions/read, Microsoft.Compute/virtualMachines/extensions/write

These permissions allow to change the virtual machine user and password to access it:

```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```

### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action

According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs...
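
Review bot: the new section should explain why `extensions/read` and `extensions/write` are in the permission list: `az vm user update` does not talk to the guest OS directly, it deploys the VMAccess extension (VMAccessForLinux on Linux, VMAccessAgent on Windows), which resets the named user's password or creates the user if it does not exist. That has two consequences the page should flag: it is loud (an extension deployment appears in the activity log and on the VM), and it overwrites the legitimate credential, so the real admin is locked out and will notice. Also "These permissions allow to change" → "allow changing", and the heading is the only one in this file without backticks around the permission names (the sibling heading a few lines up uses them).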
@@ -117,5 +117,3 @@ az containerapp job start --name <job-name> --resource-group <res-group>
{{#endref}}

{{#include ../../../banners/hacktricks-training.md}}


@@ -0,0 +1,39 @@
|
||||
# Az - Defender
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Microsoft Defender for Cloud
|
||||
|
||||
Microsoft Defender for Cloud is a comprehensive security management solution that spans Azure, on-premises, and multi-cloud environments. It is categorized as a Cloud-Native Application Protection Platform (CNAPP), combining Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWPP) capabilities. Its purpose is to help organizations find **misconfigurations and weak spots in cloud resources**, strengthen overall security posture, and protect workloads from evolving threats across Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), hybrid on-premises setups and more.
|
||||
|
||||
In practical terms, Defender for Cloud **continuously assesses your resources against security best practices and standards**, provides a unified dashboard for visibility, and uses advanced threat detection to alert you of attacks. Key benefits include a **unified view of security across clouds**, actionable recommendations to prevent breaches, and integrated threat protection that can reduce the risk of security incidents.
|
||||
By supporting AWS and GCP and other SaaS platforms natively and using Azure Arc for on-premises servers, it ensures you can **manage security in one place** for all environments.
|
||||
|
||||
### Key Features
|
||||
|
||||
- **Recommendations**: This section presents a list of actionable security recommendations based on continuous assessments. Each recommendation explains identified misconfigurations or vulnerabilities and provides remediation steps, so you know exactly what to fix to improve your secure score.
|
||||
- **Attack Path Analysis**: Attack Path Analysis visually maps potential attack routes across your cloud resources. By showing how vulnerabilities connect and could be exploited, it helps you understand and break these paths to prevent breaches.
|
||||
- **Security Alerts**: The Security Alerts page notifies you of real-time threats and suspicious activities. Each alert includes details such as severity, affected resources, and recommended actions, ensuring you can respond quickly to emerging issues.
|
||||
- Detection techniques are based on **threat intelligence, behavioral analytics and anomaly detection**.
|
||||
- It’s possible to find all the possible alerts in https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference. Based on the name and description it’s possible to know **what is the alert looking for** (to bypass it).
|
||||
- **Inventory**: In the Inventory section, you find a comprehensive list of all monitored assets across your environments. It provides an at-a-glance view of each resource’s security status, helping you quickly spot unprotected or risky assets that need remediation.
|
||||
- **Cloud Security Explorer**: Cloud Security Explorer offers a query-based interface to search and analyze your cloud environment. It allows you to uncover hidden security risks and explore complex relationships between resources, enhancing your overall threat-hunting capabilities.
|
||||
- **Workbooks**: Workbooks are interactive reports that visualize your security data. Using pre-built or custom templates, they help you monitor trends, track compliance, and review changes in your secure score over time, making data-driven security decisions easier.
|
||||
- **Community**: The Community section connects you with peers, expert forums, and best practice guides. It’s a valuable resource for learning from others’ experiences, finding troubleshooting tips, and staying updated on the latest Defender for Cloud developments.
|
||||
- **Diagnose and Solve Problems**: This troubleshooting hub helps you quickly identify and resolve issues related to Defender for Cloud’s configuration or data collection. It provides guided diagnostics and solutions to ensure the platform operates effectively.
|
||||
- **Security Posture**: The Security Posture page aggregates your overall security status into a single secure score. It provides insights into which areas of your cloud are strong and where improvements are needed, serving as a quick health check of your environment.
|
||||
- **Regulatory Compliance**: This dashboard evaluates how well your resources adhere to industry standards and regulatory requirements. It shows compliance scores against benchmarks like PCI DSS or ISO 27001, helping you pinpoint gaps and track remediation for audits.
|
||||
- **Workload Protections**: Workload Protections focuses on securing specific resource types (like servers, databases, and containers). It indicates which Defender plans are active and provides tailored alerts and recommendations for each workload to enhance their protection. It’s able to find malicious behaviours in specific resources.
|
||||
- This is also the option to **`Enable Microsoft Defender for X`** you can find in certain services.
|
||||
- **Data and AI Security (Preview)**: In this preview section, Defender for Cloud extends its protection to data stores and AI services. It highlights security gaps and monitors sensitive data, ensuring that both your data repositories and AI platforms are safeguarded against threats.
|
||||
- **Firewall Manager**: The Firewall Manager integrates with Azure Firewall to give you a centralized view of your network security policies. It simplifies managing and monitoring firewall deployments, ensuring consistent application of security rules across your virtual networks.
|
||||
- **DevOps Security**: DevOps Security integrates with your development pipelines and code repositories to embed security early in the software lifecycle. It helps identify vulnerabilities in code and configurations, ensuring that security is built into the development process.
|
||||
|
||||
## Microsoft Defender EASM
|
||||
|
||||
Microsoft Defender External Attack Surface Management (EASM) continuously **scans and maps your organization’s internet-facing assets**—including domains, subdomains, IP addresses, and web applications—to provide a comprehensive, real-time view of your external digital footprint. It leverages advanced crawling techniques, starting from known discovery seeds, to automatically uncover both managed and shadow IT assets that might otherwise remain hidden. EASM identifies **risky configurations** such as exposed administrative interfaces, publicly accessible storage buckets and services vulnerable to different CVEs, enabling your security team to address these issues before they are exploited.
Moreover, the continuous monitoring can also show **changes in the exposed infrastructure** comparing different scan results so the admin can be aware of every change performed.
By delivering real-time insights and detailed asset inventories, Defender EASM empowers organizations to **continuously monitor and track changes to their external exposure**. It uses risk-based analysis to prioritize findings based on severity and contextual factors, ensuring that remediation efforts are focused where they matter most. This proactive approach not only helps in uncovering hidden vulnerabilities but also supports the continuous improvement of your overall security posture by alerting you to any new exposures as they emerge.
{{#include ../../../banners/hacktricks-training.md}}
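Review bot: the sub-bullet under Workload Protections ("This is also the option to `Enable Microsoft Defender for X` you can find in certain services") is a fragment that never says what "this" refers to; make it a full sentence, e.g. "Turning on a workload plan here is the same action as the `Enable Microsoft Defender for X` button shown inside the individual service blades." The EASM section also describes the portal feature only; every other service page in this change ends with an enumeration block, so at least a pointer to how the EASM workspace and its discovered assets can be listed from the CLI would keep the page consistent.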
109
src/pentesting-cloud/azure-security/az-services/az-monitoring.md
Normal file
@@ -0,0 +1,109 @@
# Az - Monitoring
{{#include ../../../banners/hacktricks-training.md}}
## Entra ID - Logs
There are 3 types of logs available in Entra ID:
- **Sign-in Logs**: Sign-in logs document every authentication attempt, whether successful or failed. They offer details such as IP addresses, locations, device information and applied conditional access policies, which are essential for monitoring user activity and detecting suspicious login behavior or potential security threats.
- **Audit Logs**: Audit logs provide a record of all changes made within your Entra ID environment. They capture updates to users, groups, roles, or policies for example. These logs are vital for compliance and security investigations, as they let you review who made what change and when.
- **Provisioning Logs**: Provisioning logs provide information about users provisioned in your tenant through a third-party service (such as on-premises directories or SaaS applications). These logs help you understand how identity information is synchronized.
> [!WARNING]
> Note that these logs are only stored for **7 days** in the free version, **30 days** in P1/P2 version and 60 additional days in security signals for risky signin activity. However, not even a global admin would be able to **modify or delete them earlier**.
## Entra ID - Log Systems
- **Diagnostic Settings**: A diagnostic setting specifies a list of categories of platform logs and/or metrics that you want to collect from a resource, and one or more destinations that you would stream them to. Normal usage charges for the destination will occur. Learn more about the different log categories and contents of those logs.
- **Destinations**:
- **Analytics Workspace**: Investigation through Azure Log Analytics and create alerts.
- **Storage account**: Static análysis and backup.
- **Event hub**: Stream data to external systems like third-party SIEMs.
- **Monitor partner solutions**: Special integrations between Azure Monitor and other non-Microsoft monitoring platforms.
- **Workbooks**: Workbooks combine text, log queries, metrics, and parameters into rich interactive reports.
- **Usage & Insights**: Useful to see the most common activities in Entra ID
## Azure Monitor
These are the main features of Azure Monitor:
- **Activity Logs**: Azure Activity Logs capture subscription‑level events and management operations, giving you an overview of changes and actions taken on your resources.
- **Activily logs** cannot be modified or deleted.
- **Change Analysis**: Change Analysis automatically detects and visualizes configuration and state changes across your Azure resources to help diagnose issues and track modifications over time.
- **Alerts**: Alerts from Azure Monitor are automated notifications triggered when specified conditions or thresholds are met in your Azure environment.
- **Workbooks**: Workbooks are interactive, customizable dashboards within Azure Monitor that enable you to combine and visualize data from various sources for comprehensive analysis.
- **Investigator**: Investigator helps you drill down into log data and alerts to conduct deep-rooted analysis and identify the cause of incidents.
- **Insights**: Insights provide analytics, performance metrics, and actionable recommendations (like those in Application Insights or VM Insights) to help you monitor and optimize the health and efficiency of your applications and infrastructure.
### Log Analytics Workspaces
Log Analytics workspaces are central repositories in Azure Monitor where you can **collect, analyze, and visualize log and performance data** from your Azure resources and on-premises environments. Here are the key points:
- **Centralized Data Storage**: They serve as the central location to store diagnostic logs, performance metrics, and custom logs generated by your applications and services.
- **Powerful Query Capabilities**: You can run queries using Kusto Query Language (KQL) to analyze the data, generate insights, and troubleshoot issues.
- **Integration with Monitoring Tools**: Log Analytics workspaces integrate with various Azure services (such as Azure Monitor, Azure Sentinel, and Application Insights) allowing you to create dashboards, set up alerts, and gain a comprehensive view of your environment.
In summary, a Log Analytics workspace is essential for advanced monitoring, troubleshooting, and security analysis in Azure.
You can configure a resource to send data to an analytics workspace from the **diagnostic settings** of the resource.
## Enumeration
### Entra ID
```bash
# Get last 10 sign-ins
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/signIns?$top=10'
# Get last 10 audit logs
az rest --method get --uri 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=10'
# Get last 10 provisioning logs
az rest --method get --uri ‘https://graph.microsoft.com/v1.0/auditLogs/provisioning?$top=10’
# Get EntraID Diagnostic Settings
az rest --method get --uri "https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
# Get Entra ID Workbooks
az rest \
--method POST \
--url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
--headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
--body '{
"subscriptions": ["9291ff6e-6afb-430e-82a4-6f04b2d05c7f"],
"query": "where type =~ \"microsoft.insights/workbooks\" \n| extend sourceId = tostring(properties.sourceId) \n| where sourceId =~ \"Azure Active Directory\" \n| extend DisplayName = tostring(properties.displayName) \n| extend WorkbookType = tostring(properties.category), LastUpdate = todatetime(properties.timeModified) \n| where WorkbookType == \"workbook\"\n| project DisplayName, name, resourceGroup, kind, location, id, type, subscriptionId, tags, WorkbookType, LastUpdate, identity, properties",
"options": {"resultFormat": "table"},
"name": "e4774363-5160-4c09-9d71-2da6c8e3b00a"
}' | jq '.data.rows'
```
### Azure Monitor
```bash
# Get last 10 activity logs
az monitor activity-log list --max-events 10
# Get Resource Diagnostic Settings
az rest --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.DocumentDb/databaseAccounts/<db-name>/providers/microsoft.insights/diagnosticSettings?api-version=2021-05-01-preview"
# Get Entra ID Workbooks
az rest \
--method POST \
--url "https://management.azure.com/providers/microsoft.resourcegraph/resources?api-version=2021-03-01" \
--headers '{"commandName": "AppInsightsExtension.GetWorkbooksListArg"}' \
--body '{
"content": {},
"commandName": "AppInsightsExtension.GetWorkbooksListArg"
}'
# List Log Analytic groups
az monitor log-analytics workspace list --output table
# List alerts
az monitor metrics alert list --output table
az monitor activity-log alert list --output table
```
{{#include ../../../banners/hacktricks-training.md}}
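Review bot: the "Get last 10 provisioning logs" command in the Entra ID enumeration block wraps the Graph URL in curly quotes (‘ … ’), so the shell passes the quote characters as part of the URI and `az rest` fails; use straight single quotes as in the two `auditLogs` commands above it. In the same block the workbook query hard-codes a concrete subscription ID (`9291ff6e-...`) and a request `name` GUID; both should be placeholders such as the `<subscription-id>` used in the Azure Monitor block. The second "Get Entra ID Workbooks" command under Azure Monitor repeats the heading but its body carries only `content` and `commandName` with no `query`, so it is not a valid Resource Graph request and looks like a leftover copy; drop it or give it the query. Minor: "Activily logs" should read "Activity logs", "Static análysis" should be "Static analysis", and the comment "List Log Analytic groups" should say "workspaces" to match the `az monitor log-analytics workspace list` command under it.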
@@ -95,4 +95,3 @@ $queueMessage.Value
{{#include ../../../banners/hacktricks-training.md}}
@@ -0,0 +1,46 @@
# Az - Defender
{{#include ../../../banners/hacktricks-training.md}}
## Microsoft Sentinel
Microsoft Sentinel is a cloud-native **SIEM** (Security Information and Event Management) and **SOAR** (Security Orchestration, Automation, and Response) solution on Azure.
It aggregates security data from across an organization (on-premises and cloud) into a single platform and uses **built-in analytics and threat intelligence** to identify potential threats.
Sentinel leverages Azure services like Log Analytics (for massive log storage and query) and Logic Apps (for automated workflows) – this means it can scale on demand and integrate with Azure’s AI and automation capabilities.
In essence, Sentinel collects and analyzes logs from various sources, **detects anomalies or malicious activities**, and allows security teams to investigate and respond to threats quickly, all through the Azure portal without needing on-premises SIEM infrastructure.
### Microsoft Sentinel Configuration
You start by enabling Sentinel on an Azure Log Analytics workspace (the workspace is where logs will be stored and analyzed). Below are the high-level steps to get started:
1. **Enable Microsoft Sentinel on a Workspace**: In the Azure portal, create or use an existing Log Analytics workspace and add Microsoft Sentinel to it. This deploys Sentinel’s capabilities to your workspace.
2. **Connect Data Sources (Data Connectors)**: Once Sentinel is enabled, connect your data sources using built‑in data connectors. Whether it’s Entra ID logs, Office 365, or even firewall logs, Sentinel begins ingesting logs and alerts automatically. This is commonly done creating diagnostic settings to send logs into the log workspace being used.
3. **Apply Analytics Rules and Content**: With data flowing in, enable built‑in analytics rules or create custom ones to detect threats. Use the Content Hub for pre‑packaged rule templates and workbooks that jump‑start your detection capabilities.
4. **(Optional) Configure Automation**: Set up automation with playbooks to respond automatically to incidents—such as sending alerts or isolating compromised accounts—enhancing your overall response.
## Main Features
- **Logs**: The Logs blade opens the Log Analytics query interface, where you can dive **deep into your data using Kusto Query Language (KQL)**. This area is crucial for troubleshooting, forensic analysis, and custom reporting. You can write and execute queries to filter log events, correlate data across different sources, and even create custom dashboards or alerts based on your findings. It’s the raw data exploration center of Sentinel.
- **Search**: The Search tool offers a unified interface to **quickly locate security events, incidents, and even specific log entries**. Rather than manually navigating through multiple blades, you can type in keywords, IP addresses, or user names to instantly pull up all related events. This feature is particularly useful during an investigation when you need to quickly connect different pieces of information.
- **Incidents**: The Incidents section centralizes all **grouped alerts into manageable cases**. Sentinel aggregates related alerts into a single incident, providing context like severity, timeline, and affected resources. Within an incident, you can view a detailed investigation graph that maps out the relationship between alerts, making it easier to understand the scope and impact of a potential threat. Incident management also includes options to assign tasks, update statuses, and integrate with response workflows.
- **Workbooks**: Workbooks are customizable dashboards and reports that help you **visualize and analyze your security data**. They combine various charts, tables, and queries to offer a comprehensive view of trends and patterns. For instance, you might use a workbook to display a timeline of sign-in activities, geographic mapping of IP addresses, or the frequency of specific alerts over time. Workbooks are both pre-built and fully customizable to suit your organization's specific monitoring needs.
- **Hunting**: The Hunting feature provides a proactive approach to **finding threats that might not have triggered standard alerts**. It comes with pre-built hunting queries that align with frameworks like MITRE ATT&CK but also allows you to write custom queries. This tool is ideal for **advanced analysts looking to uncover stealthy or emerging threats** by exploring historical and real-time data, such as unusual network patterns or anomalous user behavior.
- **Notebooks**: With the Notebooks integration, Sentinel leverages **Jupyter Notebooks for advanced data analytics and automated investigations**. This feature allows you to run Python code directly against your Sentinel data, making it possible to perform machine learning analyses, build custom visualizations, or automate complex investigative tasks. It is particularly useful for data scientists or security analysts who need to conduct deep-dive analyses beyond standard queries.
- **Entity Behavior**: The Entity Behavior page uses **User and Entity Behavior Analytics (UEBA)** to establish baselines for normal activity across your environment. It displays detailed profiles for users, devices, and IP addresses, **highlighting deviations from typical behavior**. For example, if a normally low-activity account suddenly exhibits high-volume data transfers, this deviation will be flagged. This tool is critical for identifying insider threats or compromised credentials based on behavioral anomalies.
- **Threat Intelligence**: The Threat Intelligence section allows you to **manage and correlate external threat indicators**—such as malicious IP addresses, URLs, or file hashes—with your internal data. By integrating with external intelligence feeds, Sentinel can automatically flag events that match known threats. This helps you quickly detect and respond to attacks that are part of broader, known campaigns, adding another layer of context to your security alerts.
- **MITRE ATT&CK**: In the MITRE ATT&CK blade, Sentinel **maps your security data and detection rules to the widely recognized MITRE ATT&CK framework**. This view helps you understand which tactics and techniques are being observed in your environment, identify potential gaps in coverage, and align your detection strategy with recognized attack patterns. It provides a structured way to analyze how adversaries might be attacking your environment and helps in prioritizing defensive actions.
- **Content Hub**: The Content Hub is a centralized repository of **pre-packaged solutions, including data connectors, analytics rules, workbooks, and playbooks**. These solutions are designed to accelerate your deployment and improve your security posture by providing best-practice configurations for common services (like Office 365, Entra ID, etc.). You can browse, install, and update these content packs, making it easier to integrate new technologies into Sentinel without extensive manual setup.
- **Repositories**: The Repositories feature (currently in preview) enables version control for your Sentinel content. It integrates with source control systems such as GitHub or Azure DevOps, allowing you to **manage your analytics rules, workbooks, playbooks, and other configurations as code**. This approach not only improves change management and collaboration but also makes it easier to roll back to previous versions if necessary.
- **Workspace Management**: Microsoft Sentinel's Workspace manager enables users to **centrally manage multiple Microsoft Sentinel workspaces** within one or more Azure tenants. The Central workspace (with Workspace manager enabled) can consolidate content items to be published at scale to Member workspaces.
- **Data Connectors**: The Data Connectors page lists all available connectors that bring data into Sentinel. Each connector is **pre-configured for specific data sources** (both Microsoft and third-party) and shows its connection status. Setting up a data connector typically involves a few clicks, after which Sentinel begins to ingest and analyze logs from that source. This area is vital because the quality and breadth of your security monitoring depend on the range and configuration of your connected data sources.
- **Analytics**: In the Analytics blade, you **create and manage the detection rules that power Sentinel’s alerting**. These rules are essentially queries that run on a schedule (or near real-time) to identify suspicious patterns or threshold breaches in your log data. You can choose from built-in templates provided by Microsoft or craft your own custom rules using KQL. Analytics rules determine how and when alerts are generated, directly impacting how incidents are formed and prioritized.
- **Watchlist**: Microsoft Sentinel watchlist enables the **collection of data from external data sources for correlation against the events** in your Microsoft Sentinel environment. Once created, leverage watchlists in your search, detection rules, threat hunting, workbooks and response playbooks.
- **Automation**: Automation rules allow you to **centrally manage all the automation of incident handling**. Automation rules streamline automation use in Microsoft Sentinel and enable you to simplify complex workflows for your incident orchestration processes.
{{#include ../../../banners/hacktricks-training.md}}
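Review bot: the H1 of this new file reads `# Az - Defender` while every section in it (SIEM/SOAR overview, "Microsoft Sentinel Configuration", the Sentinel blades under "Main Features") is about Microsoft Sentinel; retitle it `# Az - Sentinel` so it does not collide with the separate Defender page. Unlike the other service pages in this change it also has no Enumeration section; at minimum, a pointer to listing the Log Analytics workspace that Sentinel is enabled on (the `az monitor log-analytics workspace list` command from the Monitoring page) would let a reader locate the deployment. "Repositories (currently in preview)" should carry a date or a link, since preview status changes and the claim will go stale silently.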
@@ -351,4 +351,3 @@ sqlcmd -S <sql-server>.database.windows.net -U <server-user> -P <server-passwork
@@ -9,57 +9,101 @@ Virtual Desktop is a **desktop and app virtualization service**. It enables to d
### Host Pools
Host pools in Azure Virtual Desktop are collections of Azure virtual machines configured as session hosts, providing virtual desktops and apps to users. There are two main types:
- **Personal host pools**, where each virtual machine is dedicated to a single user, with its environments
- **Pooled host pools**, where multiple users share resources on any available session host. It has a configurable session limit and a session host configuration lets Azure Virtual Desktop automate the creation of session hosts based on a configuration
Every host pool has a **registration token** is used to register virtual machines within an host pool.
- **Personal host pools**, where each virtual machine is dedicated to a single user.
- It can be configured so the **admin can assign** specific users to VMs or having this done **automatically**.
- This is ideal for people with intensive workloads as each person will have its own VM. Moreover, they will be able to store files and configure settings in the OS disk and these will persist as **each user has its own VM (host)**.
### Application groups & Workspace
Application groups **control user access** to either a full desktop or specific sets of applications available on session hosts within a host pool. There are two types:
- **Desktop application groups**, which give users access to a complete Windows desktop (available with both personal and pooled host pools)
- **RemoteApp groups**, which allow users to access individual published applications (available only with pooled host pools).
A host pool can have one Desktop application group but multiple RemoteApp groups. Users can be assigned to multiple application groups across different host pools. If a user is assigned both desktop and RemoteApp groups within the same host pool, they only see resources from the preferred group type set by administrators.
- **Pooled host pools**, where multiple **users share resources** on available session hosts.
- It’s possible to configure a **maximum number of users** (sessions) per host.
- It’s possible to **add VMs manually** using a registration keys, or **allow Azure to automatically scale** the number of hosts without having the option of adding VMs using the registration key. It’s not possible to automatically scale VMs for personal pools.
- To persist files in users sessions, it’s needed to use **FSlogix**.
A **workspace** is a **collection of application groups**, allowing users to access the desktops and application groups assigned to them. Each application group must be linked to a workspace, and it can only belong to one workspace at a time.
### Session Hosts
These are the **VMs that users will connect to.**
- If automated scaling was selected, a template will be created with the **characteristics of the hosts** that need to be created for the pool.
- If not, when creating the Host pool it’s possible to indicate the **characteristics and the number of VMs** you want to create and Azure will create and add them for you.
The main features to **configure the VMs** are:
- The **prefix** name of the new VMs
- The **VM type**: This can be “Azure virtual machine” (to use Azure VMs) or “Azure Local virtual machine” which allow hosts to be deployed on-premises or at the edge.
- The location, zones, VM security options, image, CPU, memory, Disk size…
- The **VNet, security group and ports** to expose to the internet
- It’s possible to set credentials to automatically **join an AD domain**, or use Entra ID directory
- If Entra ID, It’s possible to automatically **enroll the new VM in Intune**
- It’s needed to set an **administrator username and password** unless Azure will scale the hosts, in that case a **secret must be configured with the username and another one with the password**
- It’s possible to **configure a script to be executed** for custom configuration
### Application Groups
**Application groups** control user access to either a full desktop or specific sets of applications available on session hosts within a host pool.
There are two types of application groups:
- **Desktop application groups**, which give users access to a complete Windows desktops and attached apps.
- **RemoteApp groups**, which allow users to access individual applications.
- It’s not possible to assign this kind of application group to a Personal Pool.
- It’s needed to indicate the path to the binary to execute inside the VM.
A Pooled Pool can have **one Desktop application** group and **multiple RemoteApp groups** and users can be assigned to multiple application groups across different host pools.
When a user is **granted access** it’s given the role **`Desktop Virtualization User`** over the application group.
### Workspaces & Connections
A **workspace** is a collection of application groups.
In order to **connect** to the Desktop or apps assigned it’s possible to do so from [https://windows365.microsoft.com/ent#/devices](https://windows365.microsoft.com/ent#/devices)
And there are other methods described on [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client)
When a user access his account he is going to be **presented separated by workspaces everything he has access to**. Therefore, it’s needed to add **each application group to one workspace** in order for the defined accesses to be visible.
In order for a user to be able to access a Desktop or an app, he also needs the role **`Virtual Machine User Login`** or **`Virtual Machine Administrator Login`** over the VM.
### Managed Identities
It’s not possible to assign managed identities to host pools so the created VMs inside a pool will have them.
However, it’s possible to **assign system and user managed identities to the VMs** and then access the tokens from the metadata. Actually, after launching the host pools form the web, the 2 generated VMs have the system assigned managed identity enabled (although it doesn’t have any permissions).
### Key Features
- **Flexible VM Creation**: Create Azure virtual machines directly or add Azure Local virtual machines later.
- **Security Features**: Enable Trusted Launch (secure boot, vTPM, integrity monitoring) for advanced VM security (a virtual network is needed). Can integrate Azure Firewall and control traffic via Network Security Groups.
- **Domain Join**: Support for Active Directory domain joins with customizable configurations.
- **Diagnostics & Monitoring**: Enable Diagnostic Settings to stream logs and metrics to Log Analytics, storage accounts, or event hubs for monitoring.
- **Custom image templates**: Create and manage them to use when adding session hosts. Easily add common customizations or your own custom scripts.
- **Workspace Registration**: Easily register default desktop application groups to new or existing workspaces for simplified user access management.
### Enumeration
```bash
az extension add --name desktopvirtualization
# List HostPool of a Resource group
az desktopvirtualization hostpool list --resource-group <Resource_Group>
# List HostPools
az desktopvirtualization hostpool list
# List Workspaces
az desktopvirtualization workspace list
# List Application Groups
az desktopvirtualization applicationgroup list --resource-group <Resource_Group>
# List Application Groups By Subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
az desktopvirtualization applicationgroup list
# List Applications in a Application Group
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
# Check if Desktops are enabled
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
# List Assigned Users to the Application Group
az rest \
--method GET \
--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions/<subscription_id_in_lowercase>/resourcegroups/<resource_group_name_in_lowercase>/providers/microsoft.desktopvirtualization/applicationgroups/<app_group_name_in_lowercase>")'
# List hosts
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
# List Workspace in a resource group
az desktopvirtualization workspace list --resource-group <Resource_Group>
# List Workspace in a subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"
# List App Attach Package By Resource Group
# List App Attach packages
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List App Attach Package By Subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List user sessions
az rest --method GET --url "https://management.azure.com/ssubscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostpools/{hostPoolName}/sessionhosts/{hostPoolHostName}/userSessions?api-version=2024-04-03"
# List Desktops
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
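Review bot: the "List user sessions" command in the Enumeration block has a typo in the URL (`/ssubscriptions/`), so the request will not resolve; fix it to `/subscriptions/`, or drop it, since the same call appears correctly spelled as "List userSessions" in the next hunk. Elsewhere in this hunk: "Every host pool has a registration token is used to register virtual machines" is missing "that"; the Managed Identities paragraph says managed identities cannot be assigned to host pools "so the created VMs inside a pool will have them", which reads as a contradiction and presumably means the VMs created for a pool will not inherit one from the pool; "FSlogix" should be "FSLogix"; "List Desktops" repeats the "Check if Desktops are enabled" call with the same URL, so keep one; and the "Workspaces & Connections" section gives https://windows365.microsoft.com/ent#/devices as the connection URL while the "### Connection" section further down in the same file gives client.wvd.microsoft.com, so the two sections should be merged or cross-referenced.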
@@ -69,37 +113,29 @@ az rest --method GET --url "https://management.azure.com/subscriptions/{subscrip
# List private endpoint connections associated with hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
# List private endpoint connections associated By Workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"
# List the private link resources available for a hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
# List the private link resources available for this workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"
# List sessionHosts/virtual machines.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
# List start menu items in the given application group.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"
|
||||
|
||||
# List userSessions.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
|
||||
# List userSessions By Host Pool
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"
|
||||
|
||||
```
|
||||
|
||||
### Connection
|
||||
|
||||
To connect to the virtual desktop via web you can access through https://client.wvd.microsoft.com/arm/webclient/ (most common), or https://client.wvd.microsoft.com/webclient/index.html (classic)
|
||||
There are other methods that are described here [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows)
|
||||
|
||||
## Privesc
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-virtual-desktop-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
## Post Exploitation & Persistence
|
||||
|
||||
{{#ref}}
|
||||
../az-post-exploitation/az-virtual-desktop-post-exploitation.md
|
||||
{{#endref}}
|
||||
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
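Review bot: the inline comments in the enumeration block are inconsistent in wording and punctuation: `# List private endpoint connections associated By Workspace.` reads oddly beside `# List private endpoint connections associated with hostpool.`, and `# List userSessions By Host Pool` lacks the trailing period every other comment carries. Suggest `# List private endpoint connections associated with a workspace.` and `# List user sessions by host pool.` so the block reads uniformly. It would also help the reader to say, next to the per-session-host `userSessions` call, that `{sessionHostName}` comes from the `sessionHosts` listing just above, since that placeholder appears nowhere else. In the Connection section, "you can access through https://client.wvd.microsoft.com/arm/webclient/ (most common), or ... (classic)" would read better as "you can use ... (most common) or ... (classic)" with a closing period.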
@@ -103,4 +103,3 @@ Some remediations for these techniques are explained in [https://www.netskope.co
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
@@ -65,7 +65,7 @@ gcloud config set pass_credentials_to_gsutil true
|
||||
|
||||
Another exploit script for this method can be found [here](https://github.com/RhinoSecurityLabs/GCP-IAM-Privilege-Escalation/blob/master/ExploitScripts/storage.hmacKeys.create.py).
|
||||
|
||||
## `storage.objects.create`, `storage.objects.delete` = Storage Write permissions
|
||||
### `storage.objects.create`, `storage.objects.delete` = Storage Write permissions
|
||||
|
||||
In order to **create a new object** inside a bucket you need `storage.objects.create` and, according to [the docs](https://cloud.google.com/storage/docs/access-control/iam-permissions#object_permissions), you need also `storage.objects.delete` to **modify** an existent object.
|
||||
|
||||
|
||||
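Review bot: check that the new `###` level for the `storage.objects.create`, `storage.objects.delete` heading matches its sibling permission sections in this file (for instance the `storage.hmacKeys.create` section referenced just above); if the siblings stay at `##`, this one will nest under the previous section in the sidebar and TOC. While here, the unchanged paragraph below would read more naturally as "you also need `storage.objects.delete` to **modify** an existing object" instead of "you need also ... an existent object".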
@@ -171,4 +171,3 @@ Abusing the **google groups privesc** you might be able to escalate to a group w
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||
@@ -165,4 +165,3 @@ It's possible to do something using gcloud instead of the web console, check:
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
|
||||