InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Securing Azure: Hunting with AzureHound

We are back again!

So I have been doing a lot of research lately and have been playing around with a lot of stuff; this one interested me, so you all know what's next:

This is gonna be a short one, let’s get right into it!

This is intended for my Red Teamers, Pentesters, Cloud Enthusiasts, and even inquisitive readers. On internal penetration tests, obtaining Domain Admin privileges is often one of the crucial goals. There are various methods to achieve this, one of which involves combining SharpHound and BloodHound to enumerate the domain and map out attack paths, for example looking for machines with active Domain Admin sessions or identifying the shortest path to Domain Admin. But what happens when we switch to Azure? Is it possible to achieve the same results in this environment? How do we go about it?

In comes AzureHound. So what is AzureHound? It's literally just the BloodHound data collector for Azure: it enumerates the tenant through Microsoft's Azure APIs and writes the results as JSON that BloodHound can ingest. Yeah, that's pretty much it. Well..yeah let's get it up and running, shall we?

First things first we will be cloning the repo:

git clone https://github.com/BloodHoundAD/AzureHound.git

Once we do that, let's change into that directory and build the azurehound binary (you will need a Go toolchain installed):

go build .

Building AzureHound to produce the azurehound binary

Now, let's get started. There are various ways to authenticate AzureHound. In this instance we will concentrate on the scenario where Multi-Factor Authentication (MFA) is enabled, as this is likely the prevalent setup in your tenant: the OAuth 2.0 device code flow lets the user complete MFA in a browser and hands us a refresh token that AzureHound can use. Passing a JSON Web Token (JWT) directly is another useful option, but let's stick with the device code flow for now.

Okay, here we go, pull up PowerShell and enter the following commands:

# Request a device code from the v1 endpoint, posing as the Azure PowerShell first-party app
$body = @{
    "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"   # Azure PowerShell client ID
    "resource" = "https://graph.microsoft.com"             # API the token will be issued for
}
# A browser-looking User-Agent; login.microsoftonline.com accepts any, this just blends in
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
$Headers = @{}
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
    -Headers $Headers `
    -Body $body
# Response contains user_code (for the browser), device_code (for the token request), expires_in and interval
$authResponse

The output should show a user_code:

user_code generation

Let’s pull up our browser and navigate to the below link:

https://microsoft.com/devicelogin

You should be brought here, enter the user code, click on next, and confirm that you are logged in:

Entering our user_code

Once the browser sign-in is confirmed, go back to PowerShell and redeem the device code for tokens (if you run this before finishing the browser step, the endpoint answers with an authorization_pending error; just re-run it):

# Exchange the device code for tokens; the server only succeeds once the user has signed in
$body = @{
    "client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
    "grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
    "code" = $authResponse.device_code                      # device_code, not user_code
}
$Tokens = Invoke-RestMethod `
    -UseBasicParsing `
    -Method Post `
    -Uri "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" `
    -Headers $Headers `
    -Body $body
# Response contains access_token, refresh_token, expires_in and resource
$Tokens

You should have gotten a refresh token (alongside an access token). The refresh token is what we will hand to AzureHound so it can mint its own access tokens while collecting the data we need to import into BloodHound:

refresh_token generation

With that accomplished, it’s time to launch AzureHound. The format should look like this:

./azurehound -r "0.ARwA4R8..." list --tenant "<domain name>" -o output.json

NB. the -r flag is where you pass the refresh token value. Treat it as a credential: anyone holding it can obtain fresh access tokens as that user for as long as it stays valid, so keep it out of shell history, screenshots and shared output.

azurehound in action
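The steps above, collected into one script as an added example (this is not code from the post or from the AzureHound project). It runs the same device code flow, but polls the token endpoint at the interval the server specifies and handles the authorization_pending, slow_down and expiry cases instead of relying on a one-shot request; it then decodes the returned access token's claims so you can confirm the user, tenant and audience before collecting, and finally runs the same azurehound invocation. Assumptions: the azurehound binary is in the current directory, the tenant domain is supplied by the caller, and the Invoke-AzureHoundCollection and Get-JwtClaims function names are mine.

```powershell
# Added example: the device-code flow from this post wrapped in functions that poll the
# token endpoint properly, check whose token came back, and then launch azurehound.
# Assumptions (not from the post): the azurehound binary sits in the current directory
# and the tenant domain is supplied by the caller.

$ClientId = "1950a258-227b-4e31-a9cf-717495945fc2"   # Azure PowerShell first-party app, as in the post
$Headers  = @{ "User-Agent" = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36" }

function Get-DeviceCodeTokens {
    param([string]$Resource = "https://graph.microsoft.com")

    # Step 1: ask the v1 endpoint for a device code and the user_code to type into the browser
    $dc = Invoke-RestMethod -Method Post -Headers $Headers `
        -Uri "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" `
        -Body @{ client_id = $ClientId; resource = $Resource }
    Write-Host $dc.message    # "To sign in, use a web browser to open ... and enter the code ..."

    # Step 2: poll for tokens at the interval the server asked for, until the code expires
    $interval = [int]$dc.interval
    $deadline = (Get-Date).AddSeconds([int]$dc.expires_in)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds $interval
        try {
            return Invoke-RestMethod -Method Post -Headers $Headers `
                -Uri "https://login.microsoftonline.com/common/oauth2/token?api-version=1.0" `
                -Body @{
                    client_id  = $ClientId
                    grant_type = "urn:ietf:params:oauth:grant-type:device_code"
                    code       = $dc.device_code
                }
        } catch {
            # Until the user finishes signing in, the endpoint answers HTTP 400 with a JSON error body
            $err = $null
            try { $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error } catch {}
            if ($err -eq "slow_down") { $interval += 5 }
            elseif ($err -ne "authorization_pending") { throw "Device code flow failed: $err" }
        }
    }
    throw "Device code expired before sign-in completed"
}

function Get-JwtClaims {
    # Decode the (unverified) payload of an access token to see which user and tenant it was issued for
    param([Parameter(Mandatory)][string]$Jwt)
    $payload = $Jwt.Split(".")[1].Replace("-", "+").Replace("_", "/")
    while ($payload.Length % 4 -ne 0) { $payload += "=" }   # restore base64 padding
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Invoke-AzureHoundCollection {
    param(
        [Parameter(Mandatory)][string]$Tenant,   # e.g. contoso.onmicrosoft.com (assumed)
        [string]$OutFile = "output.json"
    )
    $tokens = Get-DeviceCodeTokens
    $claims = Get-JwtClaims $tokens.access_token

    # Check before collecting: right user, right tenant, token minted for Graph
    Write-Host ("Signed in as {0} in tenant {1} (aud={2})" -f $claims.upn, $claims.tid, $claims.aud)

    # Same invocation as in the post; AzureHound only needs the refresh token (-r)
    & ./azurehound -r $tokens.refresh_token list --tenant $Tenant -o $OutFile
}

# Usage: Invoke-AzureHoundCollection -Tenant "contoso.onmicrosoft.com"
```

Two notes on the design: the refresh token is passed to azurehound as an argument rather than printed, because it is a reusable credential; and the claim check is deliberately a plain decode, not a signature verification, since the point is only to confirm you are about to enumerate the tenant you were scoped to (for guest accounts the upn claim may be absent and email is the one to look at).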

Now, with that finished, let us find and import that JSON file into BloodHound:

Importing the JSON file
Progress of JSON import

Once the import has completed, scroll through the database objects listing (the Database Info tab) and you will see the Azure objects.

Overview of BloodHound with Azure data

As you can see, my data is pretty bare, but that's fine since this isn't an in-depth review. Let's run one of the simplest pre-built queries:

As demonstrated below, the result shows the shortest path to this user's account. This is useful for mapping out attack paths or, from the other perspective, for understanding where security controls within your environment might need to be strengthened:

Overview of an actioned path

AzureHound is a tool that can be leveraged for both offensive and defensive purposes. As a red teamer, you can use it to gain a clearer understanding of the quickest path to high-value targets. For blue teams, it acts as a roadmap for securing your Azure Cloud environment. Its versatility makes it an invaluable resource. I intend to explore the full capabilities of AzureHound by establishing a more detailed lab environment setup in the near future. For now, consider this a brief overview.

If you found this blog informative and enjoyable, please give it a clap and follow me for more content like this. Until next time!



Written by Jevon Davis

I am a cybersecurity professional who is passionate about everything Cloud. I help teams deliver a secure Cloud Experience to their customers.
