Azure Tools Update

Methodology and Resources/Cloud - AWS Pentest.md

@@ -1,4 +1,4 @@
-# AWS 
+# Cloud - AWS 
 
 > Amazon Web Services offers reliable, scalable, and inexpensive cloud computing services.
 

Methodology and Resources/Cloud - Azure Pentest.md

@@ -1,4 +1,4 @@
-# Azure Active Directory
+# Cloud - Azure
 
 ## Summary
 
@@ -59,7 +59,7 @@
 
 ## Azure Recon Tools
 
-* **ROADTool** 
+* [**ROADTool**](https://github.com/dirkjanm/ROADtools) - The Azure AD exploration framework.
     ```powershell
     pipenv shell
     roadrecon auth [-h] [-u USERNAME] [-p PASSWORD] [-t TENANT] [-c CLIENT] [--as-app] [--device-code] [--access-token ACCESS_TOKEN] [--refresh-token REFRESH_TOKEN] [-f TOKENFILE] [--tokens-stdout]
@@ -68,10 +68,8 @@
     roadrecon gather
     roadrecon gui
     ```
-* **StormSpotter**
+* [**Azure/StormSpotter**](https://github.com/Azure/Stormspotter) - Azure Red Team tool for graphing Azure and Azure Active Directory objects
     ```powershell
-    # https://github.com/Azure/Stormspotter
-
     # session 1 - backend
     pipenv shell
     python ssbackend.pyz
@@ -90,44 +88,45 @@
     Password: BloodHound
     Server: bolt://localhost:7687
     ```
-* **Azure Hound**
+* [**BloodHoundAD/AzureHound**](https://github.com/BloodHoundAD/AzureHound) - Azure Data Exporter for BloodHound
     ```powershell
-    # https://github.com/BloodHoundAD/AzureHound
-
-    . C:\Tools\AzureHound\AzureHound.ps1
-    Invoke-AzureHound -Verbose
+    ./azurehound configure
+    ./azurehound -u "MattNelson@contoso.onmicrosoft.com" -p "MyVerySecurePassword123" --tenant "contoso.onmicrosoft.com" list
+    ./azurehound -u "phisheduser@contoso.onmicrosoft.com" -p "Password1" list -o initial-scan.json --tenant "contoso.onmicrosoft.com"
+    ./azurehound -a "6b5adee8-..." -s "<secret>" --tenant "contoso.onmicrosoft.com" list
+    ./azurehound -j "ey..." --tenant "contoso.onmicrosoft.com" list az-ad
+    ./azurehound -r "0.ARwA6Wg..." --tenant "contoso.onmicrosoft.com" list
 
     # GUI access
     bolt://localhost:7687
     Username: neo4j
     Password: BloodHound
 
-    # Cypher query example:
-    MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
-
-    # Change object ID's to names in Bloodhound
-    MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
-
     # Custom Queries : https://hausec.com/2020/11/23/azurehound-cypher-cheatsheet/
+    # Cypher query examples:
+    MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p
+    MATCH (n) WHERE n.azname IS NOT NULL AND n.azname <> "" AND n.name IS NULL SET n.name = n.azname
     ```
-* List of Microsoft portals: https://msportals.io/
-* **Azucar** : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
+* [BloodHoundAD/BARK](https://github.com/BloodHoundAD/BARK) - BloodHound Attack Research Kit
+    ```ps1
+    . .\BARK.ps1
+    $MyRefreshTokenRequest = Get-AZRefreshTokenWithUsernamePassword -username "user@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
+    $MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
+    $MyAADUsers = Get-AllAzureADUsers -Token $MyMSGraphToken.access_token -ShowProgress
+    ```
+* [**Microsoft Portals**](https://msportals.io/) - Microsoft Administrator Sites
+* [**nccgroup/Azucar**](https://github.com/nccgroup/azucar.git) : Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks.
     ```powershell
     # You should use an account with at least read-permission on the assets you want to access
-    git clone https://github.com/nccgroup/azucar.git
     PS> Get-ChildItem -Recurse c:\Azucar_V10 | Unblock-File
-
     PS> .\Azucar.ps1 -AuthMode UseCachedCredentials -Verbose -WriteLog -Debug -ExportTo PRINT
     PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
     PS> .\Azucar.ps1 -ExportTo CSV,JSON,XML,EXCEL -AuthMode Certificate_Credentials -Certificate C:\AzucarTest\server.pfx -CertFilePassword MySuperP@ssw0rd! -ApplicationId 00000000-0000-0000-0000-000000000000 -TenantID 00000000-0000-0000-0000-000000000000
-
     # resolve the TenantID for an specific username
     PS> .\Azucar.ps1 -ResolveTenantUserName user@company.com
     ```
-* **Azurite Explorer** and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
+* [**FSecureLABS/Azurite Explorer**](https://github.com/FSecureLABS/Azurite) and **Azurite Visualizer** : Enumeration and reconnaissance activities in the Microsoft Azure Cloud.
     ```powershell
-    git clone https://github.com/mwrlabs/Azurite.git
-    git clone https://github.com/FSecureLABS/Azurite
     git submodule init
     git submodule update
     PS> Import-Module AzureRM
@@ -135,33 +134,27 @@
     PS> Review-AzureRmSubscription
     PS> Review-CustomAzureRmSubscription
     ```
-* **MicroBurst** - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
+* [**NetSPI/MicroBurst**](https://github.com/NetSPI/MicroBurst) - MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping
     ```powershell
-    $ git clone https://github.com/NetSPI/MicroBurst
     PS C:> Import-Module .\MicroBurst.psm1
     PS C:> Import-Module .\Get-AzureDomainInfo.ps1
     PS C:> Get-AzureDomainInfo -folder MicroBurst -Verbose
     ```
-* **SkyArk** - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.   
+* [**cyberark/SkyArk**](https://github.com/cyberark/SkyArk) - Discover the most privileged users in the scanned Azure environment - including the Azure Shadow Admins.   
     Require:
     - Read-Only permissions over Azure Directory (Tenant)
     - Read-Only permissions over Subscription
     - Require AZ and AzureAD module or administrator right
 
     ```powershell
-    $ git clone https://github.com/cyberark/SkyArk
     $ powershell -ExecutionPolicy Bypass -NoProfile
     PS C> Import-Module .\SkyArk.ps1 -force
     PS C> Start-AzureStealth
-
-    or in the Cloud Console
-
     PS C> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cyberark/SkyArk/master/AzureStealth/AzureStealth.ps1')  
     PS C> Scan-AzureAdmins  
-* **PowerZure** - 
+* [**hausec/PowerZure**](https://github.com/hausec/PowerZure) - PowerShell framework to assess Azure security
     ```powershell
-    require az module !
-    $ git clone https://github.com/hausec/PowerZure
+    # Require az module !
     $ ipmo .\PowerZure
     $ Set-Subscription -Id [idgoeshere]