Microsoft Azure


  • AADInternals

  • Microsoft Azure PowerShell (MSOnline, AzureAD and AzureCLI)

  • Interacting Manually through the Azure Portal

  • PowerZure

  • ROADTools

  • 365-Stealer (Initial Access)

  • TREVORspray (Replaceable with any other Password Spraying Solution such as MSOLSpray)


  • Azure Web Service applications run with Managed Identity Permissions - capturing an access token may allow a user to enumerate the Azure tenant and potentially on-prem AD environment.

  • Identifying a vulnerability such as SQLi, RCE, or SSRF in a web application to obtain a shell and enumerate from there.

    • If the attacker drops into a container, they can check if the pod has access to something like AWS instance metadata (Searching for IAM credentials)

      • AssumeRole is an easy privilege escalation opportunity, allowing the user to impersonate others, potentially obtaining access to other resources.

      • An attacker can enumerate the Azure tenant by querying a users login information on a Microsoft endpoint. If it is managed, then we know AzureAD is in use.

  • Perform attacks such as password spraying, phishing for easy initial access.

  • We can utilize 365-Stealer to exploit an OpenRedirect vulnerability, send it to AzureAD users and potentially obtain the access token information of a user.

    • This is effective as it uses and sends the access token information by a POST method to the attacker.

  • Utilize MFASweep to see if there's any MFA or Conditional Access policies blocking us from accessing the domain with a specific user.

Enumerating Blobs

  • Enumerating Blobs for a specific tenant can be pretty hard, there is a tool called Blobhunter which can be used to look for open containers within an environment.

  • We can use MicroBurst to see if we can enumerate public Azure blobs that contain a specific key word such as the client name.



  • Azure by default will have .NET 4.0 installed.

  • Service Prinicpals in Azure are accounts linked to applications.

Authentication Types

  • Most likely Password Hash Synchronization (PHS) is in use, where passwords from on-prem are sent to the cloud (similar to a domain controller).

    • We can exploit this by compromising the Synchronization account as it essentially can replicate EVERY domain users password.

      • This can be found with an LDAP query, looking for the default description.

    • Once we retrieve the password, we can use a tool called ADConnectDump to retrieve credentials via the network.

  • Pass through Authentication allows for a user to have a single password for Azure and on-premise.

    • For example, a user logs into Outlook on the web which Azure then uses PKI to encrypt and send back to an on-prem agent and validates it against the DC.

    • This potentially allows for DLL Injection into the PTA agent and to intercept authentication requests.

  • If Single-Sign-On authentication is enabled, an attacker can craft a Silver Ticket (IF MFA IS DISABLED) and inject it into the current session to impersonate the targeted user on an Azure AD application.

  • Azure CMDLets (AADInternals)[]

  • Azure PowerShell (

    • Several interesting commands such as adding API permissions, groups, users, enumerate resources, policies, etc.

  • An attacker can query if a machine has a PRT or if the machine is AzureAD joined with the Dsregcmd.exe /status command.

  • PowerShell keeps the users session information in C:\Users\Parzival\Azure and is available in cleartext. If a user has not terminated their session, an attacker can steal this token.

Signing into Azure

  • After importing PowerZure, we can login to Azure either via an Interactive login which will spawn a new login windows or a Cached Token stored in the Users .Azure folder.

  • If MFA is not enabled, you can pass credentials in via the CLI.

Role Abuse

  • *READER - The reader role only has read-only access but cann gratn them access such as reading runbooks to see if there are any hard-coded credentials, or any other potentially interesting information.

  • CONTRIBUTOR - Allows you to manually edit resources in Azure, this means we can potentially execute arbitrary commands, an MSBuild Payload, or an arbitrary binary.

    • You can also return Key Vault contents to identify secret keys or certificates, application secrets, and automation account Run-as credentials.

    • Contributors can also download disks which can give them a significant amount of information.

  • Owner - Can do every a contributor can, as well as give permission to resources they own which may provide a backdoor opportunity.

  • Administrator - Administrators can assign roles and create backdoors - allowing for an attacker to create a runbook and execute it, ultimately creating a new user, assigning them to the Owner rople, and generating a webhook for an attacker to execute.

PRT (Primary Refresh Token)

  • Used to provie an SSO experience so that you can access Teams, Exchange Online, and AzureAD without re-authenticating.

  • When a user signs into a website with a browsow that supports SSO to Azure, the Cloud Authentication Provider will create a PRT cookie for a user.

  • As an attacker, if we can compromise a user's PRT and session key, we can arbitrarily create PRT cookies to gain access to web resources as that user from any device.

Pass the PRT

  1. Extract the PRT from LSASS using Mimikatz Sekurlsa::cloudap

  2. Extract the Session Key. If you remember this is issued and then re-encrypted by the local device, so we need to decrypt this using a DPAPI masterkey. We’ve learned about that in the Pass-the-Cookie attack and will use the same approach.

  3. Using the decrypted Session Key, we will obtain the derived key for the PRT and the context. This is needed to create our PRT cookie using Mimikatz. The derived key is what is used to sign the JWT for the cookie.

  1. Extract browser cookies from a user by utilizing Mimikatz

    1. We care about Azure authentication cookies here such as the ESTSAUTH, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT

  2. Now that we have the cookies, we can pass them into another session to take over the identified account, ultimately bypassing MFA.

  3. We do not need privileged access to a workstation to perform this attack as all users have access to read and decrypt their own browser cookies, regardless of privileged access to the workstation.

Post Exploitation

  • If you have compromised a Global Administrator or InTune Administrator you can run arbitrary scripts (Runbook Scripts in PowerShell or Python) against AzureAD joined machines.

    • This can allow an attacker to pivot from the cloud to on-prem or deploy persistence/ransomware across several machines.


  • If a tenant has been compromised, an attacker can modify conditional access policies, allowing for specific users to connect without any restrictions. This would be logged by Azure though.

  • Assign credentials to Service Principals. In Azure, any user has the rage to create and register applications.

    • Assigning high privileges to applications requires the consent of an Administrator.

  • Once a Global or Application administrator has been compromised, you can add privileges to any application via the Azure Portal. These credentials can then be associated to the Service Principal - it should be noted that Azure Principals do not require MFA.

Last updated