Azure

Manual Enum:

dork:

site:.blob.core.windows.net filetype:pdf CLIENT

MicroBurst

Domain Enumeration (passive):

file.core.windows.net	Storage Accounts – Files
blob.core.windows.net	Storage Accounts – Blobs
queue.core.windows.net	Storage Accounts – Queues
table.core.windows.net	Storage Accounts – Tables
azurewebsites.net	App Services and Function app
scm.azurewebsites.net	App Services – Management
database.windows.net	Databases – MSSQL
documents.azure.com	Databases – Cosmos DB
azurecontainer.io	Container Instances
azurecr.io	Container Registry
redis.cache.windows.net	Redis
azureedge.net	CDN
search.windows.net	Search Appliance
azure-api.net	API Services
cloudapp.azure.com	Customer-assigned public IP DNS
vault.azure.net	Key Vault

Active testing:

authenicate:

Manual enumeration:

• endpoint.microsoft.com

• portal.azure.com

• myapplications.microsoft.com

• https://myaccount.microsoft.com

• https://myapps.microsoft.com/

• https://myaccess.microsoft.com

Microsoft Portals SiteMicrosoft Portals

Blobhunter:

python.exe .\BlobHunter.py

MicroBurst

Get-AzVM | Format-Table -Wrap -AutoSize -Property ResourceGroupName,Name,Location
Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
Invoke-AzHybridWorkerExtraction -Verbose

Enumeration:

Get-AzureADAppOwner
Get-AzureADDeviceOwner #get domain computers
Get-AzureADGroupMember -Group '[Name of Group]'
Get-AzureADRoleMember -Role 'Global Administrator'
Get-AzureADRoleMember -All
Get-AzureADUser -Username [Usename]
Get-AzureADUser -All
Get-AzureInTuneScript
Get-AzureLogicAppConnector
Get-AzureManagedIdentity
Get-AzurePIMAssignment
Get-AzureRole -All
Get-AzureRole -Role Reader
Get-AzureRunAsAccount
Get-AzureRolePermission -Permission [role definition]Get-AzureSQLDB -All