Az PowerShell Module

The Az PowerShell module can enumerate both Azure AD and Azure resources. It replaced the AzureRM and Azure modules for managing Azure resources.

Install

Needs an Internet connection.

Install-Module Az

  • Connect interactively (browser or device-code prompt)
Connect-AzAccount

  • Connect with a credential object (prompts for username and password)
$creds = Get-Credential
Connect-AzAccount -Credential $creds

  • Connect with a password supplied in the script (no prompt; username/password sign-in only works for accounts without MFA)
$passwd = ConvertTo-SecureString "SuperVeryEasytoGuessPassword@1234" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@defcorphq.onmicrosoft.com",$passwd)
Connect-AzAccount -Credential $creds
  • All Azure AD cmdlets have the form *-AzAD* (noun prefix AzAD)
Get-Command *azad*
Get-AzADUser
  • Cmdlets for other Azure resources have the form *-Az* (noun prefix Az)
Get-Command *az*
Get-AzResource
  • Find cmdlets for a particular resource. For example, VMs
Get-Command *azvm*
Get-Command -Noun *vm* -Verb Get
Get-Command *vm*
  • Get information about the current context (account, tenant, subscription etc.)
Get-AzContext
  • List all available contexts
Get-AzContext -ListAvailable
  • Enumerate subscriptions accessible to the current user
Get-AzSubscription
  • Enumerate all resources visible to the current user
Get-AzResource
  • Azure RBAC role assignments, for the whole current subscription or for a specific scope (here an Automation Account)
Get-AzRoleAssignment
Get-AzRoleAssignment -Scope /subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups/Engineering/providers/Microsoft.Automation/automationAccounts/HybridAutomation
  • Enumerate the hybrid worker groups of an Automation Account (the hosts its runbooks can be executed on)
Get-AzAutomationHybridWorkerGroup -AutomationAccountName HybridAutomation -ResourceGroupName Engineering
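Added example, not from the original page: the context, subscription and role-assignment cmdlets above combined into one pass that walks every subscription the current identity can see and lists the privileged RBAC assignments, then restores the original context. The function name and the role list are this example's own choices; the cmdlets and property names are standard Az.

```powershell
# Added example (not part of the original page). Lists Owner / Contributor /
# User Access Administrator assignments across every visible subscription.
$PrivilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')

function Get-PrivilegedAssignments {
    [CmdletBinding()]
    param([string[]]$Roles = $PrivilegedRoles)

    $original = Get-AzContext   # remember where we started
    try {
        foreach ($sub in Get-AzSubscription) {
            # Get-AzRoleAssignment works against the subscription in the current context
            $null = Set-AzContext -Subscription $sub.Id
            Get-AzRoleAssignment |
                Where-Object { $_.RoleDefinitionName -in $Roles } |
                ForEach-Object {
                    [pscustomobject]@{
                        Subscription = $sub.Name
                        Principal    = $_.DisplayName
                        SignInName   = $_.SignInName
                        Type         = $_.ObjectType      # User, Group, ServicePrincipal
                        Role         = $_.RoleDefinitionName
                        Scope        = $_.Scope           # inherited assignments show a parent scope
                    }
                }
        }
    }
    finally {
        $null = Set-AzContext -Context $original
    }
}

Get-PrivilegedAssignments | Sort-Object Subscription, Role | Format-Table -AutoSize
```

Assignments inherited from a management group appear in every child subscription with the management-group scope in the Scope column, which is usually the first thing worth chasing.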

Enumeration_AAD_Users

  • Enumerate all users
Get-AzADUser
  • Enumerate a specific user
Get-AzADUser -UserPrincipalName test@defcorphq.onmicrosoft.com
  • Search for users whose DisplayName starts with a given string
Get-AzADUser -SearchString "admin"
  • Search for users who contain the word "admin" anywhere in their DisplayName:
Get-AzADUser | ?{$_.DisplayName -match "admin"}

Enumeration_AAD_Groups

  • List all groups
Get-AzADGroup
  • Enumerate a specific group
Get-AzADGroup -ObjectId 783a312d-0de2-4490-92e4-539b0e4ee03e
  • Search for groups whose DisplayName starts with a given string
Get-AzADGroup -SearchString "admin" | fl *
  • Search for groups which contain the word "admin" in their name:
Get-AzADGroup | ?{$_.DisplayName -match "admin"}
  • Get members of a group (direct members only; nested groups are returned as group objects)
Get-AzADGroupMember -ObjectId 783a312d-0de2-4490-92e4-539b0e4ee03e
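Added example, not from the original page: Get-AzADGroupMember only returns direct members, so a user hidden two levels down in an "admin" group is easy to miss. This helper expands the membership of every group whose name matches a pattern, following nested groups and guarding against cycles. The function name is this example's own; it uses the documented -GroupObjectId parameter and checks both the property name used by Az.Resources 5+ (OdataType) and by older builds (Type) to tell groups from other principals.

```powershell
# Added example (not part of the original page): transitive group expansion.
function Get-NestedGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupObjectId,
        [string]$Path = '',
        [hashtable]$Seen = @{}   # group ids already expanded, to stop on cycles
    )
    if ($Seen.ContainsKey($GroupObjectId)) { return }
    $Seen[$GroupObjectId] = $true

    foreach ($m in Get-AzADGroupMember -GroupObjectId $GroupObjectId) {
        # Az.Resources >= 5 (Microsoft Graph backed) exposes OdataType; older builds expose Type
        $isGroup = ($m.OdataType -eq '#microsoft.graph.group') -or ($m.Type -eq 'Group')
        $kind = if ($isGroup) { 'Group' } else { 'Principal' }

        [pscustomobject]@{
            Via    = $Path            # chain of groups the membership is inherited through
            Member = $m.DisplayName
            Id     = $m.Id
            Kind   = $kind
        }

        if ($isGroup) {
            Get-NestedGroupMembers -GroupObjectId $m.Id -Path "$Path/$($m.DisplayName)" -Seen $Seen
        }
    }
}

# Same DisplayName match as on the page, then expand each hit
Get-AzADGroup | Where-Object { $_.DisplayName -match 'admin' } | ForEach-Object {
    Get-NestedGroupMembers -GroupObjectId $_.Id -Path $_.DisplayName
} | Format-Table -AutoSize
```

Each row's Via column shows the path of groups the member sits under, so a principal that appears only through a nested group is visible without re-running the cmdlet per group.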

Enumeration_AAD_Apps

  • List all app objects
Get-AzADApplication
  • Get all details about an application
Get-AzADApplication -ObjectId a1333e88-1278-41bf-8145-155a069ebed0
  • Get an application based on the display name
Get-AzADApplication | ?{$_.DisplayName -match "app"}
  • Show the credentials (password or certificate) registered on an application; in current Az.Resources the cmdlet needs an application identity (-ObjectId, -ApplicationId, or an application object piped in from Get-AzADApplication)
Get-AzADAppCredential

Enumeration_AAD_Service_Principals

  • Get all service principals
Get-AzADServicePrincipal
  • Get all details about a service principal
Get-AzADServicePrincipal -ObjectId cdddd16e-2611-4442-8f45-053e7c37a264
  • Get a service principal based on the display name
Get-AzADServicePrincipal | ?{$_.DisplayName -match "app"}

Using_Tokens_With_Az_Powershell

  • Already connected to a tenant, request an access token for Azure Resource Manager (ARM)
Get-AzAccessToken
(Get-AzAccessToken).Token
  • Request an access token for AAD Graph to access Azure AD. Supported values for -ResourceTypeName: AadGraph, AnalysisServices, Arm, Attestation, Batch, DataLake, KeyVault, MSGraph, OperationalInsights, ResourceManager, Storage, Synapse. AAD Graph is deprecated; MSGraph is the one to use against Azure AD today.
Get-AzAccessToken -ResourceTypeName AadGraph
  • For Microsoft Graph
(Get-AzAccessToken -Resource "https://graph.microsoft.com").Token
  • Use the access token (no password needed; the -AccountId must match the identity the token was issued to)
Connect-AzAccount -AccountId test@defcorphq.onmicrosoft.com -AccessToken eyJ0eXA....
  • Pass further tokens alongside the ARM token, which is always required: -GraphAccessToken for AAD Graph, -MicrosoftGraphAccessToken for Microsoft Graph. Without one of them the Azure AD cmdlets (-AzAD*) will not work in that session.
Connect-AzAccount -AccountId test@defcorphq.onmicrosoft.com -AccessToken eyJ0eXA... -GraphAccessToken eyJ0eXA......
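Added example, not from the original page: the token flow above end to end. It pulls an ARM and a Microsoft Graph token from the current session, decodes the JWT payload to confirm audience, identity and expiry, uses the raw tokens against the REST APIs with Invoke-RestMethod, and finally bootstraps a new Az session from them. The helper names are this example's own; the assumption that Connect-AzAccount -AccessToken takes a string matches the page's usage. Az 14+ returns the Token property as a SecureString, which the first helper unwraps.

```powershell
# Added example (not part of the original page): extract, inspect and reuse tokens.
function ConvertFrom-TokenValue {
    # Az.Accounts 5 (Az 14) returns Token as SecureString; older versions return String
    param([Parameter(Mandatory)]$Token)
    if ($Token -is [securestring]) {
        return [System.Net.NetworkCredential]::new('', $Token).Password
    }
    return [string]$Token
}

function Get-JwtPayload {
    # Decodes the base64url payload only; no signature check, this is for inspection
    param([Parameter(Mandatory)][string]$Jwt)
    $part = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($part.Length % 4) { 2 { $part += '==' } 3 { $part += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($part)) | ConvertFrom-Json
}

$armToken   = ConvertFrom-TokenValue (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
$graphToken = ConvertFrom-TokenValue (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token

# Confirm what we actually hold: audience, identity (upn is only present for user tokens) and expiry
$p = Get-JwtPayload $armToken
"aud={0} upn={1} exp={2}" -f $p.aud, $p.upn, [DateTimeOffset]::FromUnixTimeSeconds($p.exp)

# Use the tokens directly against the REST APIs, independent of the Az module
$subs = Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01' `
    -Headers @{ Authorization = "Bearer $armToken" }
$subs.value | Select-Object displayName, subscriptionId

$me = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' `
    -Headers @{ Authorization = "Bearer $graphToken" }
$me.userPrincipalName

# Or hand both tokens to a fresh Az session (e.g. on another host) with no password involved
Connect-AzAccount -AccountId $p.upn -AccessToken $armToken -MicrosoftGraphAccessToken $graphToken
```

Checking aud and exp first saves a confusing 401 later: an ARM token presented to Graph (or an expired one) fails with the same generic error as a wrong tenant.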

Stealing_Tokens_From_Az_PowerShell

  • Az PowerShell (older versions) stores access tokens in clear text in TokenCache.dat in the directory:
C:\Users\[username]\.Azure
  • The same folder holds AzureRmContext.json, which stores ServicePrincipalSecret in clear text if a service principal secret was used to authenticate.
  • Another way to steal tokens: take a process dump of PowerShell and search it for tokens.
  • Users can save tokens to a file with Save-AzContext. Search for it in the PowerShell console history to find the path.
  • Always use Disconnect-AzAccount when done; it removes the account's context and cached tokens.
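Added example, not from the original page: a host-side sweep for the artifacts the list above describes, across every profile under C:\Users. It reports the token cache files, flags an AzureRmContext.json that contains a ServicePrincipalSecret, and greps PSReadLine history for Save-AzContext and Connect-AzAccount lines. The function name is this example's own; msal_token_cache.bin is added as the cache file current Az.Accounts versions write next to the older TokenCache.dat (assumed, and DPAPI-protected on Windows, so it needs the owning user's context to decrypt).

```powershell
# Added example (not part of the original page): locate Az PowerShell credential artifacts.
function Find-AzCredentialArtifacts {
    [CmdletBinding()]
    param([string[]]$ProfileRoots = (Get-ChildItem 'C:\Users' -Directory).FullName)

    foreach ($root in $ProfileRoots) {
        $azDir = Join-Path $root '.Azure'
        if (-not (Test-Path $azDir)) { continue }

        # Files named on the page plus the MSAL cache used by current Az.Accounts (assumption)
        foreach ($name in 'TokenCache.dat', 'AzureRmContext.json', 'msal_token_cache.bin') {
            $f = Join-Path $azDir $name
            if (-not (Test-Path $f)) { continue }
            $item = Get-Item $f
            # AzureRmContext.json carries ServicePrincipalSecret in clear text when an SP secret was used
            $hasSecret = ($name -eq 'AzureRmContext.json') -and
                         (Select-String -Path $f -Pattern 'ServicePrincipalSecret' -Quiet)
            [pscustomobject]@{
                Path        = $f
                Size        = $item.Length
                Modified    = $item.LastWriteTime
                HasSpSecret = [bool]$hasSecret
            }
        }

        # Save-AzContext calls (and the path they wrote to) survive in PSReadLine's history file
        $hist = Join-Path $root 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        if (Test-Path $hist) {
            Select-String -Path $hist -Pattern 'Save-AzContext|Connect-AzAccount' |
                ForEach-Object {
                    [pscustomobject]@{ Path = $hist; Line = $_.LineNumber; Command = $_.Line.Trim() }
                }
        }
    }
}

Find-AzCredentialArtifacts | Format-List
```

The same sweep is useful defensively: run it under the logged-in user after an engagement to confirm Disconnect-AzAccount and cleanup actually removed the context files.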

Runbook

  • Upload a PowerShell script as a runbook to the Automation Account, publish it, and run it on a hybrid worker group, i.e. on a host registered to that account, where it executes with the worker's local privileges
Import-AzAutomationRunbook -Name studentx -Path C:\AzAD\Tools\studentx.ps1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Type PowerShell -Force -Verbose
Publish-AzAutomationRunbook -RunbookName studentx -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
Start-AzAutomationRunbook -RunbookName studentx -RunOn Workergroup1 -AutomationAccountName HybridAutomation -ResourceGroupName Engineering -Verbose
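Added example, not from the original page: the three commands above as one complete run, with the runbook body written to a local file first, the job polled until it finishes, and its output streams retrieved. Resource names are the ones the page uses; the runbook body (whoami, hostname, the AUTOMATION/AZURE environment variables) and the temp path are this example's own.

```powershell
# Added example (not part of the original page): import, publish, run and collect output.
$rg      = 'Engineering'
$account = 'HybridAutomation'
$name    = 'studentx'
$worker  = 'Workergroup1'
$path    = Join-Path $env:TEMP "$name.ps1"

# Runbook body: on a hybrid worker this runs as the worker's service account on that host
@'
whoami
hostname
Get-ChildItem Env: | Where-Object Name -match 'AUTOMATION|AZURE' | Format-Table -AutoSize
'@ | Set-Content -Path $path

Import-AzAutomationRunbook -Name $name -Path $path -AutomationAccountName $account -ResourceGroupName $rg -Type PowerShell -Force
Publish-AzAutomationRunbook -Name $name -AutomationAccountName $account -ResourceGroupName $rg

# -RunOn selects the hybrid worker group; omit it to run in the Azure sandbox instead
$job = Start-AzAutomationRunbook -Name $name -RunOn $worker -AutomationAccountName $account -ResourceGroupName $rg

# Poll until the job leaves the queued/running states
do {
    Start-Sleep -Seconds 10
    $state = (Get-AzAutomationJob -Id $job.JobId -AutomationAccountName $account -ResourceGroupName $rg).Status
    "job $($job.JobId): $state"
} while ($state -in 'New', 'Queued', 'Activating', 'Running')

# Pull everything the runbook wrote: output, verbose, warning and error streams
Get-AzAutomationJobOutput -Id $job.JobId -Stream Any -AutomationAccountName $account -ResourceGroupName $rg |
    Select-Object Time, Type, Summary | Format-Table -Wrap
```

The job, its streams and the imported runbook all stay in the Automation Account afterwards, so on a real engagement note the JobId for the report and remove the runbook when done.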