PowerZure – PowerShell script to interact with Azure


PowerZure is a PowerShell script written to assist in assessing Azure security. Functions are broken out into their context as well as the role needed to run them.

Help

| Function | Description | Role |
| --- | --- | --- |
| PowerZure -h | Displays the help menu | Any |

Mandatory

| Function | Description | Role |
| --- | --- | --- |
| Set-Subscription | Sets the default Subscription to operate in | Reader |

Operational

| Function | Description | Role |
| --- | --- | --- |
| Create-Backdoor | Creates a Runbook that creates an Azure account and generates a Webhook to that Runbook | Administrator |
| Execute-Backdoor | Executes the backdoor that is created with “Create-Backdoor”. Needs the URI generated from Create-Backdoor | Administrator |
| Execute-Command | Executes a command on a specified VM | Contributor |
| Execute-MSBuild | Executes MSBuild payload on a specified VM. By default, Azure VMs have .NET 4.0 installed. Will run as SYSTEM. | Contributor |
| Execute-Program | Executes a supplied program. | Contributor |
| Upload-StorageContent | Uploads a supplied file to a storage share. | Contributor |
| Stop-VM | Stops a VM | Contributor |
| Start-VM | Starts a VM | Contributor |
| Restart-VM | Restarts a VM | Contributor |
| Start-Runbook | Starts a specific Runbook | Contributor |
| Set-Role | Sets a role for a specific user on a specific resource or subscription | Owner |
| Remove-Role | Removes a user from a role on a specific resource or subscription | Owner |
| Set-Group | Adds a user to a group | Administrator |

Information Gathering

| Function | Description | Role |
| --- | --- | --- |
| Get-CurrentUser | Returns the current logged in user name, their role + groups, and any owned objects | Reader |
| Get-AllUsers | Lists all users in the subscription | Reader |
| Get-User | Gathers info on a specific user | Reader |
| Get-AllGroups | Lists all groups + info within Azure AD | Reader |
| Get-Resources | Lists all resources in the subscription | Reader |
| Get-Apps | Lists all applications in the subscription | Reader |
| Get-GroupMembers | Gets all the members of a specific group. Group does NOT mean role. | Reader |
| Get-AllGroupMembers | Gathers all the group members of all the groups. | Reader |
| Get-AllRoleMembers | Gets all the members of all roles. Role does not mean group. | Reader |
| Get-Roles | Lists the roles in the subscription | Reader |
| Get-RoleMembers | Gets the members of a role | Reader |
| Get-Sps | Returns all service principals | Reader |
| Get-Sp | Returns all info on a specified service principal | Reader |
| Get-Apps | Gets all applications and their Ids | Reader |
| Get-AppPermissions | Returns the permissions of an app | Reader |
| Get-WebApps | Gets running web apps | Reader |
| Get-WebAppDetails | Gets details of running web apps | Reader |

Secret Gathering

| Function | Description | Role |
| --- | --- | --- |
| Get-KeyVaults | Lists the Key Vaults | Reader |
| Get-KeyVaultContents | Get the secrets from a specific Key Vault | Contributor |
| Get-AllKeyVaultContents | Gets ALL the secrets from all Key Vaults. | Contributor |
| Get-AppSecrets | Returns the application passwords or certificate credentials | Contributor |
| Get-AllAppSecrets | Returns all application passwords or certificate credentials (If accessible) | Contributor |
| Get-AllSecrets | Gets ALL the secrets from all Key Vaults and applications. | Contributor |
| Get-AutomationCredentials | Gets the credentials from any Automation Accounts | Contributor |

Data Exfiltration

| Function | Description | Role |
| --- | --- | --- |
| Get-StorageAccounts | Gets all storage accounts | Reader |
| Get-StorageAccountKeys | Gets the account keys for a storage account | Contributor |
| Get-StorageContents | Gets the contents of a storage container or file share | Reader |
| Get-Runbooks | Lists all the Runbooks | Reader |
| Get-RunbookContent | Reads content of a specific Runbook | Reader |
| Get-AvailableVMDisks | Lists the VM disks available. | Reader |
| Get-VMDisk | Generates a link to download a Virtual Machine’s disk. The link is only available for an hour. | Contributor |
| Get-VMs | Lists available VMs | Reader |