AzureHound

BloodHound's AzureHound (https://github.com/BloodHoundAD/AzureHound) extends BloodHound to Azure and Entra ID so that attack paths there can be mapped as well. Its collectors use the Azure AD and Az PowerShell modules to gather the data.

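1. Run the collector to gather data

# Build a credential object for the account used for collection
$passwd = ConvertTo-SecureString "SuperVeryEasytoGuessPassword@1234" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("test@defcorphq.onmicrosoft.com", $passwd)
# Sign in with the Az module
Connect-AzAccount -Credential $creds
# Load the AzureAD module and sign in with it as well
Import-Module C:\AzAD\Tools\AzureAD\AzureAD.psd1
Connect-AzureAD -Credential $creds

2. Run

# Dot-source the script so that Invoke-AzureHound is defined in the current session
. C:\AzAD\Tools\AzureHound\AzureHound.ps1
Invoke-AzureHound -Verbose

3. Upload data to BloodHound UI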

Upload the ZIP archive to the BloodHound UI (drag and drop) and use built-in or custom Cypher queries to query the data. This is the regular BloodHound UI.

Some examples of Cypher queries are below:

• Find all users who have the Global Administrator role

MATCH p =(n)-[r:AZGlobalAdmin*1..]->(m) RETURN p

• Find all paths to an Azure VM

MATCH p = (n)-[r]->(g: AZVM) RETURN p

• Find all paths to an Azure KeyVault

MATCH p = (n)-[r]->(g:AZKeyVault) RETURN p

• Find all paths to an Azure Resource Group

MATCH p = (n)-[r]->(g:AZResourceGroup) RETURN p

• Find Owners of Entra ID Groups

MATCH p = (n)-[r:AZOwns]->(g:AZGroup) RETURN p
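
The VM, Key Vault and resource group queries above match a single relationship, so they return only direct neighbours, while the Global Administrator query uses `*1..` to follow chains of any length. The following is an added example, not code from the original page or from the BloodHound project: it reproduces both behaviours in Python over a small constructed graph so the difference in results is visible when reviewing who can reach a resource. The node names and edges are constructed, and AZMemberOf, AZContributor and AZContains are BloodHound edge types that this page does not show.

```python
from collections import deque

# Constructed sample graph (not real tenant data): node name -> label.
NODES = {
    "alice": "AZUser", "bob": "AZUser", "kv-admins": "AZGroup",
    "rg-prod": "AZResourceGroup", "kv-prod": "AZKeyVault",
}
# Constructed edges: (source, edge type, target).
EDGES = [
    ("alice", "AZOwns", "kv-admins"),
    ("bob", "AZMemberOf", "kv-admins"),
    ("kv-admins", "AZContributor", "kv-prod"),
    ("rg-prod", "AZContains", "kv-prod"),
]


def one_hop(label):
    """Like MATCH (n)-[r]->(g:<label>): sources of edges that end on the label."""
    return sorted({src for src, _, dst in EDGES if NODES[dst] == label})


def paths_to(label, max_depth=5):
    """Like MATCH p=(n)-[r*1..max_depth]->(g:<label>), restricted to simple paths."""
    incoming = {}
    for src, etype, dst in EDGES:
        incoming.setdefault(dst, []).append((src, etype))
    found = []
    # Walk backwards from every node carrying the target label.
    queue = deque([name] for name, lbl in NODES.items() if lbl == label)
    while queue:
        path = queue.popleft()          # [node, edge, node, ..., target]
        for src, etype in incoming.get(path[0], []):
            if src in path[::2]:        # node already on the path: skip cycles
                continue
            longer = [src, etype] + path
            found.append(longer)
            if len(longer) // 2 < max_depth:   # len // 2 == number of edges
                queue.append(longer)
    return found


def users_reaching(label, max_depth=5):
    """Users that start any path ending on a node with the given label."""
    starts = {p[0] for p in paths_to(label, max_depth)}
    return sorted(n for n in starts if NODES[n] == "AZUser")


if __name__ == "__main__":
    print("one hop :", one_hop("AZKeyVault"))
    print("users   :", users_reaching("AZKeyVault"))
    for p in paths_to("AZKeyVault"):
        print(" -> ".join(p))
```

On this sample the one-hop match returns only the group and the resource group, while the variable-length walk also surfaces the two users who reach the vault through the group.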
