AzureHound

Threat actors also run the tool after obtaining initial access to the victim environment... AzureHound supports multiple means of authentication, including: Username and password Refresh tokens JSON web tokens (JWT) Service principal secrets Service principal certificates... Threat actors will use whatever means of authentication is available.

“the infection chain begins when threat actors gain initial access… using stolen credentials or authentication tokens… refresh tokens, or JSON Web Tokens (JWTs), threat actors authenticate to the Azure environment.”

Let's authorize a Microsoft public client application using Python. In this example, we will complete an device authorization grant flow as the Azure CLI public client application.

Threat actors also run the tool after obtaining initial access to the victim environment... AzureHound supports multiple means of authentication, including: Username and password Refresh tokens JSON web tokens (JWT) Service principal secrets Service principal certificates... Threat actors will use whatever means of authentication is available.

“the infection chain begins when threat actors gain initial access… using stolen credentials or authentication tokens… refresh tokens, or JSON Web Tokens (JWTs), threat actors authenticate to the Azure environment.”

Threat actors also run the tool after obtaining initial access to the victim environment... AzureHound supports multiple means of authentication, including: Username and password Refresh tokens JSON web tokens (JWT) Service principal secrets Service principal certificates... Threat actors will use whatever means of authentication is available.

Threat actors also run the tool after obtaining initial access to the victim environment... AzureHound supports multiple means of authentication, including: Username and password Refresh tokens JSON web tokens (JWT) Service principal secrets Service principal certificates... Threat actors will use whatever means of authentication is available.

Infostealers such as Raccoon Stealer or Redline can extract cookies, credentials and session tokens from a user's browser. Researchers from Flare found that session tokens acquired from infostealers have exposed tokens from Azure.

AzureHound supports multiple means of authentication, including... Service principal certificates

"AD Explorer for Active Directory environment mapping"; "AzureHound and Roadtools for Azure AD reconnaissance"

The threat actor has also in some cases enumerated the compromised organization's Microsoft Entra ID configuration using the publicly available AzureHound tool to gain information about the users, roles, groups, applications, and devices belonging to that tenant.

Detect AzureHound Command-Line Arguments ... Local Groups ... Detect SharpHound Usage ... Local Groups ... Group Discovery Via Net ... Local Groups

Detect AzureHound Command-Line Arguments ... Domain Groups ... Detect SharpHound Usage ... Domain Groups ... Group Discovery Via Net ... Domain Groups

T1069.003: Permission Groups Discovery: Cloud Groups Once threat actors know the identities within the target environment, they need to understand the relationships between the identities by discovering permission structures... For Permissions Groups Discovery: Cloud Accounts, AzureHound has the following capabilities: list groups list roles list group-members list group-owners list role-assignments list app-role-assignments list key-vault-access-policies list management-group-role-assignments list resource-group-role-assignments list subscription-role-assignments list virtual-machine-role-assignments

Tokens are needed not only for manual enumeration via APIs but also for tools like AzureHound or GraphRunner, which require a valid refresh token.

Detect AzureHound Command-Line Arguments ... Local Account ... Detect SharpHound Usage ... Local Account ... Windows SOAPHound Binary Execution ... Local Account

Step 2 - Reconnaissance T1087.002, T1482, T1518.001, T1057, T1082 | Affiliate Domain enumeration via obfuscated ADRecon.ps1, nltest, net group, tasklist, sc query.

T1087.004: Account Discovery: Cloud To establish a foundational understanding of the target environment, a threat actor might first locate the identities operating within it... AzureHound parameters that facilitate the MITRE technique Account Discovery: Cloud Account include the following: list users list devices list device-owners list service-principals list service-principal-owners

Detect AzureHound Command-Line Arguments ... Domain Trust Discovery ... Detect SharpHound Usage ... Domain Trust Discovery ... Windows SOAPHound Binary Execution ... Domain Trust Discovery

T1526: Cloud Service Discovery Beyond storage and identities, an actor will seek to understand what platform services are in use... For Cloud Service Discovery, AzureHound has the following capabilities: list apps list web-apps list function-apps list logic-apps list automation-accounts list managed-clusters list vm-scale-sets list container-registries

T1580: Cloud Infrastructure Discovery To fully grasp the architecture of the target environment, a threat actor must discover the foundational infrastructure components... For Cloud Infrastructure Discovery, AzureHound has the following capabilities: list tenants list subscriptions list resource-groups list management-groups list virtual-machines list key-vaults

T1619: Cloud Storage Object Discovery A primary objective for many threat actors is data exfiltration, making it critical to identify where data is stored... AzureHound has two options for storage object discovery, covering both Azure storage accounts and containers: list storage-accounts list storage-containers