Merge branch 'master' into update_Breaking_MCP_Server_Hosting__Build-Context_Path_Tr_20251025_123530

Author: carlospolop

src/SUMMARY.md

@@ -284,9 +284,11 @@
       - [AWS - Lambda Steal Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md)
       - [AWS - Lambda VPC Egress Bypass](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-vpc-egress-bypass.md)
     - [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation/README.md)
+    - [AWS - MWAA Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-mwaa-post-exploitation/README.md)
     - [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation/README.md)
     - [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation/README.md)
     - [AWS - SageMaker Post-Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/README.md)
+      - [Feature Store Poisoning](pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md)
     - [AWS - S3 Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/README.md)
     - [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation/README.md)
     - [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation/README.md)
@@ -577,7 +579,4 @@
 
 - [HackTricks Pentesting Network$$external:https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/index.html$$]()
 - [HackTricks Pentesting Services$$external:https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ssh.html$$]()
-
-    - [Feature Store Poisoning](pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md)
-  - [Aws Sqs Dlq Redrive Exfiltration](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-dlq-redrive-exfiltration.md)
-    - [Readme](pentesting-cloud/aws-security/aws-post-exploitation/aws-mwaa-post-exploitation/README.md)
+    

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-dlq-redrive-exfiltration.md

@@ -302,17 +302,85 @@ roadrecon gui
 
 ### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
 
+AzureHound is the BloodHound collector for Microsoft Entra ID and Azure. It is a single static Go binary for Windows/Linux/macOS that talks directly to:
+- Microsoft Graph (Entra ID directory, M365) and
+- Azure Resource Manager (ARM) control plane (subscriptions, resource groups, compute, storage, key vault, app services, AKS, etc.)
+
+Key traits
+- Runs from anywhere on the public internet against tenant APIs (no internal network access required)
+- Outputs JSON for BloodHound CE ingestion to visualize attack paths across identities and cloud resources
+- Default User-Agent observed: azurehound/v2.x.x
+
+Authentication options
+- Username + password: -u <upn> -p <password>
+- Refresh token: --refresh-token <rt>
+- JSON Web Token (access token): --jwt <jwt>
+- Service principal secret: -a <appId> -s <secret>
+- Service principal certificate: -a <appId> --cert <cert.pem> --key <key.pem> [--keypass <pass>]
+
+Examples
 ```bash
-# Launch AzureHound
-## Login with app secret
-azurehound -a "<client-id>" -s "<secret>" --tenant "<tenant-id>" list -o ./output.json
-## Login with user creds
-azurehound -u "<user-email>" -p "<password>" --tenant "<tenant-id>" list -o ./output.json
+# Full tenant collection to file using different auth flows
+## User creds
+azurehound list -u "<user>@<tenant>" -p "<pass>" -t "<tenant-id|domain>" -o ./output.json
+
+## Use an access token (JWT) from az cli for Graph
+JWT=$(az account get-access-token --resource https://graph.microsoft.com -o tsv --query accessToken)
+azurehound list --jwt "$JWT" -t "<tenant-id>" -o ./output.json
+
+## Use a refresh token (e.g., from device code flow)
+azurehound list --refresh-token "<refresh_token>" -t "<tenant-id>" -o ./output.json
+
+## Service principal secret
+azurehound list -a "<client-id>" -s "<secret>" -t "<tenant-id>" -o ./output.json
+
+## Service principal certificate
+azurehound list -a "<client-id>" --cert "/path/cert.pem" --key "/path/key.pem" -t "<tenant-id>" -o ./output.json
+
+# Targeted discovery
+azurehound list users -t "<tenant-id>" -o users.json
+azurehound list groups -t "<tenant-id>" -o groups.json
+azurehound list roles -t "<tenant-id>" -o roles.json
+azurehound list role-assignments -t "<tenant-id>" -o role-assignments.json
+
+# Azure resources via ARM
+azurehound list subscriptions -t "<tenant-id>" -o subs.json
+azurehound list resource-groups -t "<tenant-id>" -o rgs.json
+azurehound list virtual-machines -t "<tenant-id>" -o vms.json
+azurehound list key-vaults -t "<tenant-id>" -o kv.json
+azurehound list storage-accounts -t "<tenant-id>" -o sa.json
+azurehound list storage-containers -t "<tenant-id>" -o containers.json
+azurehound list web-apps -t "<tenant-id>" -o webapps.json
+azurehound list function-apps -t "<tenant-id>" -o funcapps.json
 ```
 
-Launch the **BloodHound** web with **`curl -L https://ghst.ly/getbhce | docker compose -f - up`** and import the `output.json` file.
+What gets queried
+- Graph endpoints (examples):
+  - /v1.0/organization, /v1.0/users, /v1.0/groups, /v1.0/roleManagement/directory/roleDefinitions, directoryRoles, owners/members
+- ARM endpoints (examples):
+  - management.azure.com/subscriptions/.../providers/Microsoft.Storage/storageAccounts
+  - .../Microsoft.KeyVault/vaults, .../Microsoft.Compute/virtualMachines, .../Microsoft.Web/sites, .../Microsoft.ContainerService/managedClusters
 
-Then, in the **EXPLORE** tab, in the **CYPHER** section you can see a **folder** icon that contains pre-built queries.
+Preflight behavior and endpoints
+- Each azurehound list <object> typically performs these test calls before enumeration:
+  1) Identity platform: login.microsoftonline.com
+  2) Graph: GET https://graph.microsoft.com/v1.0/organization
+  3) ARM: GET https://management.azure.com/subscriptions?api-version=...
+- Cloud environment base URLs differ for Government/China/Germany. See constants/environments.go in the repo.
+
+ARM-heavy objects (less visible in Activity/Resource logs)
+- The following list targets predominantly use ARM control plane reads: automation-accounts, container-registries, function-apps, key-vaults, logic-apps, managed-clusters, management-groups, resource-groups, storage-accounts, storage-containers, virtual-machines, vm-scale-sets, web-apps.
+- These GET/list operations are typically not written to Activity Logs; data-plane reads (e.g., *.blob.core.windows.net, *.vault.azure.net) are covered by Diagnostic Settings at the resource level.
+
+OPSEC and logging notes
+- Microsoft Graph Activity Logs are not enabled by default; enable and export to SIEM to gain visibility of Graph calls. Expect the Graph preflight GET /v1.0/organization with UA azurehound/v2.x.x.
+- Entra ID non-interactive sign-in logs record the identity platform auth (login.microsoftonline.com) used by AzureHound.
+- ARM control-plane read/list operations are not recorded in Activity Logs; many azurehound list operations against resources won’t appear there. Only data-plane logging (via Diagnostic Settings) will capture reads to service endpoints.
+- Defender XDR GraphApiAuditEvents (preview) can expose Graph calls and token identifiers but may lack UserAgent and have limited retention.
+
+Tip: When enumerating for privilege paths, dump users, groups, roles, and role assignments, then ingest in BloodHound and use prebuilt cypher queries to surface Global Administrator/Privileged Role Administrator and transitive escalation via nested groups and RBAC assignments.
+
+Launch the BloodHound web with `curl -L https://ghst.ly/getbhce | docker compose -f - up` and import the `output.json` file. Then, in the EXPLORE tab, in the CYPHER section you can see a folder icon that contains pre-built queries.
 
 ### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
 
@@ -429,5 +497,14 @@ python stormspotter\stormcollector\sscollector.pyz cli
 # This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
 ```
 
+## References
+- [Cloud Discovery With AzureHound (Unit 42)](https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/)
+- [AzureHound repository](https://github.com/SpecterOps/AzureHound)
+- [BloodHound repository](https://github.com/SpecterOps/BloodHound)
+- [AzureHound Community Edition Flags](https://bloodhound.specterops.io/collect-data/ce-collection/azurehound-flags)
+- [AzureHound constants/environments.go](https://github.com/SpecterOps/AzureHound/blob/main/constants/environments.go)
+- [AzureHound client/storage_accounts.go](https://github.com/SpecterOps/AzureHound/blob/main/client/storage_accounts.go)
+- [AzureHound client/roles.go](https://github.com/SpecterOps/AzureHound/blob/main/client/roles.go)
+
 {{#include ../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-enumeration-tools.md

@@ -48,6 +48,15 @@ In summary, a Log Analytics workspace is essential for advanced monitoring, trou
 
 You can configure a resource to send data to an analytics workspace from the **diagnostic settings** of the resource.
 
+## Graph vs ARM logging visibility (useful for OPSEC/hunting)
+
+- Microsoft Graph Activity Logs are not enabled by default. Enable and export them (Event Hubs/Log Analytics/SIEM) to see Graph read calls. Tools like AzureHound perform a preflight GET to /v1.0/organization that will appear here; default UA observed: azurehound/v2.x.x.
+- Entra ID non-interactive sign-in logs record the identity platform authentication (login.microsoftonline.<tld>) used by scripts/tools.
+- ARM control-plane read/list (HTTP GET) operations are generally not written to Activity Logs. Visibility of read operations comes from resource Diagnostic Settings for data-plane endpoints only (e.g., *.blob.core.windows.net, *.vault.azure.net) and not from ARM control-plane calls to management.azure.<tld>.
+- Microsoft Defender XDR Advanced Hunting GraphApiAuditEvents (preview) can expose Graph calls and token identifiers but may omit UserAgent and has limited default retention.
+
+When hunting for AzureHound, correlate Entra sign-in logs with Graph Activity Logs on session ID, IP, user/object IDs, and look for bursts of Graph requests plus ARM management calls that lack Activity Log coverage.
+
 ## Enumeration
 
 ### Entra ID
@@ -105,5 +114,8 @@ az monitor metrics alert list --output table
 az monitor activity-log alert list --output table
 ```
 
+## References
+- [Cloud Discovery With AzureHound (Unit 42)](https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/)
+
 {{#include ../../../banners/hacktricks-training.md}}