Merge pull request #227 from HackTricks-wiki/update_Cloud_Discovery_With_AzureHound_20251025_011739

Cloud Discovery With AzureHound

Author: carlospolop

src/SUMMARY.md

@@ -283,9 +283,11 @@
       - [AWS - Lambda Steal Requests](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-warm-lambda-persistence.md)
       - [AWS - Lambda VPC Egress Bypass](pentesting-cloud/aws-security/aws-post-exploitation/aws-lambda-post-exploitation/aws-lambda-vpc-egress-bypass.md)
     - [AWS - Lightsail Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-lightsail-post-exploitation/README.md)
+    - [AWS - MWAA Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-mwaa-post-exploitation/README.md)
     - [AWS - Organizations Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-organizations-post-exploitation/README.md)
     - [AWS - RDS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-rds-post-exploitation/README.md)
     - [AWS - SageMaker Post-Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/README.md)
+      - [Feature Store Poisoning](pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md)
     - [AWS - S3 Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-s3-post-exploitation/README.md)
     - [AWS - Secrets Manager Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-secrets-manager-post-exploitation/README.md)
     - [AWS - SES Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ses-post-exploitation/README.md)
@@ -296,6 +298,7 @@
     - [AWS - SQS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation/README.md)
       - [AWS – SQS DLQ Redrive Exfiltration via StartMessageMoveTask](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation/aws-sqs-dlq-redrive-exfiltration.md)
       - [AWS – SQS Cross-/Same-Account Injection via SNS Subscription + Queue Policy](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation/aws-sqs-sns-injection.md)
+      - [Aws SQS Dlq Redrive Exfiltration](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-post-exploitation/aws-sqs-dlq-redrive-exfiltration.md)
     - [AWS - SSO & identitystore Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sso-and-identitystore-post-exploitation/README.md)
     - [AWS - Step Functions Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-stepfunctions-post-exploitation/README.md)
     - [AWS - STS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation/README.md)
@@ -577,5 +580,4 @@
 - [HackTricks Pentesting Network$$external:https://book.hacktricks.wiki/en/generic-methodologies-and-resources/pentesting-network/index.html$$]()
 - [HackTricks Pentesting Services$$external:https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-ssh.html$$]()
 
-    - [Feature Store Poisoning](pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md)
-  - [Aws Sqs Dlq Redrive Exfiltration](pentesting-cloud/aws-security/aws-post-exploitation/aws-sqs-dlq-redrive-exfiltration.md)
+    

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-bedrock-post-exploitation/README.md

@@ -1,6 +1,6 @@
 # AWS - Bedrock Post Exploitation
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}
 
 
 ## AWS - Bedrock Agents Memory Poisoning (Indirect Prompt Injection)
@@ -90,4 +90,4 @@ Notes:
 - [Track agent’s step-by-step reasoning process using trace – Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/trace-events.html)
 - [Amazon Bedrock Guardrails](https://aws.amazon.com/bedrock/guardrails/)
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-mwaa-post-exploitation/README.md

@@ -1,5 +1,7 @@
 # AWS MWAA Execution Role Account Wildcard Vulnerability
 
+{{#include ../../../../banners/hacktricks-training.md}}
+
 ## The Vulnerability
 
 MWAA's execution role (the IAM role that Airflow workers use to access AWS resources) requires this mandatory policy to function:
@@ -44,3 +46,4 @@ All attacks bypass network controls since they use AWS APIs, not direct internet
 This is an architectural flaw in MWAA with no IAM-based mitigation. Every MWAA deployment following AWS documentation has this vulnerability.
 
 **Network Control Bypass:** These attacks work even in private VPCs with no internet access. The SQS API calls use AWS's internal network and VPC endpoints, completely bypassing traditional network security controls, firewalls, and egress monitoring. Organizations cannot detect or block this data exfiltration path through network-level controls.
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sagemaker-post-exploitation/feature-store-poisoning.md

@@ -158,3 +158,4 @@ echo "Feature Group ready: $FG"
 ## References
 - [AWS SageMaker Feature Store Documentation](https://docs.aws.amazon.com/sagemaker/latest/dg/feature-store.html)
 - [Feature Store Security Best Practices](https://docs.aws.amazon.com/sagemaker/latest/dg/feature-store-security.html)
+{{#include ../../../../banners/hacktricks-training.md}}

src/pentesting-cloud/azure-security/az-enumeration-tools.md

@@ -302,17 +302,85 @@ roadrecon gui
 
 ### [**AzureHound**](https://github.com/BloodHoundAD/AzureHound)
 
+AzureHound is the BloodHound collector for Microsoft Entra ID and Azure. It is a single static Go binary for Windows/Linux/macOS that talks directly to:
+- Microsoft Graph (Entra ID directory, M365) and
+- Azure Resource Manager (ARM) control plane (subscriptions, resource groups, compute, storage, key vault, app services, AKS, etc.)
+
+Key traits
+- Runs from anywhere on the public internet against tenant APIs (no internal network access required)
+- Outputs JSON for BloodHound CE ingestion to visualize attack paths across identities and cloud resources
+- Default User-Agent observed: azurehound/v2.x.x
+
+Authentication options
+- Username + password: -u <upn> -p <password>
+- Refresh token: --refresh-token <rt>
+- JSON Web Token (access token): --jwt <jwt>
+- Service principal secret: -a <appId> -s <secret>
+- Service principal certificate: -a <appId> --cert <cert.pem> --key <key.pem> [--keypass <pass>]
+
+Examples
 ```bash
-# Launch AzureHound
-## Login with app secret
-azurehound -a "<client-id>" -s "<secret>" --tenant "<tenant-id>" list -o ./output.json
-## Login with user creds
-azurehound -u "<user-email>" -p "<password>" --tenant "<tenant-id>" list -o ./output.json
+# Full tenant collection to file using different auth flows
+## User creds
+azurehound list -u "<user>@<tenant>" -p "<pass>" -t "<tenant-id|domain>" -o ./output.json
+
+## Use an access token (JWT) from az cli for Graph
+JWT=$(az account get-access-token --resource https://graph.microsoft.com -o tsv --query accessToken)
+azurehound list --jwt "$JWT" -t "<tenant-id>" -o ./output.json
+
+## Use a refresh token (e.g., from device code flow)
+azurehound list --refresh-token "<refresh_token>" -t "<tenant-id>" -o ./output.json
+
+## Service principal secret
+azurehound list -a "<client-id>" -s "<secret>" -t "<tenant-id>" -o ./output.json
+
+## Service principal certificate
+azurehound list -a "<client-id>" --cert "/path/cert.pem" --key "/path/key.pem" -t "<tenant-id>" -o ./output.json
+
+# Targeted discovery
+azurehound list users -t "<tenant-id>" -o users.json
+azurehound list groups -t "<tenant-id>" -o groups.json
+azurehound list roles -t "<tenant-id>" -o roles.json
+azurehound list role-assignments -t "<tenant-id>" -o role-assignments.json
+
+# Azure resources via ARM
+azurehound list subscriptions -t "<tenant-id>" -o subs.json
+azurehound list resource-groups -t "<tenant-id>" -o rgs.json
+azurehound list virtual-machines -t "<tenant-id>" -o vms.json
+azurehound list key-vaults -t "<tenant-id>" -o kv.json
+azurehound list storage-accounts -t "<tenant-id>" -o sa.json
+azurehound list storage-containers -t "<tenant-id>" -o containers.json
+azurehound list web-apps -t "<tenant-id>" -o webapps.json
+azurehound list function-apps -t "<tenant-id>" -o funcapps.json
 ```
 
-Launch the **BloodHound** web with **`curl -L https://ghst.ly/getbhce | docker compose -f - up`** and import the `output.json` file.
+What gets queried
+- Graph endpoints (examples):
+  - /v1.0/organization, /v1.0/users, /v1.0/groups, /v1.0/roleManagement/directory/roleDefinitions, directoryRoles, owners/members
+- ARM endpoints (examples):
+  - management.azure.com/subscriptions/.../providers/Microsoft.Storage/storageAccounts
+  - .../Microsoft.KeyVault/vaults, .../Microsoft.Compute/virtualMachines, .../Microsoft.Web/sites, .../Microsoft.ContainerService/managedClusters
 
-Then, in the **EXPLORE** tab, in the **CYPHER** section you can see a **folder** icon that contains pre-built queries.
+Preflight behavior and endpoints
+- Each azurehound list <object> typically performs these test calls before enumeration:
+  1) Identity platform: login.microsoftonline.com
+  2) Graph: GET https://graph.microsoft.com/v1.0/organization
+  3) ARM: GET https://management.azure.com/subscriptions?api-version=...
+- Cloud environment base URLs differ for Government/China/Germany. See constants/environments.go in the repo.
+
+ARM-heavy objects (less visible in Activity/Resource logs)
+- The following list targets predominantly use ARM control plane reads: automation-accounts, container-registries, function-apps, key-vaults, logic-apps, managed-clusters, management-groups, resource-groups, storage-accounts, storage-containers, virtual-machines, vm-scale-sets, web-apps.
+- These GET/list operations are typically not written to Activity Logs; data-plane reads (e.g., *.blob.core.windows.net, *.vault.azure.net) are covered by Diagnostic Settings at the resource level.
+
+OPSEC and logging notes
+- Microsoft Graph Activity Logs are not enabled by default; enable and export to SIEM to gain visibility of Graph calls. Expect the Graph preflight GET /v1.0/organization with UA azurehound/v2.x.x.
+- Entra ID non-interactive sign-in logs record the identity platform auth (login.microsoftonline.com) used by AzureHound.
+- ARM control-plane read/list operations are not recorded in Activity Logs; many azurehound list operations against resources won’t appear there. Only data-plane logging (via Diagnostic Settings) will capture reads to service endpoints.
+- Defender XDR GraphApiAuditEvents (preview) can expose Graph calls and token identifiers but may lack UserAgent and have limited retention.
+
+Tip: When enumerating for privilege paths, dump users, groups, roles, and role assignments, then ingest in BloodHound and use prebuilt cypher queries to surface Global Administrator/Privileged Role Administrator and transitive escalation via nested groups and RBAC assignments.
+
+Launch the BloodHound web with `curl -L https://ghst.ly/getbhce | docker compose -f - up` and import the `output.json` file. Then, in the EXPLORE tab, in the CYPHER section you can see a folder icon that contains pre-built queries.
 
 ### [**MicroBurst**](https://github.com/NetSPI/MicroBurst)
 
@@ -429,5 +497,14 @@ python stormspotter\stormcollector\sscollector.pyz cli
 # This will generate a .zip file to upload in the frontend (127.0.0.1:9091)
 ```
 
+## References
+- [Cloud Discovery With AzureHound (Unit 42)](https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/)
+- [AzureHound repository](https://github.com/SpecterOps/AzureHound)
+- [BloodHound repository](https://github.com/SpecterOps/BloodHound)
+- [AzureHound Community Edition Flags](https://bloodhound.specterops.io/collect-data/ce-collection/azurehound-flags)
+- [AzureHound constants/environments.go](https://github.com/SpecterOps/AzureHound/blob/main/constants/environments.go)
+- [AzureHound client/storage_accounts.go](https://github.com/SpecterOps/AzureHound/blob/main/client/storage_accounts.go)
+- [AzureHound client/roles.go](https://github.com/SpecterOps/AzureHound/blob/main/client/roles.go)
+
 {{#include ../../banners/hacktricks-training.md}}
 

src/pentesting-cloud/azure-security/az-services/az-monitoring.md

@@ -48,6 +48,15 @@ In summary, a Log Analytics workspace is essential for advanced monitoring, trou
 
 You can configure a resource to send data to an analytics workspace from the **diagnostic settings** of the resource.
 
+## Graph vs ARM logging visibility (useful for OPSEC/hunting)
+
+- Microsoft Graph Activity Logs are not enabled by default. Enable and export them (Event Hubs/Log Analytics/SIEM) to see Graph read calls. Tools like AzureHound perform a preflight GET to /v1.0/organization that will appear here; default UA observed: azurehound/v2.x.x.
+- Entra ID non-interactive sign-in logs record the identity platform authentication (login.microsoftonline.<tld>) used by scripts/tools.
+- ARM control-plane read/list (HTTP GET) operations are generally not written to Activity Logs. Visibility of read operations comes from resource Diagnostic Settings for data-plane endpoints only (e.g., *.blob.core.windows.net, *.vault.azure.net) and not from ARM control-plane calls to management.azure.<tld>.
+- Microsoft Defender XDR Advanced Hunting GraphApiAuditEvents (preview) can expose Graph calls and token identifiers but may omit UserAgent and has limited default retention.
+
+When hunting for AzureHound, correlate Entra sign-in logs with Graph Activity Logs on session ID, IP, user/object IDs, and look for bursts of Graph requests plus ARM management calls that lack Activity Log coverage.
+
 ## Enumeration
 
 ### Entra ID
@@ -105,5 +114,8 @@ az monitor metrics alert list --output table
 az monitor activity-log alert list --output table
 ```
 
+## References
+- [Cloud Discovery With AzureHound (Unit 42)](https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/)
+
 {{#include ../../../banners/hacktricks-training.md}}