Azure

Table of contents

1. Before to start
2. Recon
3. Without an account
4. Privilege escalation
5. Useful links

---

Before to start

Install AADInternals as it provides useful cmdlets to interact with Azure.

Import-Module AADInternals

Recon

First, check if the Azure domain exists.

wget https://login.microsoftonline.com/$DomainName/.well-known/openid-configuration

# This one does not validate the username exists, only the domain.
wget https://login.microsoftonline.com/getuserrealm.srf?login=$Username@$DomainName

# Using AADInternals.
Get-AADIntTenantID -Domain $DomainName

Without an account

• Password Spraying
• Subdomains Enumeration
• Synchronization Credentials Extraction
• User Spraying

Privilege escalation

Once you are authenticated on an Azure tenant, start by enumerating it before going through following attacks.

• Applications Rights Abuse

Useful links

• MSPortals.io to get the list of Microsoft administrator sites, training, and licensing resources.