@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What the post covers
Unit 42 (published Oct 24, 2025) dissects AzureHound, a Go-based data collector in the BloodHound suite that enumerates Microsoft Entra ID and Azure via Microsoft Graph and Azure REST (ARM) APIs. The article explains how the tool works, how threat actors misuse it post-compromise, what API calls and user agents it generates, where it does and does not log, and how to hunt and mitigate its use.

Tool background and operating model
• Language/OS: ...

🔧 Technical Details

Cloud-wide enumeration via public APIs
Authenticate with any available credential artifact (passwords, refresh/JWT tokens, service principal secrets/certs) and run azurehound list <object> remotely against Graph/ARM to collect users, groups, roles, assignments, subscriptions, RGs, VMs, Key Vaults, storage accounts/containers, and PaaS services. Ingest JSON into BloodHound to compute identity/resource attack paths.

Privilege mapping through roles and groups
Use list groups, list roles, list group-members, and *-role-assignments to surface direct and inherited high-privilege identities (e.g., Global Administrator) and identify escalation chains (nested groups, mis-scoped assignments).

Data targeting and exfil preparation
Enumerate list storage-accounts/list storage-containers to find blob endpoints (https://<acct>.blob.core.windows.n...

🤖 Agent Actions

I explored the HackTricks repository and found the best place to incorporate the AzureHound enumeration, behavior, and OPSEC/logging details is:

  • src/pentesting-cloud/azure-security/az-enumeration-tools.md (Automated Post-Exploitation tools → AzureHound)
  • src/pentesting-cloud/azure-security/az-services/az-monitoring.md (to capture Graph vs ARM logging visibility/OPSEC aspects generally relevant across Azure)

What I updated

  1. Expanded AzureHound usage and OPSEC in az-enumeration-tools.md
  • Added an overview of AzureHound’s operating model (Graph + ARM APIs, remote execution).
  • Documented all supported authentication methods with flags:
    • Username/password: -u/-p
    • Refresh token: --refresh-token
    • JWT: --jwt
    • Service principal secret: -a/-s
    • Service principal certificate: --cert/--key/--keypass
  • Added concrete examples for full and targeted collection (users, groups, roles, role-assignments, subscriptions, resource-groups, VMs, key vaults, storage accounts/containers, web-apps, function-apps).
  • Described preflight behavior (identity + Graph /v1.0/organization + ARM checks), noted default User-Agent azurehound/v2.x.x, and pointed to cloud environment endpoints.
  • Listed ARM-heavy list objects that are less visible in Activity/Resource logs: automation-accounts, container-registries, function-apps, key-vaults, logic-apps, managed-clusters, management-groups, resource-groups, storage-accounts, storage-containers, virtual-machines, vm-scale-sets, web-apps.
  • Added OPSEC/logging notes:
    • Graph Activity Logs need to be enabled and exported
    • Entra non-interactive sign-in logs
    • ARM control-plane GET/list evasion of Activity Logs
    • Defender XDR GraphApiAuditEvents limitations
  • Kept BloodHound ingestion guidance.
  • Added a References section with links to the Unit 42 post and AzureHound/BloodHound sources.

Changes committed:

  • src/pentesting-cloud/azure-security/az-enumeration-tools.md
    • Enhanced the AzureHound section with technical details and OPSEC.
    • Added “## References” at the end of the file.
  2. Added Graph vs ARM logging visibility guidance in az-monitoring.md
  • Inserted a “Graph vs ARM logging visibility (useful for OPSEC/hunting)” section:
    • Graph Activity Logs are off by default; enable/export to see Graph calls (e.g., AzureHound preflight /v1.0/organization with UA azurehound/v2.x.x).
    • Entra non-interactive sign-in logs record auth.
    • ARM control-plane read/list operations generally not in Activity Logs; data-plane reads require Diagnostic Settings.
    • Defender XDR GraphApiAuditEvents limitations (preview).
  • Added a brief hunting correlation tip.
  • Added a References section (Unit 42 post).

Changes committed:

  • src/pentesting-cloud/azure-security/az-services/az-monitoring.md

Why this is necessary

  • Prior AzureHound coverage was minimal and didn’t include crucial aspects like auth modes, preflight behavior, exact endpoints, UA, logging blind spots (Graph vs ARM), or the list of ARM-heavy enumerations that frequently evade Activity/Resource logs.
  • These details directly enhance the offensive tradecraft (cloud-wide enumeration, privilege mapping, resource discovery) and OPSEC/detection components tied to AzureHound usage, aligning with the blog’s technical content.

References added

No new files were needed; content was integrated into the most relevant existing pages as requested.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 563
  • MD files fixed: 3

All .md files have been checked for proper formatting (headers, includes, etc.).
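The OPSEC/logging notes and the hunting correlation tip described in the PR can be exercised against log data. The following is an added example, not code from the PR or from HackTricks: it flags Microsoft Graph requests that carry the default `azurehound/` User-Agent or hit the `/v1.0/organization` preflight endpoint, and correlates each hit with an Entra non-interactive sign-in from the same user and IP. Record shapes are modelled on the Log Analytics tables `MicrosoftGraphActivityLogs` and `AADNonInteractiveUserSignInLogs`; the field names, the five-minute window and all sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

UA_MARKER = "azurehound/"              # default UA is azurehound/v2.x.x
PREFLIGHT_PATH = "/v1.0/organization"  # first Graph call in the preflight

# Constructed sample records (not real telemetry); field names are assumed
# to follow the Log Analytics Graph activity / non-interactive sign-in tables.
GRAPH_LOGS = [
    {"TimeGenerated": "2025-10-25T01:17:40", "UserId": "u-1", "IPAddress": "203.0.113.5",
     "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com/v1.0/organization",
     "UserAgent": "azurehound/v2.4.0", "ResponseStatusCode": 200},
    {"TimeGenerated": "2025-10-25T01:17:41", "UserId": "u-1", "IPAddress": "203.0.113.5",
     "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com/v1.0/users",
     "UserAgent": "azurehound/v2.4.0", "ResponseStatusCode": 200},
    {"TimeGenerated": "2025-10-25T03:00:00", "UserId": "u-2", "IPAddress": "198.51.100.9",
     "RequestMethod": "GET", "RequestUri": "https://graph.microsoft.com/v1.0/me",
     "UserAgent": "Mozilla/5.0", "ResponseStatusCode": 200},
]
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-10-25T01:17:38", "UserId": "u-1", "IPAddress": "203.0.113.5",
     "AppDisplayName": "Microsoft Graph", "ResultType": 0},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def hunt_azurehound(graph_logs, signin_logs, window_minutes=5):
    """Return one finding per suspicious Graph request, noting whether a
    non-interactive sign-in from the same user/IP preceded it in the window."""
    signins = defaultdict(list)
    for s in signin_logs:
        signins[(s["UserId"], s["IPAddress"])].append(parse_ts(s["TimeGenerated"]))
    window = timedelta(minutes=window_minutes)
    findings = []
    for g in graph_logs:
        path = g["RequestUri"].split("graph.microsoft.com", 1)[-1]
        reasons = []
        if g.get("UserAgent", "").lower().startswith(UA_MARKER):
            reasons.append("user-agent")      # tool did not mask its UA
        if path.startswith(PREFLIGHT_PATH):
            reasons.append("preflight")       # catches a masked UA too
        if not reasons:
            continue
        ts = parse_ts(g["TimeGenerated"])
        linked = [t for t in signins[(g["UserId"], g["IPAddress"])]
                  if timedelta(0) <= ts - t <= window]
        findings.append({"UserId": g["UserId"], "IPAddress": g["IPAddress"],
                         "Path": path, "Reasons": reasons, "SignInSeen": bool(linked)})
    return findings
```

The Graph rows only exist if Graph Activity Logs are enabled and exported, as the notes above state; the sign-in correlation is what remains when they are not.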

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Cloud > Azure / Microsoft Entra ID > Azure Enumeration & Post-Exploitation (AzureHound/BloodHound)".

Repository Maintenance:

  • MD Files Formatting: 563 files processed (3 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop merged commit fbc88db into master Oct 25, 2025
@carlospolop carlospolop deleted the update_Cloud_Discovery_With_AzureHound_20251025_011739 branch October 25, 2025 15:35