Collection of Azure Tools to Pull down for Attacking an Environment + quick tips and other useful information

Collection of Azure tools to pull down for attacking an environment from a Windows machine or Cloudshell.


Install Git for Windows if you want to automatically pull down the latest versions of everything via PowerShell.


To pull down all the modules you can run the following to pull the submodules:

git clone --recurse-submodules

Note there is a zipped version of all the submodules if you need it quickly called


Setup.ps1 contains the following lines to install the modules required to access Azure and the various associated modules. You may need to run powershell -ep bypass if scripts are disabled.

# Install the Azure / Azure AD modules for the current user only
Install-Module Az -Force -Confirm:$false -AllowClobber -Scope CurrentUser
Install-Module AzureAD -Force -Confirm:$false -AllowClobber -Scope CurrentUser
Install-Module Microsoft.Graph -Force -Confirm:$false -AllowClobber -Scope CurrentUser
Install-Module MSOnline -Force -Confirm:$false -AllowClobber -Scope CurrentUser
Install-Module AzureADPreview -Force -Confirm:$false -AllowClobber -Scope CurrentUser
Install-Module AADInternals -Force -Confirm:$false -AllowClobber -Scope CurrentUser

# Load the installed modules and the tools pulled down as submodules
Import-Module Az
Import-Module AzureAD
Import-Module AADInternals
Import-Module .\MicroBurst-master\MicroBurst.psm1
Import-Module .\AzureRT-master\AzureRT.ps1
Import-Module .\PowerZure\PowerZure.psm1

Once the modules are installed you will need to connect an Azure account using the following three commands (if you're on Cloudshell use Connect-AzAccount -UseDeviceAuthentication):

  • . .\Setup.ps1

  • Connect-ADandAZ

If the above fails run the following:


Included Tools

  • PowerZure + Cloudshell
  • AzureHound
  • AzureRT
  • MicroBurst
  • AADInternals

Quick Wins

Pull all the subscriptions you have access to, then iterate through them. Change Get-ARTAccess (which uses AzureRT) to whatever tool you want to run across each subscription.

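# Collect the Id of every enabled subscription visible to the current account
$enabledSubs = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" } | select Id
foreach ($SubName in $enabledSubs) {
    $IDOut = $SubName.Id
    # Write one output file per subscription, named after its Id
    Get-ARTAccess -SubscriptionID $IDOut | Out-File "$IDOut.txt"
}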

Use PowerZure to pull runbook content for each sub:

$enabledSubs = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" } | select Id
foreach ($SubName in $enabledSubs) {
    $IDOut = $SubName.Id
    # Switch the Az context to this subscription before pulling runbooks
    Set-AzContext -Subscription "$IDOut"
    Get-AzureRunbookContent -All
}

Refer to the Commands file for additional quick wins. The tool notes also have some useful tips on tools to check out in addition to those linked in this repo.

Regexes for Searching Through Files

description = "Azure Service Principal Client Secret"
regex = '''(?i)(secret|key|password)\s*:?=?\s*['\"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]'''
description = "Azure DevOps Personal Access Token"
regex = '''(?i)(pat|token)\s*:?=?\s*['\"]([a-z0-9]{52})['\"]'''
description = "Azure Account Key"
regex = '''(?i)(secret|key)\s*:?=?\s*['\"]([a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{88})['\"]'''
tags = ["Azure Storage Account", "Azure Cosmos DB"]
description = "Azure Storage Connection String"
regex = '''DefaultEndpointsProtocol=https;AccountName=[a-z0-9]{3,24};AccountKey=[a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{88};EndpointSuffix=.+'''
description = "Azure Cosmos DB Connection String"
regex = '''AccountEndpoint=https:\/\/.+:443\/;AccountKey=[a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{88};'''
description = "Generic Secret"
regex = '''(?i)secret\s*:?=?\s*['\"][0-9a-zA-Z-_/]{8,40}['\"]'''
# rules from trufflehog
description = "Amazon MWS Auth Token"
regex = '''amzn\.mws\.[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'''
description = "AWS AppSync GraphQL Key"
regex = '''da2-[a-z0-9]{26}'''
description = "Google OAuth"
regex = '''[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com'''
tags = ["Cloud Platform", "Drive", "Gmail", "YouTube"]
description = "Google API Key"
regex = '''AIza[0-9A-Za-z\-_]{35}'''
tags = ["Cloud Platform", "Drive", "Gmail", "YouTube"]
description = "Google OAuth Access Token"
regex = '''ya29\.[0-9A-Za-z\-_]+'''
description = "MailChimp API Key"
regex = '''[0-9a-f]{32}-us[0-9]{1,2}'''
description = "Mailgun API Key"
regex = '''key-[0-9a-zA-Z]{32}'''
description = "Square Access Token"
regex = '''sq0atp-[0-9A-Za-z\-_]{22}'''
description = "Square OAuth Secret"
regex = '''sq0csp-[0-9A-Za-z\-_]{43}'''
description = "Telegram Bot API Key"
regex = '''[0-9]+:AA[0-9A-Za-z\-_]{33}'''
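The Azure rules above can be run over your own configuration files and repositories to catch hard-coded credentials before they are committed. The following Python scanner is an added example, not code from this repo: it applies a subset of the listed Azure regexes line by line and records only a fingerprint and length for each hit, so the report itself never contains the secret. The function name, report fields and sample input are assumptions made for the example; every sample value is constructed and fake.

```python
import hashlib
import re

# Character set and length the page's rules use for 88-character account keys.
KEY_CHARS = r'''[a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]{88}'''

# Subset of the Azure rules listed above (description -> regex).
RULES = {
    "Azure Service Principal Client Secret":
        r'''(?i)(secret|key|password)\s*:?=?\s*['\"][0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}['\"]''',
    "Azure DevOps Personal Access Token":
        r'''(?i)(pat|token)\s*:?=?\s*['\"]([a-z0-9]{52})['\"]''',
    "Azure Account Key":
        r'''(?i)(secret|key)\s*:?=?\s*['\"](''' + KEY_CHARS + r''')['\"]''',
    "Azure Storage Connection String":
        r'''DefaultEndpointsProtocol=https;AccountName=[a-z0-9]{3,24};AccountKey='''
        + KEY_CHARS + r''';EndpointSuffix=.+''',
}
COMPILED = [(name, re.compile(rx)) for name, rx in RULES.items()]


def scan_text(text, source="<memory>"):
    """Return one finding per rule match; the matched value is never stored."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in COMPILED:
            for m in rx.finditer(line):
                findings.append({
                    "source": source, "line": lineno, "rule": name,
                    # Fingerprint allows dedupe and tracking without the value.
                    "fingerprint": hashlib.sha256(m.group(0).encode()).hexdigest()[:16],
                    "length": len(m.group(0)),
                })
    return findings


# Constructed sample input: all values are fake placeholders.
FAKE_KEY = "A" * 86 + "=="
SAMPLE = "\n".join([
    'client_secret = "00000000-1111-2222-3333-444444444444"',
    'tenant = "contoso"',
    'ado_pat: "' + "a" * 52 + '"',
    "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey="
    + FAKE_KEY + ";EndpointSuffix=core.windows.net",
    'storage_key = "' + FAKE_KEY + '"',
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.config"):
        print(f"{f['source']}:{f['line']}  {f['rule']}  sha256:{f['fingerprint']}")
```
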


Template for connecting with clientID and information

$tenantid = "<INSERT TENANT ID>"
$subscription = "<INSERT SUBSCRIPTION>"
$clientid = "<INSERT CLIENT ID>"
$clientsecret = "<INSERT CLIENT SECRET>"
# Build a PSCredential from the service principal's client ID and secret
$mycred = New-Object System.Management.Automation.PSCredential($clientid,(ConvertTo-SecureString $clientsecret -AsPlainText -Force))
Connect-AzAccount -Credential $mycred -Tenant $tenantid -ServicePrincipal -Subscription $subscription
# Use the line below if you also need to authenticate the Azure CLI (az)
az login --service-principal -u $clientid -p $clientsecret --tenant $tenantid


  • Work in progress, but I have started work on a Snaffler-like tool for crawling storage accounts and using Storage Explorer to see what can be found.
  • Extract the various PowerShell scripts used for pulling info via AzureRT, PowerZure & MicroBurst and build a tool for quick wins, similar to AutoPwn


