A curated list of awesome Microsoft Azure Security tools, guides, blogs, and other resources.
Contributions welcome! Read the contribution guidelines first.
- Security Assessment Tools
- Infrastructure as Code Scanning Tools
- Threat Detection and Response
- Offensive blog posts
- Defensive blog posts
## Security Assessment Tools
- Azucar: Security auditing tool for Azure environments (PowerShell, Windows only).
- BloodHound: Uses graph theory to reveal hidden relationships and attack paths in an Active Directory environment (and, through the AzureHound collector, in Azure AD and Azure RBAC) that would otherwise be impractical to identify quickly.
- ScoutSuite: Multi-cloud security auditing tool; the Azure provider collects configuration from a subscription and reports findings offline.
- StormSpotter: Azure Red Team tool for graphing Azure and Azure Active Directory objects.
- MicroBurst: A PowerShell toolkit for attacking Azure.
- PowerZure: A PowerShell project for reconnaissance and exploitation of Azure, Azure AD and their associated resources.
- ROADrecon: A tool for exploring Azure AD information from both a Red Team and a Blue Team perspective.
## Infrastructure as Code Scanning Tools
- Checkov: Static analysis for Terraform, CloudFormation, Kubernetes and ARM templates, written in Python.
- tfsec: Static analysis of your Terraform templates to spot potential security issues.
- DumpsterDiver: Searches files of many types for secrets such as keys (e.g. AWS access keys, Azure shared keys or SSH keys) and passwords, using entropy analysis alongside pattern rules.
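The secret-hunting approach behind tools like DumpsterDiver is worth seeing in the small: a name hint (`AccountKey=...`) catches secrets that are labelled, while Shannon entropy catches the ones that are not. The example below is added here and is not code from the original list or from any of the tools above. It scans three constructed in-memory files: an `appsettings.json` with an Azure Storage connection string, a Terraform variable whose default is a pasted key, and a README with long strings that should stay quiet (a hex digest and a run of padding). The key used is the well-known public Azure Storage Emulator key, not a live credential; the second key is that key reversed.

```python
"""Secret hunting by name hints and Shannon entropy over constructed sample files (added example)."""
import math
import re
from collections import Counter

# Runs of base64 long enough to be a key; an Azure Storage account key is 64 bytes -> 88 chars.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Settings whose name already says "secret"; the value runs up to the next separator or quote.
KEY_HINTS = re.compile(r'''(?i)\b(AccountKey|SharedAccessSignature|client_secret|password)\s*=\s*([^;\s"']+)''')
# Random base64 scores roughly 5.5-6 bits/char; hex can never exceed 4.0; prose sits near 4.
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string or a single repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(filename, text):
    """Return findings for one file: named secrets first, then unnamed high-entropy tokens."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for m in KEY_HINTS.finditer(line):
            seen.add(m.group(2))
            findings.append({"file": filename, "line": lineno,
                             "kind": f"hint:{m.group(1)}", "value": m.group(2)})
        for m in BASE64_RUN.finditer(line):
            token = m.group(0)
            if token in seen:
                continue  # already reported by name; do not double-count it
            ent = shannon_entropy(token.rstrip("="))
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"file": filename, "line": lineno, "kind": "high_entropy",
                                 "entropy": round(ent, 2), "value": token})
    return findings


# Well-known public key of the Azure Storage Emulator / Azurite (devstoreaccount1), not a live credential.
EMULATOR_KEY = "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="

# Constructed sample files, kept in memory so the scan runs offline.
SAMPLE_FILES = {
    "appsettings.json": (
        '{\n  "Storage": "DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;'
        f'AccountKey={EMULATOR_KEY};EndpointSuffix=core.windows.net"\n}}\n'
    ),
    # A key pasted as a Terraform default: no tell-tale name, so only entropy finds it.
    "variables.tf": (
        'variable "backend_key" {\n'
        f'  default = "{EMULATOR_KEY[::-1]}"  # constructed: the emulator key reversed\n'
        '}\n'
    ),
    # Long but low-entropy or hex-only strings must not trigger.
    "README.md": (
        "Image digest: sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n"
        "Padding test vector: " + "A" * 86 + "==\n"
    ),
}


def scan_all(files=SAMPLE_FILES):
    """Scan every sample file and return the combined findings in file order."""
    hits = []
    for name, text in files.items():
        hits.extend(scan_text(name, text))
    return hits


if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

The hex digest in the README is the point of the threshold: 16 symbols cap entropy at 4.0 bits per character, so hashes and GUIDs fall under a 4.5 cutoff while a real 64-byte key sits well above it. Lowering the threshold to catch shorter secrets trades directly against false positives on digests, which is why the name-hint pass exists as a second signal.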
## Threat Detection and Response
- Azure security logging and auditing: Azure provides a wide range of configurable security auditing and logging options (Activity Log, resource diagnostic logs, Azure AD sign-in and audit logs) to help you identify gaps in your security policies and controls.
- Azure Security Center - Alerts Reference Guide: Lists the security alerts you might receive from Azure Security Center and from any Azure Defender plans you have enabled.
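The Activity Log is where control-plane abuse of the kind described in the offensive posts below (mass resource group deletion by an over-privileged service principal, granting oneself Owner through a role assignment) leaves its trace. The example below is added here and is not code from the original list or from Microsoft; it runs two detections over constructed sample events. Field names follow the Activity Log JSON schema (`operationName`, `caller`, `resourceId`, `eventTimestamp`, `properties.requestbody`), with the assumption that `status` has already been flattened to its string value, as it would be after export. The subscription and principal GUIDs are made up; the role definition GUIDs for Owner, User Access Administrator and Reader are Azure's fixed built-in values.

```python
"""Two Activity Log detections over constructed sample events (added example, not from the page)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Azure role definition GUIDs whose assignment should page an analyst.
PRIVILEGED_ROLE_IDS = {
    "8e3af657-a8ff-443c-a75c-2fe8c4bcb635": "Owner",
    "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9": "User Access Administrator",
}
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"  # used only to build a benign sample
RG_DELETE = "Microsoft.Resources/subscriptions/resourceGroups/delete"
ROLE_WRITE = "Microsoft.Authorization/roleAssignments/write"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed subscription ID


def _ts(event):
    return datetime.fromisoformat(event["eventTimestamp"].replace("Z", "+00:00"))


def find_mass_rg_deletion(events, window=timedelta(minutes=10), threshold=3):
    """Flag any caller whose largest burst of successful resource-group deletions
    inside `window` reaches `threshold` (the 'nuke everything' pattern)."""
    by_caller = defaultdict(list)
    for e in events:
        if e.get("operationName") == RG_DELETE and e.get("status") == "Succeeded":
            by_caller[e["caller"]].append(e)
    findings = []
    for caller, evs in by_caller.items():
        evs.sort(key=_ts)
        best, start = (0, 0, 0), 0  # (count, first index, last index) of the densest window
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            findings.append({"rule": "mass_resource_group_deletion", "caller": caller,
                             "count": best[0],
                             "resources": [x["resourceId"] for x in evs[best[1]:best[2] + 1]]})
    return findings


def find_privileged_role_grants(events):
    """Flag successful roleAssignments/write calls granting Owner or User Access Administrator.
    The role is only visible in the request body, which the Activity Log keeps as a JSON string."""
    findings = []
    for e in events:
        if e.get("operationName") != ROLE_WRITE or e.get("status") != "Succeeded":
            continue
        props = json.loads(e.get("properties", {}).get("requestbody", "{}")).get("Properties", {})
        role_guid = props.get("RoleDefinitionId", "").rsplit("/", 1)[-1].lower()
        if role_guid in PRIVILEGED_ROLE_IDS:
            findings.append({"rule": "privileged_role_assignment", "caller": e["caller"],
                             "role": PRIVILEGED_ROLE_IDS[role_guid],
                             "principal": props.get("PrincipalId"), "scope": props.get("Scope")})
    return findings


# --- constructed sample events (not real telemetry) ----------------------------------------
def _rg_delete(caller, rg, hhmm, status="Succeeded"):
    return {"operationName": RG_DELETE, "status": status, "caller": caller,
            "resourceId": f"{SUB}/resourceGroups/{rg}", "eventTimestamp": f"2021-03-01T{hhmm}:00Z"}


def _role_write(caller, role_guid, principal, hhmm):
    body = {"Properties": {
        "RoleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_guid}",
        "PrincipalId": principal, "Scope": SUB}}
    return {"operationName": ROLE_WRITE, "status": "Succeeded", "caller": caller,
            "resourceId": f"{SUB}/providers/Microsoft.Authorization/roleAssignments/assign-1",
            "eventTimestamp": f"2021-03-01T{hhmm}:00Z", "properties": {"requestbody": json.dumps(body)}}


GOD_MODE_SP = "11111111-1111-1111-1111-111111111111"  # service principals log their object ID as caller
SAMPLE_EVENTS = [
    _rg_delete("alice@contoso.example", "rg-scratch", "09:15"),           # one-off cleanup, benign
    _rg_delete(GOD_MODE_SP, "rg-prod-web", "10:30"),
    _rg_delete(GOD_MODE_SP, "rg-prod-db", "10:31"),
    _rg_delete(GOD_MODE_SP, "rg-prod-locked", "10:32", status="Failed"),  # blocked; not counted
    _rg_delete(GOD_MODE_SP, "rg-shared-net", "10:33"),
    _rg_delete(GOD_MODE_SP, "rg-logging", "10:34"),
    _role_write("bob@contoso.example", READER_ROLE_ID, "33333333-3333-3333-3333-333333333333", "11:00"),
    _role_write("mallory@contoso.example", "8E3AF657-A8FF-443C-A75C-2FE8C4BCB635",
                "22222222-2222-2222-2222-222222222222", "11:05"),        # Owner at subscription scope
]


def run(events=SAMPLE_EVENTS):
    """Run both detections and return the combined findings."""
    return find_mass_rg_deletion(events) + find_privileged_role_grants(events)


if __name__ == "__main__":
    for finding in run():
        print(json.dumps(finding, indent=2))
```

Two details matter in practice: failed deletions are excluded so a resource lock doing its job does not inflate the count, and the role GUID is lower-cased before the lookup because callers may send it in either case. Tuning the window and threshold against your own automation (pipelines that tear down ephemeral environments legitimately delete several groups at once) is what separates this from a noisy rule.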
## Offensive blog posts
- Attacking Azure Cloud Shell by Karl Fosaaen: Leveraging the storage files that back Azure Cloud Shell, with subscription Contributor permissions, to perform cross-account command execution and privilege escalation.
- Nuking all Azure Resource Groups under all Azure Subscriptions by Kinnaird McQuade (@kmcquade3): How to abuse the Azure resource hierarchy and tenant-wide god-mode service principals to destroy an entire Azure environment.
- Privilege Escalation and Lateral Movement on Azure by Hila Cohen (@hilaco10): some techniques for how a red team can gain a foothold in an Azure environment, escalate their privileges, and move laterally inside Azure infrastructure by using the Azure RBAC module and common Azure misconfigurations.
- Privilege Escalation in Azure AD by Jan Geisbauer (@janvonkirchheim): A breakdown of how Azure AD service principals (aka Enterprise applications) differ from application objects (aka app registrations), and how the permissions attached to each can be abused to impersonate an application.
- Abusing Azure AD SSO with the Primary Refresh Token by Dirk-jan Mollema: Azure AD joined or registered corporate devices hold a Primary Refresh Token, a long-lived token used for Single Sign-On against Azure AD connected resources. The post covers how to extract and abuse these tokens once you have code execution on an Azure AD joined device.
## Defensive blog posts
- Awesome Azure Learning: A collection of references for learning Azure, in particular the Azure certifications, Azure architecture and security topics.
- Azure AZ-500 Study Guide: Study guide for the Microsoft Azure Security Technologies exam (AZ-500).
- Azure AZ-500 Labs by Microsoft: Hands-on labs from Microsoft for the Azure Security Technologies exam (AZ-500).
- Breaking and Pwning Apps and Servers on AWS and Azure: Course content, lab setup instructions and documentation for the hands-on training of the same name.