This is an attempt to port Azbelt by Leron Gray from Nim to C#. It can be used to enumerate and pilfer Azure-related credentials from Windows boxes and Azure IaaS resources (VM, VMSS, WVD, etc).
When using Azbelt from the Sliver Armory it would crash and kill my implants, so I wanted to fix that. I'm definitely not great with C#, but I had no desire to work with Nim either, and I wanted to be able to use in-process execute-assembly to run it.
aadjoin- Gets info about machine AAD status viaNetGetAadJoinInformationcredman- Gets credentials from Credential Managerenv- Looks for Azure/AAD specific environment variables that may contain secretsmanaged- Calls IMDS endpoint to get info about machine with managed identitymsal- Looks in various MSAL caches for tokens. Tokens are parsed to display scope and validitysso- If machine is AAD joined, get signed PRT cookietbres- Gets tokens from Token Broker cacheall- Runs all enumeration except SSO
The project is a port of MC Ohm-I's azbelt. It makes use of code from:
- https://github.com/leechristensen/RequestAADRefreshToken
- https://github.com/xpn/WAMBam
- https://gist.github.com/benpturner/c7376718558bb118111c7cad651a25ce
Respect the licenses of any code used, adapted or otherwise from the original projects above.
For my own code, it's provided under #YOLO Public License