A curated list of awesome Microsoft Azure Security tools, guides, blogs, and other resources.
Contributions welcome! Read the contribution guidelines first.
- Azucar: Security auditing tool for Azure environments. Windows only.
- BloodHound: BloodHound uses graph theory to reveal hidden relationships and attack paths in an Active Directory environment that would otherwise be impossible to quickly identify.
- ScoutSuite: Multi-Cloud Security auditing tool.
- Steampipe: Instantly query your cloud, code, logs & more with SQL. Build on thousands of open-source benchmarks & dashboards for security & insights.
- StormSpotter: Azure Red Team tool for graphing Azure and Azure Active Directory objects.
- MicroBurst: a PowerShell Toolkit for Attacking Azure.
- PowerZure: a PowerShell project created to perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
- ROADrecon: a tool for exploring information in Azure AD from both a Red Team and Blue Team perspective.
- Checkov: Terraform, Cloudformation and Kubernetes static analysis written in python.
- Terraform Compliance for Azure: Steampipe module to check compliance of Terraform configurations to Azure security best practices.
- tfsec: Provides static analysis of your terraform templates to spot potential security issues.
- DumpsterDiver: Tool to search for secrets in various file types, such as keys (e.g. AWS access keys, Azure Shared Keys, or SSH keys) or passwords.
- Azure security logging and auditing: Azure provides a wide array of configurable security auditing and logging options to help you identify gaps in your security policies and mechanisms.
- Azure Security Center - Alerts Reference Guide: This article lists the security alerts you might get from Azure Security Center and any Azure Defender plans you've enabled.
- Attacking Azure Cloud Shell by Karl Fosaaen: Leveraging Azure Cloud Shell storage files with subscription contributor permissions to perform cross-account command execution and privilege escalation.
- Nuking all Azure Resource Groups under all Azure Subscriptions by Kinnaird McQuade (@kmcquade3): How to abuse the Azure resource hierarchy and tenant-wide "god-mode" Service Principals (privileged role assignments inherited from the tenant root or a management group) to nuke an entire Azure environment.
- Privilege Escalation and Lateral Movement on Azure by Hila Cohen (@hilaco10): some techniques for how a red team can gain a foothold in an Azure environment, escalate their privileges, and move laterally inside Azure infrastructure by using the Azure RBAC module and common Azure misconfigurations.
- Privilege Escalation in Azure AD by Jan Geisbauer (@janvonkirchheim): a breakdown of how Azure security principals (aka Enterprise applications) vs application objects (aka application registrations) and their associated permissions can be abused to impersonate an application.
- Abusing Azure AD SSO with the Primary Refresh Token by Dirk-jan Mollema: Most corporate devices hold a Primary Refresh Token (PRT), a long-lived token stored on the laptop or other Azure AD-joined device, used for Single Sign-On (SSO) against on-prem and Azure AD-connected resources. The post walks through abusing these tokens, which an attacker can reach with code execution on an Azure AD-joined target (or on your own joined laptop, for testing).
- Detect Azure network configuration mistakes with visualization using Flow Logs and Traffic Analytics by Leo Visser (@AutoSysOps): Use Traffic Analytics and Flow Logs in Azure to spot network configuration mistakes by visualizing your flows. This tool gives you multiple different visual graphs to spot mistakes and malicious behavior.
- Use Azure API Management and Keyvault to authorize based on API body values by Leo Visser (@AutoSysOps): There are times when you want to restrict certain values in a POST request to specific teams or people. This could be built into the API itself, but you can also use serverless techniques in Azure to manage it for you and keep the API itself less complex, which reduces the attack surface of the overall API.
- Awesome Azure Learning: numerous references for Azure learning, especially for the Azure Certs, Azure Architecture, and any other learning materials e.g. Security topics.
- Azure AZ 500 Study Guide: Study Guide for the Microsoft Azure Security Technologies Exam.
- Azure AZ 500 Labs by Microsoft: Hands-on labs accompanying the study material for the Microsoft Azure Security Technologies Exam.
- Breaking and Pwning Apps and Servers on AWS and Azure: Course content, lab setup instructions and documentation of our very popular Breaking and Pwning Apps and Servers on AWS and Azure hands on training.
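The "nuking all resource groups" and "Attacking Azure Cloud Shell" entries above both hinge on things a defender can enumerate cheaply: service principals holding Owner/Contributor/User Access Administrator at tenant-root, management-group or subscription scope, and the storage accounts that back Cloud Shell. The following PowerShell check is an added example for this list (not code from either blog post or any tool listed here). It assumes the Az module is installed, the caller has at least Reader on the subscriptions being audited, and that Cloud Shell storage accounts carry the `ms-resource-usage=azure-cloud-shell` tag that Cloud Shell applies when it creates them; the role list `$privilegedRoles` is the author's own choice of what counts as "god-mode".

```powershell
# Added example: audit broad-scope service-principal role assignments and
# Cloud Shell storage accounts across every subscription the signed-in identity can see.
# Not from the linked blog posts; assumes the Az module and an existing Connect-AzAccount session.

# Roles treated as high-privilege for this check (assumption, adjust to your environment).
$privilegedRoles = @('Owner', 'Contributor', 'User Access Administrator')
$findings = @()

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # 1. Privileged role assignments held by service principals.
    #    Get-AzRoleAssignment in a subscription context also returns assignments
    #    inherited from the tenant root ("/") and management groups; those are the
    #    ones that turn a single app credential into a tenant-wide foothold.
    Get-AzRoleAssignment |
        Where-Object { $_.ObjectType -eq 'ServicePrincipal' -and $_.RoleDefinitionName -in $privilegedRoles } |
        ForEach-Object {
            $scopeKind = switch -Regex ($_.Scope) {
                '^/$'                               { 'tenant-root' }
                '^/providers/Microsoft\.Management/' { 'management-group' }
                '^/subscriptions/[^/]+$'            { 'subscription' }
                default                             { 'resource-group-or-below' }
            }
            $findings += [pscustomobject]@{
                Check        = 'PrivilegedServicePrincipal'
                Subscription = $sub.Name
                Object       = $_.DisplayName
                Role         = $_.RoleDefinitionName
                ScopeKind    = $scopeKind
                Scope        = $_.Scope
            }
        }

    # 2. Storage accounts backing Cloud Shell. Their file share persists each
    #    user's Cloud Shell home directory, so anyone with Contributor on the
    #    storage account can tamper with what that user's shell loads next time.
    Get-AzStorageAccount |
        Where-Object { $_.Tags -and $_.Tags.ContainsKey('ms-resource-usage') -and $_.Tags['ms-resource-usage'] -eq 'azure-cloud-shell' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Check        = 'CloudShellStorage'
                Subscription = $sub.Name
                Object       = $_.StorageAccountName
                Role         = ''
                ScopeKind    = 'storage-account'
                Scope        = $_.Id
            }
        }
}

# Tenant-root and management-group hits sort first; review those before anything else.
$findings | Sort-Object Check, ScopeKind | Format-Table -AutoSize
```

Run it from an identity that is itself scoped to the subscriptions you want to cover; assignments at the tenant root only show up through inheritance, so an identity with no subscription access will report nothing even when a root-scoped Contributor service principal exists.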