Using AzureHound - SethBodine/audit-tools GitHub Wiki

Using AzureHound

AzureHound is a data collector for BloodHound that enumerates Azure Active Directory (Entra ID) and Azure Resource Manager objects. It collects relationships between users, groups, service principals, roles, subscriptions, and resources, and outputs a JSON file that can be ingested by BloodHound CE for attack path analysis.

  • Collects Entra ID and Azure Resource Manager data
  • Outputs BloodHound-compatible JSON for attack path analysis
  • Uses device code authentication (no stored credentials required)
  • Built at container start-up, so it may take a few minutes to be available

Prepare the Environment

No setup required. Run from the shell. AzureHound is built at container image start-up and may take a few minutes to be available after the container starts.

cd /opt/AzureHound/

Gather Data

Step 1 - Authenticate via Device Code

# Paste the following code to perform device authentication

# Request a device code for Microsoft Graph.
# The URL is quoted so the shell does not treat "?" as a glob character.
azdevcode=$(curl -s -X POST \
    "https://login.microsoftonline.com/common/oauth2/devicecode?api-version=1.0" \
    -H "User-Agent: Mozilla/5.0" \
    -d "client_id=1950a258-227b-4e31-a9cf-717495945fc2&resource=https://graph.microsoft.com")

# Quote the JSON when echoing it so it reaches jq unmodified.
az_user_code=$(echo "${azdevcode}" | jq -rc '.user_code')
az_device_code=$(echo "${azdevcode}" | jq -rc '.device_code')
az_message=$(echo "${azdevcode}" | jq -rc '.message')

echo -e "\n\n${az_message}\n\nOnce authenticated press Enter to continue."
read

# Exchange the device code for tokens once the browser sign-in is complete.
aztoken=$(curl -s -X POST \
    "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" \
    -H "User-Agent: Mozilla/5.0" \
    -d "client_id=1950a258-227b-4e31-a9cf-717495945fc2&grant_type=urn:ietf:params:oauth:grant-type:device_code&code=${az_device_code}")

# The refresh token is held in a shell variable only; nothing is written to disk.
az_refresh_token=$(echo "${aztoken}" | jq -rc '.refresh_token')
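
Added example, not part of the original wiki: Step 1 sends one token request after Enter, so an unfinished or declined sign-in leaves `az_refresh_token` set to the string `null`, which Step 2 then passes to AzureHound. The functions below classify the reply and poll until sign-in completes; the function names, the 5-second interval and 900-second lifetime defaults, and the sample replies are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example (not from the wiki): validate the token reply before Step 2.
# Requires curl and jq, which the wiki's own commands already use.

# Print the refresh token and return 0 on success.
# Return 2 while sign-in is still pending (retry), 1 on any other failure.
get_refresh_token() {
    local resp="$1" err tok
    err=$(printf '%s' "$resp" | jq -r '.error // empty' 2>/dev/null) || {
        echo "token reply is not a JSON object" >&2; return 1; }
    case "$err" in
        "") ;;                                    # no error member in the reply
        authorization_pending|slow_down) return 2 ;;
        *) echo "token request failed: $err" >&2; return 1 ;;
    esac
    tok=$(printf '%s' "$resp" | jq -r '.refresh_token // empty')
    [ -n "$tok" ] || { echo "reply has no refresh_token" >&2; return 1; }
    printf '%s\n' "$tok"
}

# One token request, as in Step 1 (network call; $1 is the device code).
request_token() {
    curl -s -X POST \
        "https://login.microsoftonline.com/Common/oauth2/token?api-version=1.0" \
        -H "User-Agent: Mozilla/5.0" \
        -d "client_id=1950a258-227b-4e31-a9cf-717495945fc2&grant_type=urn:ietf:params:oauth:grant-type:device_code&code=$1"
}

# Poll until sign-in completes, a fatal error arrives, or the code expires.
# Args: device_code [interval_seconds] [lifetime_seconds] (defaults are assumptions)
wait_for_refresh_token() {
    local code="$1" interval="${2:-5}" left="${3:-900}" rc
    while [ "$left" -gt 0 ]; do
        rc=0
        get_refresh_token "$(request_token "$code")" && return 0 || rc=$?
        [ "$rc" -eq 2 ] || return 1               # anything but "pending" is fatal
        sleep "$interval"
        left=$((left - interval))
    done
    echo "device code expired before sign-in completed" >&2
    return 1
}

# Constructed sample replies (not captured from a real tenant).
SAMPLE_OK='{"token_type":"Bearer","refresh_token":"SAMPLE-REFRESH-TOKEN"}'
SAMPLE_PENDING='{"error":"authorization_pending","error_description":"constructed"}'
SAMPLE_DENIED='{"error":"authorization_declined","error_description":"constructed"}'
# Usage after the device-code prompt in Step 1:
#   az_refresh_token=$(wait_for_refresh_token "$az_device_code")
```

A non-zero return from `wait_for_refresh_token` means there is no usable token, so Step 2 should not be run.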

Step 2 - Collect Data

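# -r keeps backslashes in the input literal.
read -r -p "Tenant Name: " tenantname
# Quote the variables so the token and file name are passed as single arguments.
AzureHound -r "${az_refresh_token}" list \
    --tenant "${tenantname}.onmicrosoft.com" \
    -o "azurehound_${tenantname}.json"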

The output JSON can be ingested into BloodHound CE via the File Ingest interface. See Using BloodHound for import instructions.

Known Issues

TBC

Additional Information