AzureHound

AzureHound uses the “Az” Azure PowerShell module and “Azure AD” PowerShell module for gathering data within Azure and Azure AD.

If the modules are not installed, you can use the following commands to install them. The modules require PowerShell version 5.1 or later. To check your PowerShell version, use “$PSVersionTable.PSVersion”.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force
Install-Module -Name AzureAD -Scope CurrentUser -Repository PSGallery -Force

You then need to import the modules:

Import-Module Az
Import-Module AzureAD

It’s also recommended to first set your TLS version to 1.2 with this command to prevent any issues while installing these modules:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Once the Az module is installed, you can import AzureHound by using the command:

Import-Module C:\path\to\AzureHound.ps1

Next, you must log in to Azure PowerShell using the command:

Connect-AzAccount

This will bring up an interactive page to log in to Azure. Once you have logged in successfully, it prints your active subscription, account name and Tenant ID.

You must also do the same for connecting to Azure AD:

Connect-AzureAD
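The setup steps above (version check, TLS 1.2, install, import, sign in) as one script. This is an added example, not part of AzureHound; the AzureHound.ps1 path is a placeholder, and it assumes an interactive session where Connect-AzAccount and Connect-AzureAD can prompt for credentials and return a context object.

```powershell
# Added example (not AzureHound's own code): preflight for the setup steps described above.
# Assumes an interactive session; the AzureHound.ps1 path below is a placeholder.

# 1. The Az and AzureAD modules need Windows PowerShell 5.1 or later.
if ($PSVersionTable.PSVersion -lt [Version]'5.1') {
    throw "PowerShell 5.1 or later is required; found $($PSVersionTable.PSVersion)"
}

# 2. Force TLS 1.2 before talking to the PowerShell Gallery.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 3. Install each module for the current user only if it is not already present, then import it.
foreach ($name in 'Az', 'AzureAD') {
    if (-not (Get-Module -ListAvailable -Name $name)) {
        Install-Module -Name $name -Scope CurrentUser -Repository PSGallery -Force
    }
    Import-Module $name
}

# 4. Load AzureHound from its script file (placeholder path).
Import-Module 'C:\path\to\AzureHound.ps1'

# 5. Sign in to both endpoints and echo which identity and tenant each session is using,
#    so the collection is knowingly run as the intended account.
$azCtx = Connect-AzAccount
Write-Host "Az:      $($azCtx.Context.Account.Id) in tenant $($azCtx.Context.Tenant.Id)"
$aadCtx = Connect-AzureAD
Write-Host "AzureAD: $($aadCtx.Account.Id) in tenant $($aadCtx.TenantId)"
```

The version check and the conditional install are what the page's separate commands do not give you: re-running the script on a machine that already has the modules skips the gallery download, and the two Write-Host lines make it obvious when the Az and AzureAD sessions ended up in different tenants.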

It is also possible to steal the access tokens from a compromised machine if that machine has been used to log in to Azure PowerShell before. Copy the existing files:

C:\users\[Username]\.azure\AzureRmContextSettings.json
C:\users\[Username]\.azure\TokenCache.dat

And place them in your own .azure folder. Re-launch PowerShell and the token will now be used.

For stealing AzureAD tokens, the tokens are cached by one of the module’s DLLs and require the PowerShell process context in order to be accessed. They can be stolen using the command:

$token = [Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens['AccessToken']
$token.AccessToken

You can then decode this JWT to read the UserPrincipalName and TenantID by pasting it into a JWT decoder.
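Decoding the token locally instead of pasting it into a web decoder, as an added example that is not part of AzureHound. Get-JwtClaims is a hypothetical helper; it base64url-decodes the payload segment and returns the claims, and it does no signature verification, so it only tells you which identity and tenant the token was issued for. The sample token is constructed inline from a made-up upn and an all-zero tid so the example runs offline.

```powershell
# Added example (not AzureHound's own code): read claims such as upn and tid from a JWT.
# This decodes only; it does NOT validate the signature or expiry.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT (expected header.payload.signature)' }
    # JWT segments are base64url without padding: map '-'/'_' back and restore '=' padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Helper used only to build the constructed sample below.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample token (made-up values, unsigned header, empty signature segment).
$header = '{"alg":"none","typ":"JWT"}'
$claims = '{"upn":"alice@contoso.example","tid":"00000000-0000-0000-0000-000000000000"}'
$sample = "$(ConvertTo-Base64Url $header).$(ConvertTo-Base64Url $claims)."

$decoded = Get-JwtClaims -Token $sample
Write-Host "upn=$($decoded.upn) tid=$($decoded.tid)"
# Prints: upn=alice@contoso.example tid=00000000-0000-0000-0000-000000000000

# Against a real token from the session above: Get-JwtClaims -Token $token.AccessToken
```

Keeping the decode local matters because the token is a bearer credential: pasting it into a third-party decoder hands that site a live token. Checking upn and tid before a collection run also confirms the data was gathered for the tenant you expected.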

To use AzureHound, invoke it using the command “Invoke-AzureHound”.

By default, AzureHound will output the results to a file called “[timestamp]-azurecollection.zip” in the directory that AzureHound is run from. This can be changed using the “-OutputDirectory” switch, e.g. Invoke-AzureHound -OutputDirectory "C:\temp\results"

AzureHound supports a few switches, as shown below:

-Install | Installs the PowerShell modules
-TenantId xxxx-xxxx-xxxx-xxxx | Gather using a specific tenant ID instead of the current one
-OutputDirectory "C:\path\to\destination\folder" | Outputs the results to a custom directory