home.social

#cortexxsiam — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #cortexxsiam, aggregated by home.social.

  1. 🛠️ Tool
    ===================

    Executive summary: AzureHound is an open-source Go-based data collection tool (distributed precompiled for Windows, Linux and macOS) that enumerates Entra ID and Azure resources using the Microsoft Graph and Azure REST APIs. It produces JSON output consumable by BloodHound to visualize relationships and potential attack paths for privilege escalation.

    Key features:
    • Automated enumeration of identities, groups, role assignments and Azure resources via Microsoft Graph and Azure REST API.
    • JSON export format compatible with BloodHound for graph-based analysis of potential attack paths.
    • Focus on discovering indirect escalation vectors across Entra ID and ARM-managed resources.

    Technical implementation:
    • Written in Go and uses authenticated queries to both Microsoft Graph (identity plane) and Azure Resource Manager (control plane).
    • Collects data points such as users, service principals, role assignments, subscriptions, resource groups and permissions relationships, then normalizes them to JSON for downstream graph analysis.
    • Does not require execution from within the target tenant because the APIs it queries are externally accessible given appropriate credentials.

    Use cases:
    • Red teams and penetration testers use AzureHound to map attack surface and privilege paths in preparation for controlled assessments.
    • Adversaries with initial access can run AzureHound to accelerate discovery of high-value principals and misconfigurations enabling lateral movement or escalation.

    Limitations:
    • Requires credentials or tokens that grant API access; the scope of data returned is limited by the permissions associated with those credentials.
    • Enumerated data quality depends on API rate limits and permission scoping; not all environmental context (e.g., private artifacts outside ARM) may be captured.

    Detection and logging notes:
    • Activities appear as Microsoft Graph and ARM API calls in Azure control-plane logs; monitoring API call patterns, unusual service principal usage, and large-scale enumeration queries can surface misuse.
    • The article highlights mapping of AzureHound behaviors to the MITRE ATT&CK framework and notes how Cortex XSIAM and related products can enhance detection and incident response.

    References and tags:
    • Tool: AzureHound; Integration: BloodHound; Data sources: Microsoft Graph, Azure REST API

    🔹 AzureHound #BloodHound #MicrosoftGraph #CortexXSIAM #tool

    🔗 Source: unit42.paloaltonetworks.com/th
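The "API call pattern" detection note above, worked into runnable logic as an added example (not code from the post or from the Unit 42 article it summarises): a per-principal sliding window over Graph and ARM request paths that alerts when one identity sweeps several distinct enumeration endpoint classes in a short time. The log field names, endpoint regexes, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re
# Endpoint classes a Graph/ARM collection sweep touches (patterns are this example's assumptions).
ENUM_CLASSES = {
    "graph:users": re.compile(r"^/v1\.0/users(\?|$)"),
    "graph:groups": re.compile(r"^/v1\.0/groups(\?|$)"),
    "graph:servicePrincipals": re.compile(r"^/v1\.0/servicePrincipals(\?|$)"),
    "graph:roleAssignments": re.compile(r"^/v1\.0/roleManagement/directory/roleAssignments"),
    "arm:roleAssignments": re.compile(r"/providers/Microsoft\.Authorization/roleAssignments", re.I),
}
def classify(path):
    """Map a request path to an enumeration class, or None for ordinary calls."""
    return next((n for n, p in ENUM_CLASSES.items() if p.search(path)), None)
def detect_enumeration(events, window=timedelta(minutes=10), min_classes=4):
    """Per principal, take the sliding window covering the most distinct classes; alert at min_classes."""
    per_principal = defaultdict(list)
    for ev in events:
        cls = classify(ev["path"])
        if cls:
            per_principal[ev["principal"]].append((ev["time"], cls))
    findings = []
    for principal, calls in sorted(per_principal.items()):
        calls.sort()
        best, start = set(), 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:  # shrink window to `window` seconds
                start += 1
            classes = {c for _, c in calls[start:end + 1]}
            if len(classes) > len(best):
                best = classes
        if len(best) >= min_classes:
            # cross_plane: the same identity swept both the identity plane (Graph) and control plane (ARM)
            findings.append({"principal": principal, "classes": sorted(best),
                             "cross_plane": {c.split(":")[0] for c in best} == {"graph", "arm"}})
    return findings
# Constructed sample records (not real telemetry): a collector sweeping both planes in under a minute,
# and an admin who touches the same Graph endpoints spread over an hour (should not alert).
def _ev(principal, seconds, path, t0=datetime(2024, 1, 1, 9, 0)):
    return {"principal": principal, "time": t0 + timedelta(seconds=seconds), "path": path}
SAMPLE_EVENTS = [
    _ev("sp-collector", 0, "/v1.0/users?$top=999"),
    _ev("sp-collector", 5, "/v1.0/groups?$top=999"),
    _ev("sp-collector", 12, "/v1.0/servicePrincipals?$top=999"),
    _ev("sp-collector", 20, "/v1.0/roleManagement/directory/roleAssignments"),
    _ev("sp-collector", 50, "/subscriptions/sub-0000/providers/Microsoft.Authorization/roleAssignments"),
    _ev("bob-admin@example.test", 0, "/v1.0/users?$top=50"),
    _ev("bob-admin@example.test", 900, "/v1.0/groups?$top=50"),
    _ev("bob-admin@example.test", 1800, "/v1.0/servicePrincipals?$top=50"),
    _ev("bob-admin@example.test", 3000, "/v1.0/roleManagement/directory/roleAssignments"),
]
```

Real input would be Microsoft Graph activity log and Azure activity log records; the window and class threshold are starting points to tune against a tenant's baseline, and widening the window to an hour makes the slow admin fire too.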