post-exploitation.md

File metadata and controls

71 lines (59 loc) · 2.08 KB

# Post exploitation

## Index

## Data harvesting

### Email

#### Search through mailboxes

- From the user's own mailbox (MailSniper's `Invoke-SelfSearch`)

```powershell
Invoke-SelfSearch -Mailbox <MAIL>
```

#### Search for open mailboxes

```powershell
Invoke-OpenInboxFinder
```

### Azure SQL

- Azure Transparent Data Encryption (TDE) is enabled by default
- TDE encrypts data at rest to prevent offline attacks (unless you export it…)
- Azure SQL servers get a DNS name under `.database.windows.net`
- SQL queries can be run from the portal
- Azure SQL BACPAC backup files are not encrypted… even when Transparent Data Encryption is enabled
  - A BACPAC database backup can be restored to another Azure SQL Server
  - Search for BACPAC files on disk and in blob storage, then restore them in another Azure account to analyze

#### List SQL servers

```powershell
Get-AzSqlServer
```

#### List databases

```powershell
Get-AzSqlDatabase -ServerName <ServerName> -ResourceGroupName <ResourceGroupName>
```

#### Check the allow list (firewall rules) of a server

```powershell
Get-AzSqlServerFirewallRule -ServerName <ServerName> -ResourceGroupName <ResourceGroupName>
```

#### List SQL server Azure AD admins

```powershell
Get-AzSqlServerActiveDirectoryAdministrator -ServerName <ServerName> -ResourceGroupName <ResourceGroupName>
```

#### Check the TDE state of a database (a BACPAC backup of it is unencrypted regardless)

```powershell
# Reports whether Transparent Data Encryption is enabled for the database
Get-AzSqlDatabaseTransparentDataEncryption -ServerName <ServerName> -DatabaseName <DatabaseName> -ResourceGroupName <ResourceGroupName>
```
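The cmdlets above composed into one posture audit, as an added example that is not part of these notes: it assumes the Az.Sql module, an existing `Connect-AzAccount` session, and the function names and /24 threshold are my own choices.

```powershell
# Added audit example, not part of the original notes. Assumes the Az.Sql module
# is installed and Connect-AzAccount has already been run for the subscription.
# It composes the cmdlets listed above into one per-database report (TDE state,
# firewall rules that expose the server broadly, whether an Azure AD admin is
# set) so a defender can see where the findings in these notes apply.

function Get-IpRangeSize {
    param([string]$Start, [string]$End)
    # Number of IPv4 addresses in an allow rule; bytes reversed for little-endian ToUInt32
    $s = [BitConverter]::ToUInt32(([IPAddress]$Start).GetAddressBytes()[3..0], 0)
    $e = [BitConverter]::ToUInt32(([IPAddress]$End).GetAddressBytes()[3..0], 0)
    return [int64]$e - [int64]$s + 1
}

function Invoke-AzSqlExposureAudit {
    param([int64]$MaxRuleSize = 256)   # flag any rule wider than a /24 (assumed threshold)
    foreach ($server in Get-AzSqlServer) {
        $rg   = $server.ResourceGroupName
        $name = $server.ServerName
        $wideRules = Get-AzSqlServerFirewallRule -ServerName $name -ResourceGroupName $rg |
            Where-Object {
                # 0.0.0.0-0.0.0.0 is the "allow Azure services" rule: any Azure-hosted
                # tenant can reach the server, so it is reported alongside wide ranges
                ($_.StartIpAddress -eq '0.0.0.0' -and $_.EndIpAddress -eq '0.0.0.0') -or
                (Get-IpRangeSize $_.StartIpAddress $_.EndIpAddress) -gt $MaxRuleSize
            }
        $ruleText = ($wideRules | ForEach-Object {
            "$($_.FirewallRuleName)=$($_.StartIpAddress)-$($_.EndIpAddress)" }) -join '; '
        $admin = Get-AzSqlServerActiveDirectoryAdministrator -ServerName $name `
            -ResourceGroupName $rg -ErrorAction SilentlyContinue
        $adminName = if ($admin) { $admin.DisplayName } else { '<none>' }
        $dbs = Get-AzSqlDatabase -ServerName $name -ResourceGroupName $rg |
            Where-Object DatabaseName -ne 'master'
        foreach ($db in $dbs) {
            $tde = Get-AzSqlDatabaseTransparentDataEncryption -ServerName $name `
                -DatabaseName $db.DatabaseName -ResourceGroupName $rg
            [pscustomobject]@{
                Server        = "$name.database.windows.net"
                ResourceGroup = $rg
                Database      = $db.DatabaseName
                TdeState      = $tde.State      # a BACPAC export is plaintext whatever this says
                AadAdmin      = $adminName
                WideRules     = $ruleText
            }
        }
    }
}

Invoke-AzSqlExposureAudit | Format-Table -AutoSize
```

Rows with `TdeState` of Disabled, an `AadAdmin` of `<none>`, or a non-empty `WideRules` column are the servers where the exposure described in this section is easiest to reach.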

### Compliance search

- Requires membership of the “eDiscovery Manager” role group in the Security & Compliance Center (Administrator, Compliance Officer, or eDiscovery Manager)
- https://protection.office.com
- Searches through almost all Office 365 services

## Metadata Service URL

```
http://169.254.169.254/metadata
```

### Get access tokens from the metadata service

```http
GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ HTTP/1.1
Host: 169.254.169.254
Metadata: true
```