BadZure is a Python tool that utilizes Terraform to automate the setup of Azure Active Directory (now Entra ID) tenants, populating them with various entities and introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.
BadZure automates the creation of various entities, including users, groups, application registrations, service principals, and administrative units. To simulate common security misconfigurations in real environments, it randomly assigns Azure AD roles, Graph permissions, and application ownership privileges to selected security principals, enabling the creation of unique attack paths. Adhering to the 'Assume Breach' principle, BadZure offers users two methods of initial access to the vulnerable tenants it creates, thereby simulating account takeover scenarios.
The key advantage of BadZure is its ability to quickly populate and purge Azure AD tenants with randomly generated vulnerable configurations and pre-configured initial access, facilitating continuous and iterative Azure AD adversary simulation and detection development experimentation. It is designed for security practitioners interested in exploring and understanding Azure AD security.
BadZure was initialy written to host the Azure AD Battle School: Hands-on Attack and Defense workshop at X33fcon 2023.
An Azure AD tenant populated with BadZure also enables red and blue teams to:
- Experiment with common Azure AD attack vectors and tools
- Quickly stand up misconfigured Azure AD lab tenants.
- Obtain attack telemetry to build, test and enhance detection controls
- Execute purple team exercises in a safe setting
- Faciliate hands-on Azure AD security training
- Host dynamic Azure AD Capture the Flag (CTF) events
BadZure simulates initial access by employing common account takeover techniques, including password attacks and token theft. By providing both passwords and tokens, BadZure enables security practitioners to effectively simulate initial access scenarios and explore various attack vectors against Azure AD tenants.
When configured to use passwords, BadZure assigns randomly generated passwords to key user accounts that are part of the attack paths. These passwords are provided to BadZure users to simulate password-based attacks, such as credential stuffing or password spraying. Additionally, BadZure automatically generates a users.txt file containing the usernames of all created accounts, facilitating testing strategies like password spraying.
For token-based access, BadZure generates JWT access tokens for specified principals. These tokens are provided in the output, simulating scenarios where an attacker has obtained valid tokens through reverse proxy phishing, endpoint malware or device code phishing. Users can utilize these tokens to authenticate directly against Azure AD resources, gaining an understanding of potential attack vectors involving token theft.
BadZure simulates privilege escalation by introducing misconfigurations within Azure AD roles, Graph API permissions, and application ownerships. These misconfigurations include assigning high-privilege roles to service principals or users, granting extensive Graph API permissions to applications, and configuring users as owners of privileged applications. These settings allow for the configuration of service principal abuse attack scenarios.
A BloodHound-generated graph, showcasing the attack paths BadZure can create, is shown below.
- Azure CLI: Follow the instructions here to install Azure CLI.
- Terraform: Follow the instructions here to install Terraform.
Creating an Azure subscription will also provide you an Azure AD tenant.
Note: Utilizing BadZure within your Azure subscription won't lead to any additional costs as it only requires an Azure AD Free license.
git clone https://github.com/mvelazc0/BadZure
cd BadZure
# Create a virtual environment
python -m venv venv
# Activate the virtual environment
# On Windows
venv\Scripts\activate
# On Unix or MacOS
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
az login
# Display the help menu
python badzure.py --help
# Populate a tenant and configure all attack paths using the default badzure.yml config file
python badzure.py build
# Populate a tenant and configure all attack paths with a different config file
python badzure.py build --config config.yml
# Show the created resources in Azure AD tenant
python badzure.py show
# Destroy all created identities with verbose logging
python badzure.py destroy --verbose
BadZure leverages a configuration file used to configure the setup of the Azure AD tenant. This file allows users to specify details such as the number of users, groups, applications, administrative units, and attack paths to be created.
tenant:
tenant_id: "your-tenant-id"
domain: "your-domain.com"
users: 30
groups: 10
applications: 10
administrative_units: 10
attack_paths:
attack_path_1:
enabled: true
initial_access: password
privilege_escalation: ServicePrincipalAbuse
method: AzureADRole
entra_role : random
attack_path_2:
enabled: true
initial_access: token
privilege_escalation: ServicePrincipalAbuse
method: GraphAPIPermission
app_role : random
For more details on the configuration options, please refer to the Wiki
- Mauricio Velazco - @mvelazco
- Cloud Katana by Roberto Rodriguez
- AADInternals by Nestori Syynimaa
- Azure Attack Paths by Fabian Bader
- ROADtools by Dirkjan Mollema
- PurpleCloud by Jason Ostrom
- Azure AD - Attack and Defense Playbook by Sami Lamppu and Thomas Naunheim
- BloodHound/AzureHound by Andy Robbins
- Blog posts, talks and tools by @Haus3c, @kfosaaen, @inversecos and others.
This project is licensed under the Apache 2.0 License - see the LICENSE file for details