Please go to BloodHound after gathering information with AzureHound.
Custom queries for finding interesting stuff
- Download newest release of AzureHound from
Within PowerShell, paste the following code as-is.
$body = @{
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"resource" = ""
$UserAgent = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36"
$Headers["User-Agent"] = $UserAgent
$authResponse = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "" `
-Headers $Headers `
-Body $body
The output will contain a user_code and device_code. Now, open a browser where your AzureAD user either already logged on or can log on to Azure. In this browser, navigate to
After the device login is done, run the following as-is.
"client_id" = "1950a258-227b-4e31-a9cf-717495945fc2"
"grant_type" = "urn:ietf:params:oauth:grant-type:device_code"
"code" = $authResponse.device_code
$Tokens = Invoke-RestMethod `
-UseBasicParsing `
-Method Post `
-Uri "" `
-Headers $Headers `
-Body $body
The output will include several tokens including a refresh_token
. It will start with characters similar to ā0.ARwA6Wgā¦ā. Now you are ready to run AzureHound! Take the refresh token and supply it to AzureHound using the -r switch:
./azurehound -r "0.ARwA6Wg..." list --tenant "" -o output.json