BadZure is a PowerShell script that uses the Microsoft Graph SDK to set up Azure Active Directory tenants. It fills them with different entities and makes common security mistakes to make tenants that are easy to attack and have multiple entry points.
BadZure automates the process of creating users, groups, application registrations, service principals, and administrative units, among other things.
It gives Azure AD roles, Graph permissions, and application ownership privileges to randomly chosen security principals to mimic common security misconfigurations in real environments.
This lets it create new attack paths. In line with the “Assume Breach” principle, BadZure gives users two ways to gain initial access to the vulnerable tenants it makes. This simulates account takeover scenarios.
BadZure’s main benefit is that it can quickly fill and clean up existing Azure AD tenants with randomly generated vulnerable configurations and pre-configured initial access.
This makes it easier for both the red team (attack simulation) and the blue team (detection development) to try out new ideas. It is made for security professionals who want to learn more about and explore Azure AD security.
BadZure was first made for a class at X33fcon 2023 called Azure AD Battle School: Hands-on Attack and Defense.
When BadZure is added to an Azure AD tenant, red and blue teams can also:
BadZure makes it easier to log in for the first time by modeling account takeover methods like password attacks and token theft. It accomplishes this by giving the principal JWT access tokens or assigning a password (which the user can choose or generate randomly).
BadZure also instantly makes a file called “users.txt” that lists the usernames of the new accounts. This is done to support testing methods like “password spraying.” Users can put themselves in the shoes of an attacker who is going after an Azure AD tenant by using the passwords or tokens that are given out in the output.
BadZure makes three attack vectors for gaining more privileges by simulating service principal abuse situations. It does this by making sure that Azure AD roles, Graph rights, and application ownerships cause misconfigurations. Below is a BloodHound-made image that shows the attack paths that BadZure makes.
You can learn more and download this tool here
Introduction to the Model Context Protocol (MCP) The Model Context Protocol (MCP) is an open…
While file extensions in Linux are optional and often misleading, the file command helps decode what a…
The touch command is one of the quickest ways to create new empty files or update timestamps…
Handling large numbers of files is routine for Linux users, and that’s where the find command shines.…
Managing files and directories is foundational for Linux workflows, and the mv (“move”) command makes it easy…
Creating directories is one of the earliest skills you'll use on a Linux system. The mkdir (make…