AzureHound is an open-source data collection tool used to enumerate Microsoft Entra ID and Azure resources via Microsoft Graph and Azure REST APIs, and while intended for defensive testing, threat actors have misused it for cloud discovery and privilege escalation mapping. Recent activity links its misuse to actors such as Curious Serpens, Void Blizzard and Storm-0501, and defenders are advised to monitor Microsoft Graph activity logs, Entra ID sign-in logs, and user-agent strings like azurehound/ to detect abuse. #AzureHound #CuriousSerpens #VoidBlizzard #Storm-0501
Keypoints
- AzureHound enumerates users, groups, service principals, roles, storage accounts, apps and infrastructure via Microsoft Graph and Azure REST APIs and outputs JSON for BloodHound ingestion.
- Threat actors use AzureHound post-compromise to map attack paths for privilege escalation, lateral movement and data exfiltration in Azure environments.
- Several threat actors and campaigns have been observed using AzureHound, including Curious Serpens, Void Blizzard and Storm-0501.
- Some AzureHound REST API calls (via management.azure[.]com/ARM) are not logged in Azure control-plane activity logs, creating visibility gaps defenders must mitigate by correlating Graph API test calls and sign-in logs.
- Defensive controls recommended include phishing-resistant MFA, Privileged Identity Management, Conditional Access Policies, token binding, disabling user app registrations, EDR/XDR/CDR coverage and Graph API activity logging.
- Detection opportunities include monitoring user-agent strings (azurehound/), high-volume API enumeration by a single identity, and correlating Graph API events with Entra ID sign-ins and IP/user-agent details.
- Cortex XDR/XSIAM hunting examples and XQL queries can surface AzureHound activity by filtering cloud_audit_logs for azurehound user agents and aggregating API call volumes.
MITRE Techniques
- [T1087.004] Account Discovery: Cloud ā AzureHound automates collection of identities (users, devices, service principals) using commands like ālist usersā, ālist devicesā, and ālist service-principalsā to enumerate tenant identities (āā¦the tool automates the collection of all identities, including users, devices and service principalsā¦ā).
- [T1069.003] Permission Groups Discovery: Cloud Groups ā AzureHound enumerates groups, roles and role assignments with commands such as ālist groupsā, ālist rolesā, and ālist role-assignmentsā to map permission relationships and find privilege escalation paths (āā¦enumerate Entra ID groups, roles and role assignmentsā¦ā).
- [T1619] Cloud Storage Object Discovery ā AzureHound discovers storage accounts and blob containers using ālist storage-accountsā and ālist storage-containersā, exposing storage names, endpoints and network ACLs relevant for data exfiltration (āā¦enumerating all storage accounts that the identity passed into the command has access toā¦ā).
- [T1526] Cloud Service Discovery ā AzureHound enumerates platform services (apps, web apps, function apps, managed clusters, container registries) with commands like ālist web-appsā, ālist function-appsā, and ālist container-registriesā to identify misconfigured or vulnerable services (āā¦enumerating services like Web Apps, Function Apps and Kubernetes clusters (AKS)ā¦ā).
- [T1580] Cloud Infrastructure Discovery ā AzureHound lists tenants, subscriptions, resource groups, virtual machines and key vaults using commands such as ālist tenantsā, ālist subscriptionsā, ālist resource-groupsā, ālist virtual-machinesā and ālist key-vaultsā to build an architectural map of the cloud environment (āā¦build a complete architectural map of the cloud deployment by listing the following: Virtual machines, Key vaults, The hierarchy of tenants, subscriptions and resource groupsā¦ā).
Indicators of Compromise
- [User-Agent] AzureHound identification ā azurehound/ (user agent string observed in Microsoft Graph activity logs and cloud audit logs).
- [API Endpoints] Graph and Identity endpoints used ā hxxps[:]//graph.microsoft[.]com/v1.0/organization (Graph test call), login.microsoftonline[.]com (Microsoft identity platform test call).
- [REST Endpoint] ARM calls not logged in control-plane ā management.azure[.]com Microsoft.Storage/storageAccounts/list (storage account enumeration call; read operation may not appear in activity logs).
- [App ID / Client ID] PowerShell client identifier context ā 1950a258-227b-4e31-a9cf-717495945fc2 (observed in Graph activity logs during AzureHound requests and useful for correlation).
- [Entra ID Object ID] user context ā example: 454b1120-3507-4bbb-b559-87b7f64af7fa (UserPrincipalObjectID seen in Graph activity log extracts for correlation with sign-in logs).
Read more: https://unit42.paloaltonetworks.com/threat-actor-misuse-of-azurehound/