Colby Farley edited this page Apr 26, 2026 · 7 revisions

HarrierOps Azure Wiki

HarrierOps Azure is a Go CLI for attack-path-focused Azure reconnaissance, pivot analysis, and management-plane cloud security workflows. This wiki is the operator guide layer: quick starts, walkthroughs, examples, and interpretation help.

Repo docs remain the source of truth for versioned behavior, output contracts, and roadmap decisions.

Start Here

Command Guide Coverage

Current command-guide coverage in the wiki:

If you are new to HarrierOps Azure, start with Command Guides, then follow the reading order from inventory into identity, config, secrets, storage, resource, network, compute, and orchestration as the environment dictates.

Orchestration Overview

Grouped commands and their live families:

chains
Grouped path views that pull the strongest Azure pivot stories to the top.

  • credential-path: Turns exposed secret and token clues into the downstream target most likely to widen access.
  • deployment-path: Surfaces the build, pipeline, and automation paths most likely to let an attacker change Azure next.
  • escalation-path: Highlights the clearest visible route from the current foothold to stronger Azure control.
  • compute-control: Finds workloads that can already mint identity-backed access and pivot into broader control.

persistence
Service-specific persistence walkthroughs that stay focused on what the current identity can do end to end.

  • app-service: Walks the current identity through App Service deployment, configuration, code replacement, and reachable reuse posture.
  • automation: Walks the current identity through Azure Automation account control, runbook changes, execution context, triggers, and the current state already in place.
  • azure-ml: Walks the current identity through Azure ML reusable compute, jobs, schedules, endpoints, and identity-backed runtime context.
  • container-apps-jobs: Walks the current identity through Container Apps Jobs stored definitions, trigger mode, image/command clues, execution settings, identity, and rerun posture.
  • functions: Walks the current identity through Function App code, identity, config, and trigger reuse posture.
  • logic-apps: Walks the current identity through Logic Apps workflow control, trigger posture, execution context, and durable workflow reuse paths.
  • vm-extensions: Walks the current identity through Azure-side VM Extension attachment, script or command source, settings posture, VM agent delivery, and rerun paths.
  • webjobs: Walks the current identity through App Service WebJobs background code, mode, inherited app context, and rerun paths.

evasion
Service-specific evasion walkthroughs that rank visible posture by quiet defender-truth disruption.

  • appinsights: Walks the current identity through Application Insights instrumentation, sampling, filtering, and logging-level posture clues without claiming runtime telemetry loss from posture alone.
  • dcr: Walks the current identity through Data Collection Rule collection, stream, destination, association, and transformation levers without claiming log-content loss or detector failure from posture alone.
  • diagnostic-settings: Walks the current identity through source resources, exported categories, metrics, and destination sinks without claiming sink contents or detector failure from posture alone.

resourcehijacking
Service-specific takeover walkthroughs that rank visible posture by commandeering, redirect, replacement, or repurposing value over existing trusted resources.

  • api-mgmt: Walks the current identity through API Management gateway, backend, subscription, named-value, and routing-control posture without claiming live traffic capture or backend ownership from management-plane posture alone.
  • automation: Walks the current identity through Automation runbook, schedule, webhook, identity, hybrid worker, and secure-asset posture without claiming job execution or script output from management-plane posture alone.
  • logic-apps: Walks the current identity through Logic App workflow, trigger, downstream action, connector, and identity posture without claiming run execution or connector data access from management-plane posture alone.

pathmasking
Service-specific relay/proxy walkthroughs that rank visible posture by path ambiguity and attribution-blur value.

  • api-mgmt: Walks the current identity through API Management gateway, backend, hostname, subscription, and route-control posture without claiming live traffic flow or backend ownership from management-plane posture alone.
  • logic-apps: Walks the current identity through Logic App trigger, downstream action, connector, and identity posture that can relay activity through a trusted workflow without claiming run execution or payload access by default.
  • relay: Walks the current identity through Azure Relay namespaces, Hybrid Connections, authorization-rule posture, and listener-count clues without claiming backend process identity or traffic contents from management-plane posture alone.

Common First Runs

Build the local binary:

go build -o ho-azure ./cmd/ho-azure

Run a quick identity sanity check:

ho-azure whoami --output table

Run a fast environment-shape check:

ho-azure inventory --output table

Run targeted follow-up when configuration, secrets, or data paths matter most:

ho-azure arm-deployments --output table
ho-azure env-vars --output table
ho-azure keyvault --output table
ho-azure tokens-credentials --output table
ho-azure storage --output table

Run resource and network follow-up when the interesting path is a named deployment surface, service boundary, or ingress path:

ho-azure automation --output table
ho-azure devops --output table
ho-azure endpoints --output table
ho-azure application-gateway --output table
ho-azure network-effective --output table

Run compute follow-up when the important question is which workload, cluster, host, or offline disk path matters first:

ho-azure workloads --output table
ho-azure app-services --output table
ho-azure functions --output table
ho-azure container-apps --output table
ho-azure container-instances --output table
ho-azure aks --output table
ho-azure vms --output table

Run orchestration follow-up when you want either a targeted grouped path or a broad transitional path:

ho-azure chains credential-path --output table
ho-azure chains deployment-path --output table
ho-azure chains escalation-path --output table
ho-azure chains compute-control --output table

If you want the short version of platform differences before going deeper, start with Platform Notes.

What Lives Where

  • Wiki: walkthroughs, operator examples, practical investigation flow
  • Repo docs: API mappings, output contracts, release process, roadmap
  • CLI help: command-specific usage via ho-azure <command> --help

Investigation Workflows

Planned Wiki Areas
