Getting Started
This page is the fastest path from install to a believable first HarrierOps Azure run.
HarrierOps Azure builds the live Azure runtime path by default, so a normal source build is ready for real Azure command execution.
For a local binary:

```
go build -o ho-azure ./cmd/azurefox
```

If you prefer to run directly from source without creating a local binary first:

```
go run ./cmd/azurefox help
```

For local development:

```
go test ./...
```

HarrierOps Azure is intended to work on macOS, Linux, and Windows. The command examples below use
portable relative paths like ./ho-azure-demo; shell syntax mainly differs for environment-variable
export and binary invocation.
Live operator guidance is built into ho-azure help and ho-azure help <command>.
Install profile summary:
- `go build -o ho-azure ./cmd/azurefox` builds the normal operator binary from a local checkout
- `go run ./cmd/azurefox ...` runs the same live Azure command profile directly from source
- `go test ./...` runs the contributor validation baseline for the Go repo
HarrierOps Azure checks credentials in this order:
- Azure CLI credential
- Environment/service principal credential
Supported auth paths:
| Path | How it starts | Current support | Metadata auth_mode |
|---|---|---|---|
| Interactive user via Azure CLI | az login | supported | azure_cli |
| Service principal via Azure CLI | az login --service-principal ... | supported through Azure CLI | azure_cli |
| Managed identity via Azure CLI | az login --identity | supported through Azure CLI | azure_cli |
| Service principal via environment client secret | AZURE_TENANT_ID + AZURE_CLIENT_ID + AZURE_CLIENT_SECRET | supported | environment |
| Service principal via environment certificate | AZURE_TENANT_ID + AZURE_CLIENT_ID + AZURE_CLIENT_CERTIFICATE_PATH | supported | environment |
| Environment fallback after Azure CLI failure | automatic fallback when CLI auth is unavailable but environment auth succeeds | supported | environment_fallback |
Browser-based Azure CLI example:

```
az login
az account set --subscription <subscription-id>
```

Service principal via Azure CLI:

```
az login --service-principal \
  --username <client-id> \
  --password <client-secret> \
  --tenant <tenant-id>
az account set --subscription <subscription-id>
ho-azure whoami --subscription <subscription-id>
```

Service principal via environment client secret:

```
# macOS/Linux
export AZURE_TENANT_ID=<tenant-id>
export AZURE_CLIENT_ID=<client-id>
export AZURE_CLIENT_SECRET=<client-secret>
ho-azure whoami --tenant <tenant-id> --subscription <subscription-id>
```

```
# Windows PowerShell
$env:AZURE_TENANT_ID="<tenant-id>"
$env:AZURE_CLIENT_ID="<client-id>"
$env:AZURE_CLIENT_SECRET="<client-secret>"
ho-azure whoami --tenant <tenant-id> --subscription <subscription-id>
```

Service principal via environment certificate:

```
# macOS/Linux
export AZURE_TENANT_ID=<tenant-id>
export AZURE_CLIENT_ID=<client-id>
export AZURE_CLIENT_CERTIFICATE_PATH=/path/to/certificate.pem
export AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
ho-azure whoami --tenant <tenant-id> --subscription <subscription-id>
```

```
# Windows PowerShell
$env:AZURE_TENANT_ID="<tenant-id>"
$env:AZURE_CLIENT_ID="<client-id>"
$env:AZURE_CLIENT_CERTIFICATE_PATH="C:\\path\\to\\certificate.pem"
$env:AZURE_CLIENT_CERTIFICATE_PASSWORD="<optional-password>"
ho-azure whoami --tenant <tenant-id> --subscription <subscription-id>
```

Azure-hosted managed identity through Azure CLI:

```
az login --identity
az account set --subscription <subscription-id>
ho-azure whoami --subscription <subscription-id>
```

For a user-assigned managed identity:

```
az login --identity --client-id <user-assigned-managed-identity-client-id>
az account set --subscription <subscription-id>
ho-azure whoami --subscription <subscription-id>
```

AZUREFOX_DEVOPS_ORG is only needed when running the devops command. The identity used for
devops still needs access to the Azure DevOps organization, not just ARM access to the tenant or
subscription.
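
A pre-flight check for the credential order described above, as an added example that is not part of HarrierOps Azure: it reports which credential source would be found first, so a logged-in Azure CLI session does not silently take the place of the service principal you exported. The function names and output labels are illustrative, and treating a client secret as taking precedence over a certificate when both are set is an assumption.

```shell
#!/bin/sh
# Added example, not part of ho-azure. Function names and labels are illustrative.

# Prints "yes" when Azure CLI has a usable logged-in session, otherwise "no".
cli_session() {
    if command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Prints the environment credential set that is complete: "secret", "cert",
# "partial" (some variables set, no usable set) or "none".
# Assumption: a client secret wins over a certificate when both are set.
env_credential() {
    cert="${AZURE_CLIENT_CERTIFICATE_PATH:-}"
    if [ -n "${AZURE_TENANT_ID:-}" ] && [ -n "${AZURE_CLIENT_ID:-}" ]; then
        if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then echo secret; return; fi
        # The certificate variable must point at a readable file.
        if [ -f "$cert" ] && [ -r "$cert" ]; then echo cert; return; fi
    fi
    all="${AZURE_TENANT_ID:-}${AZURE_CLIENT_ID:-}${AZURE_CLIENT_SECRET:-}$cert"
    if [ -n "$all" ]; then echo partial; else echo none; fi
}

# $1 is the output of cli_session. Applies the documented order:
# Azure CLI credential first, then the environment credential.
auth_source() {
    env_kind=$(env_credential)
    case "$1:$env_kind" in
        yes:secret|yes:cert)
            echo "cli (environment-$env_kind is set but checked second)" ;;
        yes:*)
            echo "cli" ;;
        no:secret|no:cert)
            echo "environment-$env_kind" ;;
        no:partial)
            echo "none (environment variables incomplete)"; return 1 ;;
        *)
            echo "none"; return 1 ;;
    esac
}

# Report the source for the current shell before running ho-azure whoami.
auth_source "$(cli_session)" || true
```

If the report says `cli` while you meant to run as the exported service principal, run `az logout` first and confirm the identity with `ho-azure whoami`.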
By default, HarrierOps Azure writes artifacts into your current directory.
For ad hoc runs, it is usually cleaner to pass --outdir explicitly:

```
ho-azure --outdir ./ho-azure-demo whoami --output table
```

Relative paths like ./ho-azure-demo are a simple cross-platform default. If you already have a
preferred temp or working directory, use that instead.
Check who HarrierOps Azure sees you as:

```
ho-azure --outdir ./ho-azure-demo whoami --output table
```

Take a broader inventory pass:

```
ho-azure --outdir ./ho-azure-demo inventory --output table
```

Run a grouped identity-focused follow-up:

```
ho-azure --outdir ./ho-azure-demo permissions --output table
ho-azure --outdir ./ho-azure-demo privesc --output table
ho-azure --outdir ./ho-azure-demo chains escalation-path --output table
```

HarrierOps Azure supports generic and scoped help:

```
go run ./cmd/azurefox help
ho-azure help
ho-azure help permissions
ho-azure whoami --help
```

- Use Understanding Output to learn where artifacts land and how to read them
- Use Running Against The Proof Lab if you want a disposable environment for demos and validation