Privesc
privesc is the escalation-path command for HarrierOps Azure.
Use it when the question is no longer "who has access?" but "which visible path could turn this foothold into more control?"
- Which visible paths could broaden access quickly?
- Which path is most likely to matter first?
- Which path is closest to the current foothold or another already-interesting principal?
```bash
ho-azure privesc --output table
```

For saved structured output:

```bash
ho-azure privesc --output json
```

| severity | principal | path | asset | current |
|---|---|---|---|---|
| high | ho-azure-lab-sp | direct-role-abuse | - | yes |
| high | ua-app | public-identity-pivot | vm-web-01 | no |
- after Permissions shows strong principals
- when you want likely escalation stories instead of raw identity evidence
- when you need to prioritize the most actionable control-expansion paths first
- paths involving the current identity
- role-assignment or delegation rights that could expand control
- workload-linked identities that could become a cleaner pivot than a user account
- concise reasoning that explains why a path matters immediately
Privilege inventory is useful, but escalation paths usually determine what changes next.
privesc compresses identity, role, and attachment context into a smaller set of high-signal paths
so you can spend time validating the path most likely to change what you can do in the tenant.
- the path with the highest impact
- the path closest to the current foothold
- the path that is easiest to understand and validate
- whether the current identity or another already-interesting principal is involved
- If you see `path_type=direct-role-abuse`, go next to RBAC because it shows the exact role assignment evidence and scope behind that escalation path.
- If you see `path_type=public-identity-pivot`, go next to Managed-Identities and `endpoints` because one shows the workload-to-identity path and the other shows the ingress path into that workload.
- If the path depends on a service principal or application trust edge, go next to Role-Trusts because it explains who can modify the identity that makes the path possible.
- Validate the underlying evidence in RBAC or Managed Identities.
- Use Role Trusts if the path appears to depend on indirect control.
- If the current identity is involved, treat that path as a priority before broader inventory work.
Loot for this command keeps priority=high rows when present because privesc ships a defended
row-level priority field in JSON. That is semantic-high-band loot selection, not just a
top-ranked cutoff.
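The follow-up routing and the high-band loot selection described above can be sketched as a small triage script over saved JSON output. This is an added example, not HarrierOps code: the JSON field names (`priority`, `principal`, `path_type`, `asset`, `current`), the `medium`/`low` priority values, and the `example-user` row are assumptions modelled on the table columns and the fields named on this page.

```python
import json

# Constructed sample. Field names and the medium/low priority values are
# assumptions based on the table columns and the priority / path_type fields
# named on this page; "example-user" is a made-up row.
SAMPLE = json.loads("""
[
  {"priority": "medium", "principal": "example-user",
   "path_type": "direct-role-abuse", "asset": null, "current": false},
  {"priority": "high", "principal": "ua-app",
   "path_type": "public-identity-pivot", "asset": "vm-web-01", "current": false},
  {"priority": "high", "principal": "ho-azure-lab-sp",
   "path_type": "direct-role-abuse", "asset": null, "current": true}
]
""")

# Follow-up guides per path_type, as listed on this page.
NEXT_GUIDES = {
    "direct-role-abuse": ["RBAC"],
    "public-identity-pivot": ["Managed-Identities", "endpoints"],
}

def high_band(rows):
    """Semantic selection: every priority=high row, however many there are."""
    return [r for r in rows if r.get("priority") == "high"]

def top_n(rows, n):
    """Rank cutoff, for contrast: returns n rows whenever n rows exist."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: rank.get(r.get("priority"), 3))[:n]

def triage(rows):
    """High-band rows, current identity first, each with its follow-up guides."""
    picked = sorted(high_band(rows), key=lambda r: not r.get("current", False))
    return [(r["principal"], r["path_type"], NEXT_GUIDES.get(r["path_type"], []))
            for r in picked]

if __name__ == "__main__":
    for principal, path_type, guides in triage(SAMPLE):
        print(f"{principal}: {path_type} -> validate in {', '.join(guides) or 'n/a'}")
    only_medium = [r for r in SAMPLE if r["priority"] != "high"]
    # The band is empty when no high rows are present; a cutoff still returns a row.
    print(len(high_band(only_medium)), len(top_n(only_medium, 1)))
```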
privesc should surface credible escalation paths backed by readable evidence.
It is not an exploit framework, a proof engine, or a claim that every imaginable attack chain is present.