-
Notifications
You must be signed in to change notification settings - Fork 0
Privesc
Colby Farley edited this page Apr 7, 2026
·
4 revisions
privesc is the escalation-path command for AzureFox.
Use it when the question is no longer "who has access?" but "which visible path could turn this foothold into more control?"
- Which visible paths could broaden access quickly?
- Which path is most likely to matter first?
- Which path is closest to the current foothold or another already-interesting principal?
azurefox privesc --output tableFor saved structured output:
azurefox privesc --output json| severity | principal | path | asset | current |
|---|---|---|---|---|
high |
azurefox-lab-sp |
direct-role-abuse |
- |
yes |
high |
ua-app |
public-identity-pivot |
vm-web-01 |
no |
- after Permissions shows strong principals
- when you want likely escalation stories instead of raw identity evidence
- when you need to prioritize the most actionable control-expansion paths first
- paths involving the current identity
- role-assignment or delegation rights that could expand control
- workload-linked identities that could become a cleaner pivot than a user account
- concise reasoning that explains why a path matters immediately
Privilege inventory is useful, but escalation paths usually determine what changes next.
privesc compresses identity, role, and attachment context into a smaller set of high-signal paths
so you can spend time validating the path most likely to change what you can do in the tenant.
- the path with the highest impact
- the path closest to the current foothold
- the path that is easiest to understand and validate
- whether the current identity or another already-interesting principal is involved
- If you see
path_type=direct-role-abuse, go next to RBAC because it shows the exact role assignment evidence and scope behind that escalation path. - If you see
path_type=public-identity-pivot, go next to Managed-Identities andendpointsbecause one shows the workload-to-identity path and the other shows the ingress path into that workload. - If the path depends on a service principal or application trust edge, go next to Role-Trusts because it explains who can modify the identity that makes the path possible.
- Validate the underlying evidence in RBAC or Managed Identities.
- Use Role Trusts if the path appears to depend on indirect control.
- If the current identity is involved, treat that path as a priority before broader inventory work.
privesc should surface credible escalation paths backed by readable evidence.
It is not an exploit framework, a proof engine, or a claim that every imaginable attack chain is present.
- Home
- Getting Started
- Platform Notes
- Running Against The Proof Lab
- Understanding Output
- Command Guides
Core
Identity
Config
Secrets
Storage
Resource
Compute
Orchestration
Chain Families
Grouped Sweeps
Investigations
- Axios - Post Exposure Azure Triage
- From EvilTokens to AzureFox: Why Token Theft Can Become Azure Control
- FAQ / Known Limits (coming soon)