Tokens Credentials
tokens-credentials is the credential-path triage command for AzureFox.
Use it when you want to know which workloads are most likely to expose credential-bearing metadata, mint tokens, or lead to the most useful secret follow-up first.
- Which workloads look most likely to produce a useful credential or token path?
- Which surfaces deserve review before broad secret hunting?
- Which asset most changes the credential story if it is compromised?
```
azurefox tokens-credentials --output table
```

For a saved structured artifact:

```
azurefox tokens-credentials --output json
```

| asset | kind | surface | access path | priority | operator signal | next review |
|---|---|---|---|---|---|---|
| app-public-api | AppService | plain-text-secret | app-setting | high | setting=DB_PASSWORD | Check env-vars for exact setting context. |
| func-orders | FunctionApp | plain-text-secret | app-setting | high | setting=AzureWebJobsStorage | Check env-vars for exact setting context. |
| vm-web-01 | VM | managed-identity-token | imds | high | public-ip=52.160.10.20; identities=1 | Check endpoints, then managed-identities and permissions. |
- when the environment has many apps or workloads and you need to narrow secret review fast
- after `inventory` or `workloads` suggests an app-heavy estate
- when you want the shortest path to token-capable or credential-bearing surfaces
- workloads that can mint tokens
- plain-text secret or credential-shaped metadata
- assets that combine multiple credential signals
- publicly reachable workloads that also look identity-relevant
Most useful secret review starts with the workload path, not the final secret value.
tokens-credentials helps you focus on the workloads most likely to lead to a practical identity or
credential path, which is much more efficient than treating every app or deployment surface as
equally important.
- explicitly high-priority findings
- workloads that can mint tokens or expose credential-shaped metadata
- assets that combine multiple credential signals
- rows whose summary already explains why they matter
- If you see `surface_type=plain-text-secret`, go next to `env-vars` because it shows the exact setting name and workload context behind the credential-bearing row.
- If you see `surface_type=managed-identity-token`, go next to `managed-identities` and `permissions` because one shows the attached identity path and the other confirms what that identity can do in Azure.
- If the credential or token surface belongs to a publicly reachable workload, go next to `endpoints` because it shows the ingress path into the asset exposing that surface.
- Prioritize workloads that combine token potential with other credential signals.
- Move from the candidate surface into the exact command that confirms identity path, config context, or ingress reachability.
- Treat this as a ranking command that narrows the workload set before deeper secrets review.
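
The follow-up rules above, applied to the sample rows as an added example (not AzureFox code). It assumes the table is available as pipe-delimited text with the column names shown in the sample; the real `--output table` and `--output json` layouts may differ, and the function names are hypothetical.

```python
import re

# Constructed sample: the three rows from the table above, as pipe-delimited text.
# The real layout of `--output table` / `--output json` may differ (assumption).
SAMPLE = """\
| asset | kind | surface | access path | priority | operator signal | next review |
|---|---|---|---|---|---|---|
| app-public-api | AppService | plain-text-secret | app-setting | high | setting=DB_PASSWORD | Check env-vars for exact setting context. |
| func-orders | FunctionApp | plain-text-secret | app-setting | high | setting=AzureWebJobsStorage | Check env-vars for exact setting context. |
| vm-web-01 | VM | managed-identity-token | imds | high | public-ip=52.160.10.20; identities=1 | Check endpoints, then managed-identities and permissions. |
"""

# Follow-up commands per surface, as the guide describes them.
FOLLOW_UPS = {
    "plain-text-secret": ["env-vars"],
    "managed-identity-token": ["managed-identities", "permissions"],
}

def parse_table(text):
    """Turn a pipe-delimited table into a list of dicts keyed by header."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("|")]
    cells = [[c.strip() for c in l.strip("|").split("|")] for l in lines]
    header, body = cells[0], cells[1:]
    body = [r for r in body if not all(re.fullmatch(r":?-+:?", c) for c in r)]
    return [dict(zip(header, r)) for r in body if len(r) == len(header)]

def parse_signal(signal):
    """Split 'k=v; k=v' operator signals into a dict."""
    pairs = (p.split("=", 1) for p in signal.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def review_plan(rows):
    """Group rows by asset and list the follow-up commands in review order."""
    plan = {}
    for row in rows:
        entry = plan.setdefault(row["asset"], {"surfaces": set(), "public": False})
        entry["surfaces"].add(row["surface"])
        entry["public"] |= "public-ip" in parse_signal(row["operator signal"])
    out = []
    for asset, e in plan.items():
        cmds = ["endpoints"] if e["public"] else []
        for s in sorted(e["surfaces"]):
            cmds += [c for c in FOLLOW_UPS.get(s, []) if c not in cmds]
        out.append((asset, len(e["surfaces"]), e["public"], cmds))
    # Assets with several credential signals first, then publicly reachable ones.
    return sorted(out, key=lambda r: (-r[1], not r[2], r[0]))

if __name__ == "__main__":
    for asset, n, public, cmds in review_plan(parse_table(SAMPLE)):
        print(f"{asset}: signals={n} public={public} next={', '.join(cmds)}")
```

An asset that appears in more than one row with different surfaces sorts to the top, which matches the guidance to prioritize workloads that combine credential signals.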
tokens-credentials is a prioritization command.
It should rank credential-bearing and token-capable surfaces clearly. It is not a token-minting, secret-retrieval, or active abuse command.