T1552: Unsecured Credentials

[Viraj05-cr7]

Authenticate to Azure using interactive login

Write-Host "Please log in to your Azure account...";
Connect-AzAccount;

Initialize arrays to collect results

$ExposedSecrets = @();
$KeyVaultIssues = @();
$AppSettingsIssues = @();

1. Check Service Principal Secrets

Write-Host "Checking Service Principals for Exposed Secrets...";
try {
$ServicePrincipals = Get-AzADServicePrincipal -ErrorAction Stop;
foreach ($Principal in $ServicePrincipals) {
$Secrets = Get-AzADAppCredential -ObjectId $Principal.Id -ErrorAction SilentlyContinue;
if ($Secrets -and ($Secrets | Where-Object { $.EndDate -gt (Get-Date) })) {
Write-Host "Service Principal: $($Principal.DisplayName) has active credentials.";
$ExposedSecrets += $Principal;
}
}
} catch {
Write-Host "Error checking Service Principals: $";
}

2. Check Azure Key Vault for Exposed Secrets

Write-Host "Checking Azure Key Vault for Accessible Secrets...";
try {
$KeyVaults = Get-AzKeyVault -ErrorAction Stop;
foreach ($Vault in $KeyVaults) {
$Secrets = Get-AzKeyVaultSecret -VaultName $Vault.VaultName -ErrorAction SilentlyContinue;
if ($Secrets.Count -gt 0) {
Write-Host "Key Vault: $($Vault.VaultName) has $($Secrets.Count) secrets.";
$KeyVaultIssues += $Vault;
}
}
} catch {
Write-Host "Error checking Key Vaults: $_";
}

3. Check App Service Application Settings

Write-Host "Checking App Services for Exposed App Settings...";
try {
$AppServices = Get-AzWebApp -ErrorAction Stop;
foreach ($App in $AppServices) {
$AppSettings = Get-AzWebAppSettings -ResourceGroupName $App.ResourceGroup -Name $App.Name -ErrorAction SilentlyContinue;
if ($AppSettings) {
$CredentialsFound = $AppSettings.Properties.Keys | Where-Object { $_ -match "password|secret|key" };
if ($CredentialsFound) {
Write-Host "App Service: $($App.Name) has potentially exposed credentials in App Settings.";
$AppSettingsIssues += $App;
}
}
}
} catch {
Write-Host "Error checking App Services: $_";
}

Summary of Results

Write-Host "`n--- Simulation Complete ---";
Write-Host "Exposed Service Principal Secrets: $($ExposedSecrets.Count)";
Write-Host "Key Vaults with Accessible Secrets: $($KeyVaultIssues.Count)";
Write-Host "App Services with Exposed App Settings: $($AppSettingsIssues.Count)";

[Viraj05-cr7]

Combine all the segmented snippets as one full code in PowerShell, you'll get the results...

Run this test using a low or no privilege account to find the data