azbelt

Standalone DLL and sliver extension for enumerating Azure related credentials, primarily on AAD joined machines

Modules

aadjoin - Gets info about machine AAD status via NetGetAadJoinInformation
credman - Gets credentials from Credential Manager
env - Looks for Azure/AAD specific environment variables that may contain secrets
managed - Calls IMDS endpoint to get info about machine with managed identity
msal - Looks in various MSAL caches for tokens. Tokens are parsed to display scope and validity
sso - If machine is AAD joined, get signed PRT cookie
tbres - Gets tokens from Token Broker cache
all - Runs all enumeration except SSO

A devcontainer is a provided for easy development and building. The devcontainer base definition is located here.

To build, simply:

nimble release

This will drop the DLLs into the project folder. If you want the exe for testing the DLL, you can also build the DLL runner:

nimble dllrun

You can do both at the same time:

nimble all

Name		Name	Last commit message	Last commit date
Latest commit History 45 Commits
.devcontainer		.devcontainer
.github/workflows		.github/workflows
.vscode		.vscode
scripts		scripts
src		src
tools		tools
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
azbelt.nimble		azbelt.nimble
extension.json		extension.json