Matt Burrough’s Pentesting Azure Applications is a great crash course on how someone would start pen testing an Azure environment. The author gives an excellent rundown on the use of Mimikatz and how to obtain certain information from memory. Matt Burrough also provides a thorough description of how monitoring, logs and alerts could help determine if anything is out of the ordinary. Pentesting Azure Applications allows the reader to understand the information by demonstrating code and explaining how the provided code segment functions. This allows the reader to follow along with the concepts that the book introduces and provides an example for the reader. The reader will hopefully be able to use the introduced concepts for future pen testing. Matt's writing helps allow a reader to see common issues that users of Azure may introduce. It was quite interesting to see where users stored passwords and how easy they were to obtain. However, it was quite interesting to see how the two Azure service models managed credentials. This demonstrated how the Azure Service Management model was better suited to maintaining credentials than the older Azure Resource Manager model. Pentesting Azure Applications provides a great guide for someone to start pen testing an Azure environment. This book can also demonstrate to an Azure administrator the potential weak points for their environment.
Rating 5/5
– Andrew Swoboda, Senior Security Researcher, Tripwire

I found that Pentesting Azure Applications is a great guide on the titular topic. The author lays out his basic assumptions from the beginning – such as that the reader is already knowledgeable about pentesting to some degree. I particularly enjoyed the “Defender’s Tip” boxes scattered throughout the book. These tips provide some great advice for the other side of a pentester’s job – fixing the holes. The ones I found especially useful are those that can be applied more broadly as opposed to those that only relate to Azure. Another useful aside consisted of the notes, which were helpfully placed directly beneath their relevant paragraphs. These notes provide links and brief blurbs about external resources. In some cases, they offer useful sidebar commentary about Azure or the pentesting methods being discussed. Overall, while Pentesting Azure Applications seemed slow-paced at times, it was laid out in a logical fashion that walks the reader through the author’s methodology while providing the information and tools needed by the reader to succeed on their own.
Rating 4.8/5
– Ary Widdes, Security Researcher, Tripwire

Pentesting Azure Applications is less of a guide toward pentesting and more of an unofficial Azure manual. Much of the book focuses simply on describing Azure and how to interact with it. A large portion of this book is effectively just saying that an attacker can do lots of bad things if they compromise Azure credentials. Much of the rest of the book is focused on standard post-exploitative tools and methods for finding credentials from compromised systems and then reviewing how to log in and use the credentials. Although this book could certainly be helpful for anyone looking to get acquainted with Azure security policies, any experienced penetration tester should already know most of what’s in the book and can learn the rest by simply reading Microsoft’s documentation. While it is clear that the author has some valuable expertise to draw upon, I believe this book could be considerably condensed to about half its size without losing much value.