Az - AI Foundry, AI Hubs, Azure OpenAI & AI Search

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Why these services matter

Azure AI Foundry is Microsoft's umbrella for building GenAI applications. A hub consolidates AI projects, Azure ML workspaces, compute, data stores, registries, prompt flow assets, and connections to downstream services such as Azure OpenAI and Azure AI Search. Each component typically exposes:

  • Long-lived API keys (OpenAI, Search, data connectors) replicated into Azure Key Vault or workspace connection objects.
  • Managed Identities (MI) that control deployments, vector indexing jobs, model evaluation pipelines, and Git/GitHub Enterprise operations.
  • Cross-service links (storage accounts, container registries, Application Insights, Log Analytics) that inherit hub/project permissions.
  • Multi-tenant connectors (Hugging Face, Azure Data Lake, Event Hubs) that may leak upstream credentials or tokens.

Compromise of a single hub/project can therefore imply control over downstream managed identities, compute clusters, online endpoints, and any search indexes or OpenAI deployments referenced by prompt flows.

Core Components & Security Surface

  • AI Hub (Microsoft.MachineLearningServices/hubs): Top-level object that defines region, managed network, system datastores, default Key Vault, Container Registry, Log Analytics, and hub-level identities. A compromised hub lets an attacker add new projects, registries, or user-assigned identities.
  • AI Projects (Microsoft.MachineLearningServices/workspaces): Host prompt flows, data assets, environments, component pipelines, and online/batch endpoints. Projects inherit hub resources and can also be provisioned with their own storage, Key Vault, and MI. Each workspace stores secrets under /connections and /datastores.
  • Managed Compute & Endpoints: Includes managed online endpoints, batch endpoints, serverless endpoints, AKS/ACI deployments, and on-demand inference servers. Tokens fetched from the Azure Instance Metadata Service (IMDS) inside these runtimes usually carry the workspace/project MI role assignments (typically Contributor or Owner).
  • AI Registries & Model Catalog: Allow region-scoped sharing of models, environments, components, data, and evaluation results. Registries can sync automatically to GitHub/Azure DevOps, which means PATs may be embedded in connection definitions.
  • Azure OpenAI (Microsoft.CognitiveServices/accounts with kind=OpenAI): Provides GPT-family models. Access is controlled by role assignments + admin/query keys. Many Foundry prompt flows keep the generated keys as secrets or environment variables accessible from compute jobs.
  • Azure AI Search (Microsoft.Search/searchServices): Vector/index storage, usually connected via a Search admin key stored inside a project connection. Index data can contain sensitive embeddings, referenced documents, or raw training corpora.

Security-relevant Architecture

Managed Identities & Role Assignments

  • AI hubs/projects can enable system-assigned or user-assigned identities. These identities typically hold roles on storage accounts, key vaults, container registries, Azure OpenAI resources, Azure AI Search services, Event Hubs, Cosmos DB, or custom APIs.
  • Online endpoints inherit the project MI or can be provisioned with a dedicated user-assigned MI per deployment.
  • Prompt Flow connections and Automated Agents can request tokens via DefaultAzureCredential; capturing the metadata endpoint from compute yields tokens for lateral movement.

Network Boundaries

  • Hubs/projects support publicNetworkAccess, private endpoints, Managed VNet and managedOutbound rules. A misconfigured allowInternetOutbound setting or open scoring endpoints allow direct exfiltration.
  • Azure OpenAI and AI Search support firewall rules, Private Endpoint Connections (PEC), shared private link resources, and trustedClientCertificates. When public access is enabled, these services accept requests from any source IP that knows the key.

Data & Secret Stores

  • Default hub/project deployments create a storage account, Azure Container Registry, Key Vault, Application Insights, and Log Analytics workspace inside a hidden managed resource group (pattern: mlw-<workspace>-rg).
  • Workspace datastores reference blob/data lake containers and can have SAS tokens, service principal secrets, or storage access keys embedded.
  • Workspace connections (for Azure OpenAI, AI Search, Cognitive Services, Git, Hugging Face, etc.) hold credentials in the workspace Key Vault and expose them through the management plane when the connection is listed (values are base64-encoded JSON).
  • AI Search admin keys provide full read/write access to indexes, skillsets, and data sources, and can retrieve the documents that feed RAG systems.

Monitoring & Supply Chain

  • AI Foundry supports GitHub/Azure DevOps integration for code and prompt flow assets. OAuth tokens or PATs live in the Key Vault + connection metadata.
  • Model Catalog can mirror Hugging Face artifacts. If trust_remote_code=true, arbitrary Python runs during deployment.
  • Data/feature pipelines log to Application Insights or Log Analytics, which exposes connection strings.

Enumeration with az

# Install the Azure ML / AI CLI extension (if missing)
az extension add --name ml

# Enumerate AI Hubs (workspaces with kind=hub) and inspect properties
az ml workspace list --filtered-kinds hub --resource-group <RG> --query "[].{name:name, location:location, rg:resourceGroup}" -o table
az resource show --name <HUB> --resource-group <RG> \
--resource-type Microsoft.MachineLearningServices/workspaces \
--query "{location:location, publicNetworkAccess:properties.publicNetworkAccess, identity:identity, managedResourceGroup:properties.managedResourceGroup}" -o jsonc

# Enumerate AI Projects (kind=project) under a hub or RG
az resource list --resource-type Microsoft.MachineLearningServices/workspaces --query "[].{name:name, rg:resourceGroup, location:location}" -o table
az ml workspace list --filtered-kinds project --resource-group <RG> \
--query "[?contains(properties.hubArmId, '/workspaces/<HUB>')].{name:name, rg:resourceGroup, location:location}"

# Show workspace level settings (managed identity, storage, key vault, container registry)
az ml workspace show --name <WS> --resource-group <RG> \
--query "{managedNetwork:properties.managedNetwork, storageAccount:properties.storageAccount, containerRegistry:properties.containerRegistry, keyVault:properties.keyVault, identity:identity}"

# List workspace connections (OpenAI, AI Search, Git, data sources)
az ml connection list --workspace-name <WS> --resource-group <RG> --populate-secrets -o table
az ml connection show --workspace-name <WS> --resource-group <RG> --name <CONNECTION>
# For REST (returns base64 encoded secrets)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections/<CONN>?api-version=2024-04-01"

# Enumerate datastores and extract credentials/SAS
az ml datastore list --workspace-name <WS> --resource-group <RG>
az ml datastore show --name <DATASTORE> --workspace-name <WS> --resource-group <RG>

# List managed online/batch endpoints and deployments (capture identity per deployment)
az ml online-endpoint list --workspace-name <WS> --resource-group <RG>
az ml online-endpoint show --name <ENDPOINT> --workspace-name <WS> --resource-group <RG>
az ml online-deployment show --name <DEPLOYMENT> --endpoint-name <ENDPOINT> --workspace-name <WS> --resource-group <RG> \
--query "{identity:identity, environment:properties.environmentId, codeConfiguration:properties.codeConfiguration}"

# Discover prompt flows, components, environments, data assets
az ml component list --workspace-name <WS> --resource-group <RG>
az ml data list --workspace-name <WS> --resource-group <RG> --type uri_folder
az ml environment list --workspace-name <WS> --resource-group <RG>
az ml job list --workspace-name <WS> --resource-group <RG> --type pipeline

# List hub/project managed identities and their role assignments
az identity list --resource-group <RG>
az role assignment list --assignee <MI-PRINCIPAL-ID> --all

# Azure OpenAI resources (filter kind==OpenAI)
az resource list --resource-type Microsoft.CognitiveServices/accounts \
--query "[?kind=='OpenAI'].{name:name, rg:resourceGroup, location:location}" -o table
az cognitiveservices account list --resource-group <RG> \
--query "[?kind=='OpenAI'].{name:name, location:location}" -o table
az cognitiveservices account show --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account keys list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account deployment list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account network-rule list --name <AOAI-NAME> --resource-group <RG>

# Azure AI Search services
az search service list --resource-group <RG>
az search service show --name <SEARCH-NAME> --resource-group <RG> \
--query "{sku:sku.name, publicNetworkAccess:properties.publicNetworkAccess, privateEndpoints:properties.privateEndpointConnections}"
az search admin-key show --service-name <SEARCH-NAME> --resource-group <RG>
az search query-key list --service-name <SEARCH-NAME> --resource-group <RG>
az search shared-private-link-resource list --service-name <SEARCH-NAME> --resource-group <RG>

# AI Search data-plane (requires admin key in header)
az rest --method GET \
--url "https://<SEARCH-NAME>.search.windows.net/indexes?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
az rest --method GET \
--url "https://<SEARCH-NAME>.search.windows.net/datasources?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
az rest --method GET \
--url "https://<SEARCH-NAME>.search.windows.net/indexers?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"

# Linkage between workspaces and search / openAI (REST helper)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections?api-version=2024-04-01" \
--query "value[?properties.target=='AzureAiSearch' || properties.target=='AzureOpenAI']"

What to look for during an assessment

  • Identity scope: Projects often reuse a powerful user-assigned identity attached to several services. Capturing IMDS tokens from any managed compute inherits those privileges.
  • Connection objects: The Base64 payload includes the secret plus metadata (endpoint URL, API version). Many teams leave OpenAI + Search admin keys here instead of rotating them regularly.
  • Git & external source connectors: PATs or OAuth refresh tokens can grant push access to the code that defines pipelines/prompt flows.
  • Datastores & data assets: Provide SAS tokens that stay valid for months; data assets can point to customer PII, embeddings, or training corpora.
  • Managed Network overrides: allowInternetOutbound=true or publicNetworkAccess=Enabled makes it trivial to exfiltrate secrets from jobs/endpoints.
  • Hub-managed resource group: Contains the storage account (<workspace>storage), container registry, KV, and Log Analytics. Access to that RG often means full takeover even if the portal hides it.
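A defender-side audit of the findings listed above, run over constructed JSON samples shaped like the output of the `az ml workspace show`, `az ml connection list` and `az search service show` commands from the enumeration section. This is an added example, not HackTricks code; the field names `managedNetwork.isolationMode` and `authType` and the auth-type values are assumptions about the CLI's JSON and should be checked against live output.

```python
import json

# Constructed sample shaped like `az ml workspace show` output: a hub that is
# internet-reachable and whose managed network allows any outbound traffic.
WORKSPACE = json.loads("""{"name": "hub-demo", "identity": {"type": "UserAssigned"},
  "properties": {"publicNetworkAccess": "Enabled",
                 "managedNetwork": {"isolationMode": "AllowInternetOutbound"}}}""")

# Constructed sample shaped like `az ml connection list` output (the authType
# field name and its values are assumptions about the CLI's JSON).
CONNECTIONS = json.loads("""[
  {"name": "aoai-prod",  "properties": {"target": "AzureOpenAI",   "authType": "ApiKey"}},
  {"name": "search-rag", "properties": {"target": "AzureAiSearch", "authType": "AAD"}},
  {"name": "gh-flows",   "properties": {"target": "Git",           "authType": "PAT"}}
]""")

# Constructed sample shaped like `az search service show` output.
SEARCH = json.loads("""{"name": "srch-demo",
  "properties": {"publicNetworkAccess": "Enabled", "privateEndpointConnections": []}}""")

# Auth types that persist a long-lived secret in the workspace Key Vault.
SECRET_AUTH = {"ApiKey", "PAT", "SAS", "UsernamePassword"}

def audit_workspace(ws):
    """Flag hub/project network settings that permit inbound access or exfiltration."""
    props, out = ws.get("properties", {}), []
    if props.get("publicNetworkAccess", "").lower() == "enabled":
        out.append(f"{ws['name']}: publicNetworkAccess=Enabled")
    mode = props.get("managedNetwork", {}).get("isolationMode", "")
    if mode in ("AllowInternetOutbound", "Disabled"):  # Disabled = no managed VNet at all
        out.append(f"{ws['name']}: managed network isolationMode={mode} allows outbound")
    return out

def audit_connections(conns):
    """Flag connections that store a key/PAT/SAS instead of using Entra ID (AAD) auth."""
    return [f"{c['name']}: {c['properties'].get('target')} via {c['properties']['authType']}"
            for c in conns if c.get("properties", {}).get("authType") in SECRET_AUTH]

def audit_search(svc):
    """Flag search services reachable from any source IP that holds a key."""
    props = svc.get("properties", {})
    if props.get("publicNetworkAccess", "").lower() == "enabled":
        return [f"{svc['name']}: publicNetworkAccess=Enabled, "
                f"{len(props.get('privateEndpointConnections', []))} private endpoint(s)"]
    return []

def run_audit():
    """Combine all findings for the constructed samples; returns a list of strings."""
    return audit_workspace(WORKSPACE) + audit_connections(CONNECTIONS) + audit_search(SEARCH)
```

Feed the real `az ... -o json` output to the three audit functions instead of the constructed samples; each returned string is one item to rotate, lock down, or move to managed-identity auth.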
