Az - AI Foundry, AI Hubs, Azure OpenAI & AI Search
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Why these services matter
Azure AI Foundry is Microsoft's umbrella for building GenAI applications. A hub aggregates AI projects, Azure ML workspaces, compute, data stores, registries, prompt flow assets and connections to downstream services such as Azure OpenAI and Azure AI Search. Each component commonly exposes:
- Long-lived API keys (OpenAI, Search, data connectors) replicated into Azure Key Vault or workspace connection objects.
- Managed Identities (MI) that drive deployments, vector indexing jobs, model evaluation pipelines and Git/GitHub Enterprise operations.
- Cross-service links (storage accounts, container registries, Application Insights, Log Analytics) that inherit permissions from the hub/project.
- Multi-tenant connectors (Hugging Face, Azure Data Lake, Event Hubs) that can leak upstream credentials or tokens.
Compromising a single hub/project can therefore mean control over downstream managed identities, compute clusters, online endpoints and any search indexes or OpenAI deployments referenced by prompt flows.
Core components & security surface
- AI Hub (`Microsoft.MachineLearningServices/workspaces` with `kind=hub`): Top-level object that defines region, managed network, system datastores, default Key Vault, Container Registry, Log Analytics and hub-level identities. A compromised hub lets an attacker inject new projects, registries or user-assigned identities.
- AI Projects (`Microsoft.MachineLearningServices/workspaces` with `kind=project`): Host prompt flows, data assets, environments, component pipelines and online/batch endpoints. Projects inherit hub resources and can also override them with their own storage, Key Vault and MI. Each workspace stores secrets under `/connections` and `/datastores`.
- Managed Compute & Endpoints: Includes managed online endpoints, batch endpoints, serverless endpoints, AKS/ACI deployments and on-demand inference servers. Tokens obtained from the Azure Instance Metadata Service (IMDS) inside these runtimes usually carry the role assignments of the workspace/project MI (commonly `Contributor` or `Owner`).
- AI Registries & Model Catalog: Allow per-region sharing of models, environments, components, data and evaluation results. Registries can auto-sync with GitHub/Azure DevOps, meaning PATs may end up embedded in connection definitions.
- Azure OpenAI (`Microsoft.CognitiveServices/accounts` with `kind=OpenAI`): Provides GPT-family models. Access is controlled via role assignments + the account keys (`key1`/`key2`). Many Foundry prompt flows store the generated keys as secrets or environment variables reachable from compute jobs.
- Azure AI Search (`Microsoft.Search/searchServices`): Vector/index store typically wired in through a Search admin key stored inside a project connection. Index data can contain sensitive embeddings, retrieved documents or raw training corpora.
Security-relevant architecture
Managed Identities & Role Assignments
- AI hubs/projects can enable system-assigned or user-assigned identities. These identities usually hold roles on storage accounts, Key Vaults, container registries, Azure OpenAI resources, Azure AI Search services, Event Hubs, Cosmos DB or custom APIs.
- Online endpoints inherit the project MI or can override it with a dedicated user-assigned MI per deployment.
- Prompt Flow connections and Automated Agents can request tokens via `DefaultAzureCredential`; hitting the metadata endpoint from the compute yields tokens for lateral movement.
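Added example (not HackTricks' own code): what "hitting the metadata endpoint" amounts to, and what to read out of the token you get back. `imds_token_request` builds the documented IMDS call (`169.254.169.254/metadata/identity/oauth2/token`, `Metadata: true` header, optional `client_id` to pick one of several user-assigned identities); `describe_token` decodes the JWT payload without verifying it, so you can see which identity (`oid`, `xms_mirid`), tenant and audience the token is for before you spend it. The token below is constructed with a fake signature; no real endpoint is contacted.

```python
import base64
import json
import time
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def imds_token_request(resource, client_id=None, api_version="2018-02-01"):
    """Return (url, headers) for the IMDS call a job on managed compute makes to
    get a token for `resource`. `client_id` selects one user-assigned identity
    when several are attached; the Metadata: true header is mandatory."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def describe_token(access_token, now=None):
    """Decode the JWT payload WITHOUT verifying the signature (we only want to
    know whose token this is). Relevant claims on a managed-identity token:
    aud (target API), oid (principal object id), xms_mirid (ARM id of the MI),
    tid (tenant), exp (expiry, epoch seconds)."""
    _header, payload_b64, _sig = access_token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    return {
        "audience": claims.get("aud"),
        "principal_id": claims.get("oid"),
        "identity_resource_id": claims.get("xms_mirid"),
        "tenant": claims.get("tid"),
        "seconds_left": int(claims.get("exp", 0) - now),
    }


def next_enumeration_command(info):
    """Given a decoded token, the az command that maps the identity to its RBAC."""
    return f"az role assignment list --assignee {info['principal_id']} --all -o table"


# Constructed sample (not a real token): a JWT with a fake signature, shaped
# like the JSON body IMDS returns. All ids below are invented.
SAMPLE_IMDS_RESPONSE = {
    "access_token": ".".join([
        _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
        _b64url_encode(json.dumps({
            "aud": "https://management.azure.com/",
            "tid": "72f988bf-0000-0000-0000-000000000000",
            "oid": "11111111-2222-3333-4444-555555555555",
            "xms_mirid": "/subscriptions/00000000-0000-0000-0000-000000000000"
                         "/resourcegroups/rg-genai/providers/Microsoft.ManagedIdentity"
                         "/userAssignedIdentities/foundry-project-mi",
            "exp": 1_700_003_600,
        }).encode()),
        "constructed-signature",
    ]),
    "resource": "https://management.azure.com/",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    url, headers = imds_token_request("https://management.azure.com/")
    print("GET", url, headers)
    info = describe_token(SAMPLE_IMDS_RESPONSE["access_token"], now=1_700_000_000)
    print(json.dumps(info, indent=2))
    print(next_enumeration_command(info))
```

On real compute, replace the constructed response with the JSON body of the request `imds_token_request` describes; `xms_mirid` tells you immediately whether you landed on the project's own identity or on a shared user-assigned one attached to several services.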
Network Boundaries
- Hubs/projects support `publicNetworkAccess`, private endpoints, Managed VNet and managed outbound rules. A misconfigured `allowInternetOutbound` or open scoring endpoints allow direct exfiltration.
- Azure OpenAI and AI Search support firewall rules, Private Endpoint Connections (PEC), shared private link resources and `trustedClientCertificates`. When public access is enabled, these services accept requests from any source IP that knows the key.
Data & Secret Stores
- Default hub/project deployments create a storage account, Azure Container Registry, Key Vault, Application Insights and a Log Analytics workspace inside a hidden managed resource group (default: `mlw-<workspace>-rg`).
- Workspace datastores reference blob/data lake containers and may embed SAS tokens, service principal secrets or storage access keys.
- Workspace connections (to Azure OpenAI, AI Search, Cognitive Services, Git, Hugging Face, etc.) keep their credentials in the workspace Key Vault and expose them through the management plane when the connection is read with secrets populated (the values are base64-encoded JSON).
- AI Search admin keys grant full read/write access to indexes, skillsets and data sources, and can retrieve the documents that feed RAG systems.
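Added example (not HackTricks' own code) for the connection objects described above: a decoder for the JSON that `az ml connection list/show --populate-secrets -o json` (or the REST call) returns, which unwraps the base64-encoded credential values and flags every connection whose `authType` means a static secret is sitting in the workspace. The four connection objects are constructed; `properties.category`, `authType`, `target` and `credentials` follow the WorkspaceConnection ARM schema, but the exact inner shape of `credentials` is an assumption here, so the decoder accepts both a single base64 blob and a dict of base64 fields.

```python
import base64
import binascii
import json

# authType values that mean a static, long-lived secret lives in the connection
# (as opposed to ManagedIdentity/AAD, where nothing reusable is stored).
LONG_LIVED_AUTH = {"ApiKey", "PAT", "SAS", "AccountKey", "AccessKey",
                   "UsernamePassword", "ServicePrincipal", "CustomKeys"}


def decode_secret(value):
    """Decode one credential value. Connection secrets come back as
    base64-encoded JSON; plain text is returned unchanged."""
    if not isinstance(value, str):
        return value
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value  # not base64 (or not text): keep as-is
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw  # base64 of a bare key string


def extract_connection_secrets(connections_json):
    """Walk `az ml connection list -o json` output and return, per connection,
    the decoded credential material plus a long_lived flag."""
    results = []
    for conn in json.loads(connections_json):
        props = conn.get("properties", {})
        auth = props.get("authType") or "None"
        creds = props.get("credentials")
        if isinstance(creds, str):            # whole credential blob encoded
            secrets = {"credentials": decode_secret(creds)}
        elif isinstance(creds, dict):         # per-field encoding
            secrets = {k: decode_secret(v) for k, v in creds.items()}
        else:                                 # ManagedIdentity/AAD: nothing stored
            secrets = {}
        results.append({
            "name": conn.get("name"),
            "category": props.get("category"),
            "target": props.get("target"),
            "auth_type": auth,
            "secrets": secrets,
            "long_lived": auth in LONG_LIVED_AUTH and bool(secrets),
        })
    return results


def long_lived_names(connections_json):
    """Names of connections holding a reusable secret: rotation/abuse candidates."""
    return [c["name"] for c in extract_connection_secrets(connections_json) if c["long_lived"]]


def _b64(obj):
    """Build the constructed sample: base64 of a JSON object or of raw text."""
    data = obj if isinstance(obj, str) else json.dumps(obj)
    return base64.b64encode(data.encode()).decode()


# Constructed sample (not real output): four connections typical of a Foundry project.
SAMPLE_CONNECTIONS = json.dumps([
    {"name": "aoai-prod", "properties": {
        "category": "AzureOpenAI", "authType": "ApiKey",
        "target": "https://contoso-aoai.openai.azure.com/",
        "credentials": {"key": _b64({"key": "sk-constructed-aoai-key"})}}},
    {"name": "ai-search-prod", "properties": {
        "category": "CognitiveSearch", "authType": "ApiKey",
        "target": "https://contoso-search.search.windows.net/",
        "credentials": {"key": _b64("constructed-search-admin-key")}}},
    {"name": "datalake-mi", "properties": {
        "category": "ADLSGen2", "authType": "ManagedIdentity",
        "target": "https://contosodl.dfs.core.windows.net/", "credentials": None}},
    {"name": "github-promptflow", "properties": {
        "category": "Git", "authType": "PAT",
        "target": "https://github.com/contoso/promptflows",
        "credentials": {"pat": _b64("ghp_constructedtoken")}}},
])

if __name__ == "__main__":
    for c in extract_connection_secrets(SAMPLE_CONNECTIONS):
        flag = "LONG-LIVED" if c["long_lived"] else "ok"
        print(f"{flag:10} {c['name']:18} {c['category']:16} {c['auth_type']:16} {c['secrets']}")
```

Feed it real output with `extract_connection_secrets(open("connections.json").read())`; anything flagged `LONG-LIVED` is a key that works from any IP while public access is enabled on the target service.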
Monitoring & Supply Chain
- AI Foundry supports GitHub/Azure DevOps integration for code and prompt flow assets. OAuth tokens or PATs live in Key Vault + connection metadata.
- Model Catalog can mirror Hugging Face artifacts. If `trust_remote_code=true`, arbitrary Python executes during deployment.
- Data/feature pipelines log to Application Insights or Log Analytics, exposing connection strings.
Enumeration with az
# Install the Azure ML / AI CLI extension (if missing)
az extension add --name ml
# Enumerate AI Hubs (workspaces with kind=hub) and inspect properties
az ml workspace list --filtered-kinds hub --resource-group <RG> --query "[].{name:name, location:location, rg:resourceGroup}" -o table
az resource show --name <HUB> --resource-group <RG> \
--resource-type Microsoft.MachineLearningServices/workspaces \
--query "{location:location, publicNetworkAccess:properties.publicNetworkAccess, identity:identity, managedResourceGroup:properties.managedResourceGroup}" -o jsonc
# Enumerate AI Projects (kind=project) under a hub or RG
az resource list --resource-type Microsoft.MachineLearningServices/workspaces --query "[].{name:name, rg:resourceGroup, location:location}" -o table
az ml workspace list --filtered-kinds project --resource-group <RG> \
--query "[?contains(properties.hubArmId, '/workspaces/<HUB>')].{name:name, rg:resourceGroup, location:location}"
# Show workspace level settings (managed identity, storage, key vault, container registry)
az ml workspace show --name <WS> --resource-group <RG> \
--query "{managedNetwork:properties.managedNetwork, storageAccount:properties.storageAccount, containerRegistry:properties.containerRegistry, keyVault:properties.keyVault, identity:identity}"
# List workspace connections (OpenAI, AI Search, Git, data sources)
az ml connection list --workspace-name <WS> --resource-group <RG> --populate-secrets -o table
az ml connection show --workspace-name <WS> --resource-group <RG> --name <CONNECTION>
# For REST (credential values, where returned, are base64-encoded JSON)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections/<CONN>?api-version=2024-04-01"
# Enumerate datastores and extract credentials/SAS
az ml datastore list --workspace-name <WS> --resource-group <RG>
az ml datastore show --name <DATASTORE> --workspace-name <WS> --resource-group <RG>
# List managed online/batch endpoints and deployments (capture identity per deployment)
az ml online-endpoint list --workspace-name <WS> --resource-group <RG>
az ml online-endpoint show --name <ENDPOINT> --workspace-name <WS> --resource-group <RG>
az ml online-deployment show --name <DEPLOYMENT> --endpoint-name <ENDPOINT> --workspace-name <WS> --resource-group <RG> \
--query "{identity:identity, environment:properties.environmentId, codeConfiguration:properties.codeConfiguration}"
# Discover prompt flows, components, environments, data assets
az ml component list --workspace-name <WS> --resource-group <RG>
az ml data list --workspace-name <WS> --resource-group <RG> --type uri_folder
az ml environment list --workspace-name <WS> --resource-group <RG>
az ml job list --workspace-name <WS> --resource-group <RG> --type pipeline
# List hub/project managed identities and their role assignments
az identity list --resource-group <RG>
az role assignment list --assignee <MI-PRINCIPAL-ID> --all
# Azure OpenAI resources (filter kind==OpenAI)
az resource list --resource-type Microsoft.CognitiveServices/accounts \
--query "[?kind=='OpenAI'].{name:name, rg:resourceGroup, location:location}" -o table
az cognitiveservices account list --resource-group <RG> \
--query "[?kind=='OpenAI'].{name:name, location:location}" -o table
az cognitiveservices account show --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account keys list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account deployment list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account network-rule list --name <AOAI-NAME> --resource-group <RG>
# Azure AI Search services
az search service list --resource-group <RG>
az search service show --name <SEARCH-NAME> --resource-group <RG> \
--query "{sku:sku.name, publicNetworkAccess:properties.publicNetworkAccess, privateEndpoints:properties.privateEndpointConnections}"
az search admin-key show --service-name <SEARCH-NAME> --resource-group <RG>
az search query-key list --service-name <SEARCH-NAME> --resource-group <RG>
az search shared-private-link-resource list --service-name <SEARCH-NAME> --resource-group <RG>
# AI Search data-plane (requires admin key in header; --skip-authorization-header stops az rest
# from trying to attach an Entra token for a non-ARM URL)
az rest --method GET --skip-authorization-header \
--url "https://<SEARCH-NAME>.search.windows.net/indexes?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
az rest --method GET --skip-authorization-header \
--url "https://<SEARCH-NAME>.search.windows.net/datasources?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
az rest --method GET --skip-authorization-header \
--url "https://<SEARCH-NAME>.search.windows.net/indexers?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
# Linkage between workspaces and search / openAI (REST helper). The connection type is in
# properties.category; properties.target holds the endpoint URL, so filter on category.
az rest --method GET \
--url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections?api-version=2024-04-01" \
--query "value[?properties.category=='CognitiveSearch' || properties.category=='AzureOpenAI']"
What to look for during assessment
- Identity scope: Projects often reuse one powerful user-assigned identity attached to multiple services. Grabbing IMDS tokens from any managed compute inherits those privileges.
- Connection objects: The Base64 payload includes the secret plus metadata (endpoint URL, API version). Many teams leave the OpenAI + Search admin keys here instead of rotating them often.
- Git & external source connectors: PATs or OAuth refresh tokens can grant push access to the code that defines pipelines/prompt flows.
- Datastores & data assets: Provide SAS tokens valid for months; data assets may point at customer PII, embeddings or training corpora.
- Managed Network overrides: `allowInternetOutbound=true` or `publicNetworkAccess=Enabled` makes exfiltrating secrets from jobs/endpoints trivial.
- Hub-managed resource group: Contains the storage account (`<workspace>storage`), container registry, KV and Log Analytics. Access to this RG often means full takeover even though the portal hides it.
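Added example (not HackTricks' own code) that turns the enumeration output above into the findings on this checklist: it takes ARM-shaped JSON as returned by `az resource show`, `az rest` and `az role assignment list -o json` (note that `az ml ... show` prints snake_case keys, so map those first) and reports open network boundaries, internet-egress managed networks, broadly scoped privileged role assignments on the identities, and key-based auth still enabled on Azure OpenAI and AI Search. The input objects are constructed; the field paths used (`properties.publicNetworkAccess`, `properties.managedNetwork.isolationMode`, which is where the allow-internet-outbound setting surfaces, `properties.networkAcls.defaultAction`, `properties.disableLocalAuth`, `roleDefinitionName`/`scope`) are the ones these resource types expose, but verify them against your own output.

```python
import json

# Roles that let a managed identity change RBAC or deploy anything in scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_is_broad(scope):
    """True for subscription or resource-group scope (not a single resource).
    /subscriptions/<id> has 2 slashes, /subscriptions/<id>/resourceGroups/<rg> has 4."""
    return scope.count("/") <= 4


def audit_workspace(ws):
    """Hub/project: public management plane and managed-network egress."""
    name, props = ws["name"], ws.get("properties", {})
    out = []
    if props.get("publicNetworkAccess") == "Enabled":
        out.append(f"[workspace {name}] publicNetworkAccess=Enabled")
    mode = (props.get("managedNetwork") or {}).get("isolationMode") or "Disabled"
    if mode != "AllowOnlyApprovedOutbound":
        out.append(f"[workspace {name}] managedNetwork.isolationMode={mode}: jobs/endpoints can reach the internet")
    return out


def audit_role_assignments(assignments):
    """Identities holding Owner/Contributor/UAA at subscription or RG scope."""
    return [
        f"[identity {ra['principalId']}] {ra['roleDefinitionName']} at {ra['scope']}"
        for ra in assignments
        if ra.get("roleDefinitionName") in PRIVILEGED_ROLES and scope_is_broad(ra.get("scope", ""))
    ]


def audit_openai(acct):
    """Azure OpenAI account: reachable from anywhere and/or still accepting key auth."""
    name, props = acct["name"], acct.get("properties", {})
    out = []
    if props.get("publicNetworkAccess") == "Enabled" and \
            (props.get("networkAcls") or {}).get("defaultAction", "Allow") == "Allow":
        out.append(f"[openai {name}] reachable from any IP")
    if not props.get("disableLocalAuth", False):
        out.append(f"[openai {name}] key-based auth enabled (a leaked key is full data-plane access)")
    return out


def audit_search(svc):
    """AI Search service: public endpoint and admin/query keys accepted."""
    name, props = svc["name"], svc.get("properties", {})
    out = []
    if str(props.get("publicNetworkAccess", "")).lower() == "enabled":
        out.append(f"[search {name}] publicNetworkAccess=enabled")
    if not props.get("disableLocalAuth", False):
        out.append(f"[search {name}] admin/query keys accepted")
    return out


def audit(enum):
    findings = []
    for ws in enum.get("workspaces", []):
        findings += audit_workspace(ws)
    findings += audit_role_assignments(enum.get("roleAssignments", []))
    for acct in enum.get("openai", []):
        findings += audit_openai(acct)
    for svc in enum.get("search", []):
        findings += audit_search(svc)
    return findings


def audit_json(text):
    """Same as audit() but on the raw JSON text saved from the az commands."""
    return audit(json.loads(text))


# Constructed sample (not real tenant data): one open project, one locked project,
# a shared identity with Contributor on the RG, and both AI services with defaults.
SAMPLE_ENUMERATION = {
    "workspaces": [
        {"name": "proj-genai", "properties": {"publicNetworkAccess": "Enabled",
                                              "managedNetwork": {"isolationMode": "AllowInternetOutbound"}}},
        {"name": "proj-locked", "properties": {"publicNetworkAccess": "Disabled",
                                               "managedNetwork": {"isolationMode": "AllowOnlyApprovedOutbound"}}},
    ],
    "roleAssignments": [
        {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "roleDefinitionName": "Contributor",
         "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-genai"},
        {"principalId": "aaaaaaaa-0000-0000-0000-000000000001", "roleDefinitionName": "Storage Blob Data Reader",
         "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-genai"
                  "/providers/Microsoft.Storage/storageAccounts/projgenaistorage"},
    ],
    "openai": [{"name": "contoso-aoai", "properties": {"publicNetworkAccess": "Enabled",
                                                        "networkAcls": {"defaultAction": "Allow"},
                                                        "disableLocalAuth": False}}],
    "search": [{"name": "contoso-search", "properties": {"publicNetworkAccess": "enabled",
                                                          "disableLocalAuth": False}}],
}
SAMPLE_ENUMERATION_JSON = json.dumps(SAMPLE_ENUMERATION)

if __name__ == "__main__":
    for line in audit(SAMPLE_ENUMERATION):
        print(line)
```

Each finding maps to one checklist item: the workspace lines to Managed Network overrides, the identity line to Identity scope, and the OpenAI/Search lines to the connection-key exposure that makes a leaked key usable from anywhere.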