Az - AI Foundry, AI Hubs, Azure OpenAI & AI Search

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Why these services matter

Azure AI Foundry is Microsoft's umbrella for building GenAI applications. A hub aggregates AI projects, Azure ML workspaces, compute, data stores, registries, prompt flow assets and links to downstream services such as Azure OpenAI and Azure AI Search. Each component typically exposes:

  • Long-lived API keys (OpenAI, Search, data connectors) replicated into Azure Key Vault or workspace connection objects.
  • Managed Identities (MI) that drive deployments, vector indexing jobs, model evaluation pipelines and Git/GitHub Enterprise operations.
  • Cross-service links (storage accounts, container registries, Application Insights, Log Analytics) that inherit hub/project permissions.
  • Multi-tenant connectors (Hugging Face, Azure Data Lake, Event Hubs) that can leak upstream credentials or tokens.

Compromising a single hub/project can therefore mean control over downstream managed identities, compute clusters, online endpoints and any search indexes or OpenAI deployments that the prompt flows reference.

Core Components & Security Surface

  • AI Hub (Microsoft.MachineLearningServices/hubs): Top-level object that defines the region, managed network, system datastores, default Key Vault, Container Registry, Log Analytics and hub-level identities. A compromised hub lets an attacker inject new projects, registries or user-assigned identities.
  • AI Projects (Microsoft.MachineLearningServices/workspaces): Host prompt flows, data assets, environments, component pipelines and online/batch endpoints. Projects inherit hub resources and can override them with their own storage, Key Vault and MI. Each workspace stores secrets under /connections and /datastores.
  • Managed Compute & Endpoints: Includes managed online endpoints, batch endpoints, serverless endpoints, AKS/ACI deployments and on-demand inference servers. Tokens obtained from the Azure Instance Metadata Service (IMDS) inside these runtimes usually carry the workspace/project MI role assignments (frequently Contributor or Owner).
  • AI Registries & Model Catalog: Allow sharing models, environments, components, data and evaluation results within a region scope. Registries can auto-sync to GitHub/Azure DevOps, which means PATs may be embedded in connection definitions.
  • Azure OpenAI (Microsoft.CognitiveServices/accounts with kind=OpenAI): Provides the GPT family of models. Access is controlled by role assignments + admin/query keys. Many Foundry prompt flows store the generated keys as secrets or environment variables reachable from compute jobs.
  • Azure AI Search (Microsoft.Search/searchServices): Vector/index storage is usually wired in via a Search admin key stored inside a project connection. Index data may contain sensitive embeddings, retrieved documents or raw training corpora.

Security-relevant architecture

Managed Identities & Role Assignments

  • AI hubs/projects can enable system-assigned or user-assigned identities. These identities typically hold roles on storage accounts, key vaults, container registries, Azure OpenAI resources, Azure AI Search services, Event Hubs, Cosmos DB or custom APIs.
  • Online endpoints inherit the project MI or can be overridden with a dedicated user-assigned MI per deployment.
  • Prompt Flow connections and Automated Agents may request tokens via DefaultAzureCredential; intercepting the metadata endpoint from the compute yields tokens usable for lateral movement.

Network Boundaries

  • Hubs/projects support publicNetworkAccess, private endpoints, Managed VNet and managedOutbound rules. A misconfigured allowInternetOutbound or open scoring endpoints permit direct exfiltration.
  • Azure OpenAI and AI Search support firewall rules, Private Endpoint Connections (PEC), shared private link resources and trustedClientCertificates. When public access is enabled, these services accept requests from any source IP that knows the key.

Data & Secret Stores

  • Default hub/project deployments create a storage account, Azure Container Registry, Key Vault, Application Insights and Log Analytics workspace inside a hidden managed resource group (pattern: mlw-<workspace>-rg).
  • Workspace datastores reference blob/data lake containers and may embed SAS tokens, service principal secrets or storage access keys.
  • Workspace connections (to Azure OpenAI, AI Search, Cognitive Services, Git, Hugging Face, etc.) keep credentials in the workspace Key Vault and expose them through the management plane when connections are listed (values are base64-encoded JSON).
  • AI Search admin keys grant full read/write access to indexes, skillsets and data sources and can retrieve the documents that feed RAG systems.

Monitoring & Supply Chain

  • AI Foundry supports GitHub/Azure DevOps integration for code and prompt flow assets. OAuth tokens or PATs live in Key Vault + connection metadata.
  • The Model Catalog can mirror Hugging Face artifacts. If trust_remote_code=true, arbitrary Python executes during deployment.
  • Data/feature pipelines log to Application Insights or Log Analytics, exposing connection strings.

Enumeration with az

# Install the Azure ML / AI CLI extension (if missing)
az extension add --name ml

# Enumerate AI Hubs (workspaces with kind=hub) and inspect properties
az ml workspace list --filtered-kinds hub --resource-group <RG> --query "[].{name:name, location:location, rg:resourceGroup}" -o table
az resource show --name <HUB> --resource-group <RG> \
--resource-type Microsoft.MachineLearningServices/workspaces \
--query "{location:location, publicNetworkAccess:properties.publicNetworkAccess, identity:identity, managedResourceGroup:properties.managedResourceGroup}" -o jsonc

# Enumerate AI Projects (kind=project) under a hub or RG
az resource list --resource-type Microsoft.MachineLearningServices/workspaces --query "[].{name:name, rg:resourceGroup, location:location}" -o table
az ml workspace list --filtered-kinds project --resource-group <RG> \
--query "[?contains(properties.hubArmId, '/workspaces/<HUB>')].{name:name, rg:resourceGroup, location:location}"

# Show workspace level settings (managed identity, storage, key vault, container registry)
az ml workspace show --name <WS> --resource-group <RG> \
--query "{managedNetwork:properties.managedNetwork, storageAccount:properties.storageAccount, containerRegistry:properties.containerRegistry, keyVault:properties.keyVault, identity:identity}"

# List workspace connections (OpenAI, AI Search, Git, data sources)
az ml connection list --workspace-name <WS> --resource-group <RG> --populate-secrets -o table
az ml connection show --workspace-name <WS> --resource-group <RG> --name <CONNECTION>
# For REST (returns base64 encoded secrets)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections/<CONN>?api-version=2024-04-01"

# Enumerate datastores and extract credentials/SAS
az ml datastore list --workspace-name <WS> --resource-group <RG>
az ml datastore show --name <DATASTORE> --workspace-name <WS> --resource-group <RG>

# List managed online/batch endpoints and deployments (capture identity per deployment)
az ml online-endpoint list --workspace-name <WS> --resource-group <RG>
az ml online-endpoint show --name <ENDPOINT> --workspace-name <WS> --resource-group <RG>
az ml online-deployment show --name <DEPLOYMENT> --endpoint-name <ENDPOINT> --workspace-name <WS> --resource-group <RG> \
--query "{identity:identity, environment:properties.environmentId, codeConfiguration:properties.codeConfiguration}"

# Discover prompt flows, components, environments, data assets
az ml component list --workspace-name <WS> --resource-group <RG>
az ml data list --workspace-name <WS> --resource-group <RG> --type uri_folder
az ml environment list --workspace-name <WS> --resource-group <RG>
az ml job list --workspace-name <WS> --resource-group <RG> --type pipeline

# List hub/project managed identities and their role assignments
az identity list --resource-group <RG>
az role assignment list --assignee <MI-PRINCIPAL-ID> --all

# Azure OpenAI resources (filter kind==OpenAI)
az resource list --resource-type Microsoft.CognitiveServices/accounts \
--query "[?kind=='OpenAI'].{name:name, rg:resourceGroup, location:location}" -o table
az cognitiveservices account list --resource-group <RG> \
--query "[?kind=='OpenAI'].{name:name, location:location}" -o table
az cognitiveservices account show --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account keys list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account deployment list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account network-rule list --name <AOAI-NAME> --resource-group <RG>

# Azure AI Search services
az search service list --resource-group <RG>
az search service show --name <SEARCH-NAME> --resource-group <RG> \
--query "{sku:sku.name, publicNetworkAccess:properties.publicNetworkAccess, privateEndpoints:properties.privateEndpointConnections}"
az search admin-key show --service-name <SEARCH-NAME> --resource-group <RG>
az search query-key list --service-name <SEARCH-NAME> --resource-group <RG>
az search shared-private-link-resource list --service-name <SEARCH-NAME> --resource-group <RG>

# AI Search data-plane (requires admin key in header)
az rest --method GET \
--url "https://<SEARCH-NAME>.search.windows.net/indexes?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
az rest --method GET \
--url "https://<SEARCH-NAME>.search.windows.net/datasources?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"
az rest --method GET \
--url "https://<SEARCH-NAME>.search.windows.net/indexers?api-version=2024-07-01" \
--headers "api-key=<ADMIN-KEY>"

# Linkage between workspaces and Search / OpenAI (REST helper)
# Filter on the connection category; properties.target holds the endpoint URL, not the service type
az rest --method GET \
--url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections?api-version=2024-04-01" \
--query "value[?properties.category=='CognitiveSearch' || properties.category=='AzureOpenAI']"

What to look for during an assessment

  • Identity scope: Projects often reuse a powerful user-assigned identity attached to several services. Grabbing an IMDS token from any managed compute inherits those privileges.
  • Connection objects: The base64 payload contains the secret plus metadata (endpoint URL, API version). Many teams leave OpenAI + Search admin keys here instead of rotating them frequently.
  • Git & external source connectors: PATs or OAuth refresh tokens may grant push access to the code that defines pipelines/prompt flows.
  • Datastores & data assets: Yield SAS tokens valid for months; data assets may point at customer PII, embeddings or training corpora.
  • Managed Network overrides: allowInternetOutbound=true or publicNetworkAccess=Enabled make exfiltrating secrets from jobs/endpoints trivial.
  • Hub-managed resource group: Contains the storage account (<workspace>storage), container registry, KV and Log Analytics. Access to that RG often means a full takeover even if the portal hides it.
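As an added example (not part of the original page), the Python below turns the network and connection checks from this list into a triage script over the JSON the az commands above return: it flags publicNetworkAccess=Enabled and open managed-network egress, and reports connections that rely on a static credential (ApiKey/PAT/SAS) instead of AAD or a managed identity, listing only the field names of the decoded base64 payload so the audit output never echoes the secret. The ARM field names (properties.publicNetworkAccess, managedNetwork.isolationMode, authType, category, credentials) are assumed from the queries used on this page, the authType values are assumed, and the input is a constructed sample standing in for real az output.

```python
import base64
import json
# Constructed sample shaped like the ARM responses the az commands on this page return:
# properties.publicNetworkAccess, managedNetwork.isolationMode, base64 credential blobs.
SAMPLE_WORKSPACE = {"properties": {"publicNetworkAccess": "Enabled",
                                   "managedNetwork": {"isolationMode": "AllowInternetOutbound"}}}
SAMPLE_CONNECTIONS = {"value": [
    {"name": "aoai-prod", "properties": {"category": "AzureOpenAI", "authType": "ApiKey",
     "credentials": base64.b64encode(b'{"key": "CONSTRUCTED-NOT-REAL"}').decode()}},
    {"name": "search-rag", "properties": {"category": "CognitiveSearch", "authType": "AAD"}},
    {"name": "github-flows", "properties": {"category": "Git", "authType": "PAT",
     "credentials": base64.b64encode(b'{"pat": "CONSTRUCTED-NOT-REAL"}').decode()}},
]}

# Auth types (assumed names) that embed a long-lived static secret in the connection object
STATIC_AUTH = {"ApiKey", "PAT", "SAS", "UsernamePassword", "AccessKey"}
# Managed-network isolation modes that leave egress from compute unrestricted
OPEN_EGRESS = {"Disabled", "AllowInternetOutbound"}

def secret_field_names(encoded):
    """Return only the field names of the base64 JSON credential blob, never the values."""
    try:
        blob = json.loads(base64.b64decode(encoded))
    except (ValueError, TypeError):
        return []
    return sorted(blob) if isinstance(blob, dict) else []

def workspace_findings(ws):
    """Flag network settings that expose the workspace control plane or its compute egress."""
    props = ws.get("properties", {})
    found = []
    if str(props.get("publicNetworkAccess", "")).lower() == "enabled":
        found.append("publicNetworkAccess=Enabled: control plane reachable from any IP")
    mode = props.get("managedNetwork", {}).get("isolationMode", "Disabled")
    if mode in OPEN_EGRESS:
        found.append(f"isolationMode={mode}: jobs/endpoints can exfiltrate to the internet")
    return found

def connection_findings(conns):
    """Flag connections that carry static credentials instead of AAD / managed identity."""
    found = []
    for conn in conns.get("value", []):
        props = conn.get("properties", {})
        auth = props.get("authType")
        if auth in STATIC_AUTH:
            fields = secret_field_names(props.get("credentials", ""))
            found.append(f"{conn['name']} ({props.get('category')}): static {auth} credential, "
                         f"fields={fields}; prefer AAD/MI and rotate")
    return found
```

In an assessment, replace the samples with the output of `az ml workspace show` (or the `az rest` workspace call) and the connections REST call from the section above.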
