Az - AI Foundry, AI Hubs, Azure OpenAI & AI Search
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Why These Services Matter
Azure AI Foundry is Microsoft's platform for building GenAI applications. A hub aggregates AI projects, Azure ML workspaces, compute, data stores, registries, prompt flow assets, and connections to downstream services such as Azure OpenAI and Azure AI Search. Each component commonly exposes:
- Long-lived API keys (OpenAI, Search, data connectors) replicated inside Azure Key Vault or workspace connection objects.
- Managed Identities (MI) that drive deployments, vector indexing jobs, model evaluation pipelines, and Git/GitHub Enterprise actions.
- Cross-service links (storage accounts, container registries, Application Insights, Log Analytics) that inherit the hub/project permissions.
- Multi-tenant connectors (Hugging Face, Azure Data Lake, Event Hubs) that can leak upstream credentials or tokens.
Compromising a single hub/project can therefore mean control over the downstream managed identities, compute clusters, online endpoints, and the search indexes or OpenAI deployments referenced by prompt flows.
Core Components & Security Surface
- AI Hub (`Microsoft.MachineLearningServices/workspaces` with `kind=Hub`): Top-level object that defines the region, managed network, system datastores, default Key Vault, Container Registry, Log Analytics, and hub-level identities. A compromised hub lets an attacker inject new projects, registries, or user-assigned identities.
- AI Projects (`Microsoft.MachineLearningServices/workspaces` with `kind=Project`): Host prompt flows, data assets, environments, component pipelines, and online/batch endpoints. Projects inherit the hub's resources but can also attach their own storage, Key Vault, and MI. Each workspace stores secrets under the `/connections` and `/datastores` child resources.
- Managed Compute & Endpoints: Includes managed online endpoints, batch endpoints, serverless endpoints, AKS/ACI deployments, and on-demand inference servers. Tokens obtained from the Azure Instance Metadata Service (IMDS) inside these runtimes usually carry the workspace/project MI role assignments (commonly `Contributor` or `Owner`).
- AI Registries & Model Catalog: Enable region-scoped sharing of models, environments, components, data, and evaluation results. Registries can sync directly with GitHub/Azure DevOps, meaning PATs may be embedded inside connection definitions.
- Azure OpenAI (`Microsoft.CognitiveServices/accounts` with `kind=OpenAI`): Serves GPT-family models. Access is controlled through role assignments plus the account keys (`key1`/`key2`). Many Foundry prompt flows store the generated keys as secrets or environment variables reachable from compute jobs.
- Azure AI Search (`Microsoft.Search/searchServices`): Vector/index storage, usually linked through a Search admin key stored inside a project connection. Index data can contain sensitive embeddings, ingested documents, or raw training corpora.
Security-Relevant Architecture
Managed Identities & Role Assignments
- AI hubs/projects can enable system-assigned or user-assigned identities. These identities typically hold roles on storage accounts, key vaults, container registries, Azure OpenAI resources, Azure AI Search services, Event Hubs, Cosmos DB, or custom APIs.
- Online endpoints either use the project's system-assigned MI or are created with a specific user-assigned MI; every deployment behind that endpoint runs with the endpoint's identity.
- Prompt Flow connections and automated agents request tokens through `DefaultAzureCredential`; hitting the metadata endpoint from the compute yields tokens usable for lateral movement.
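The IMDS request a runtime makes, and the triage of the token it returns, as an added example that is not part of the original page. The IMDS URL, `api-version` and `Metadata: true` header are Azure's documented values; the sample token, identity ids and the `_FakeImds` stand-in are constructed so the flow runs offline, and the `xms_mirid` claim is assumed to be present on managed-identity tokens.

```python
import base64
import json
import urllib.parse
import urllib.request

# Azure Instance Metadata Service token endpoint and API version (documented, fixed values).
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"

# Constructed sample managed-identity resource id (not a real subscription).
SAMPLE_MI_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ai-rg"
                "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/ai-hub-uami")


def build_imds_request(resource="https://management.azure.com/", client_id=None):
    """Build the request a job/endpoint runtime issues to IMDS for a managed-identity token.
    `client_id` selects a specific user-assigned identity when several are attached."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # The Metadata header is mandatory; IMDS rejects requests without it (basic SSRF mitigation).
    return urllib.request.Request(url, headers={"Metadata": "true"})


def fetch_imds_token(resource="https://management.azure.com/", client_id=None,
                     opener=urllib.request.urlopen):
    """Only works from inside Azure compute; `opener` is injectable so the flow can run offline."""
    with opener(build_imds_request(resource, client_id), timeout=5) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Decode the payload of a compact JWT WITHOUT verifying the signature (triage only, never for auth)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def summarize_identity(jwt):
    """Pick out the claims that tell you which identity and audience a captured token represents."""
    c = token_claims(jwt)
    return {
        "audience": c.get("aud"),
        "tenant": c.get("tid"),
        "principal_oid": c.get("oid"),
        "app_id": c.get("appid"),
        # Assumption: xms_mirid holds the ARM id of the managed identity behind the token.
        "mi_resource_id": c.get("xms_mirid"),
    }


def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _fake_jwt(payload):
    """Constructed, unsigned token (alg=none, empty signature) so the example runs offline."""
    return _enc(b'{"alg":"none","typ":"JWT"}') + "." + _enc(json.dumps(payload).encode()) + "."


SAMPLE_TOKEN = _fake_jwt({
    "aud": "https://management.azure.com/",
    "tid": "11111111-1111-1111-1111-111111111111",
    "oid": "22222222-2222-2222-2222-222222222222",
    "appid": "33333333-3333-3333-3333-333333333333",
    "xms_mirid": SAMPLE_MI_ID,
    "exp": 1900000000,
})


class _FakeImds:
    """Offline stand-in for urllib.request.urlopen that returns the constructed token."""
    def __init__(self, request, timeout=None):
        self.request = request

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return json.dumps({"access_token": SAMPLE_TOKEN, "token_type": "Bearer"}).encode()


def demo():
    token = fetch_imds_token(client_id="33333333-3333-3333-3333-333333333333", opener=_FakeImds)
    return summarize_identity(token)


if __name__ == "__main__":
    print(build_imds_request(client_id="33333333-3333-3333-3333-333333333333").full_url)
    print(json.dumps(demo(), indent=2))
```

Inside a real job or endpoint container, drop the `opener` argument and `fetch_imds_token()` talks to 169.254.169.254 directly; change `resource` to `https://vault.azure.net` or `https://storage.azure.com/` to obtain tokens for the Key Vault or storage data planes with the same identity.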
Network Boundaries
- Hubs/projects support `publicNetworkAccess`, private endpoints, a managed VNet (`managedNetwork.isolationMode` of `Disabled`, `AllowInternetOutbound` or `AllowOnlyApprovedOutbound`) and explicit outbound rules. An isolation mode that still allows Internet outbound, or an exposed scoring endpoint, permits direct exfiltration from jobs and endpoints.
- Azure OpenAI and AI Search support firewall rules, Private Endpoint Connections (PEC), shared private link resources, and `trustedClientCertificates`. While public access is enabled these services accept requests from any IP that knows the key.
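A small offline audit of those network settings, added here as an example and not taken from the page. It reads the JSON that `az resource show` (hub/project), `az cognitiveservices account show` (nested `properties`) and `az search service show` (flattened) print; the sample objects are constructed, and the `networkAcls`/`networkRuleSet`/`outboundRules` shapes are assumptions modelled on the ARM properties.

```python
# Isolation modes of the managed virtual network that leave outbound traffic unrestricted.
OPEN_ISOLATION_MODES = {"disabled", "allowinternetoutbound"}


def audit_workspace_network(ws):
    """`ws` is shaped like `az resource show` output for a hub/project (name + properties.*)."""
    name = ws.get("name", "?")
    props = ws.get("properties") or {}
    findings = []
    if str(props.get("publicNetworkAccess", "")).lower() == "enabled":
        findings.append(f"{name}: publicNetworkAccess=Enabled (workspace reachable from the Internet)")
    managed = props.get("managedNetwork") or {}
    mode = str(managed.get("isolationMode") or "Disabled")
    if mode.lower() in OPEN_ISOLATION_MODES:
        findings.append(f"{name}: managedNetwork.isolationMode={mode} (jobs/endpoints can reach arbitrary hosts)")
    # Even with approved-outbound-only, wildcard FQDN rules re-open exfiltration paths.
    for rule_name, rule in (managed.get("outboundRules") or {}).items():
        dest = rule.get("destination")
        if rule.get("type") == "FQDN" and isinstance(dest, str) and dest.startswith("*"):
            findings.append(f"{name}: wildcard FQDN outbound rule '{rule_name}' -> {dest}")
    return findings


def audit_account_network(acct):
    """`acct` is `az cognitiveservices account show` (nested properties) or
    `az search service show` (flattened) output; both shapes are handled."""
    name = acct.get("name", "?")
    props = acct.get("properties") or acct
    findings = []
    public = str(props.get("publicNetworkAccess") or "Enabled").lower() == "enabled"
    acls = props.get("networkAcls") or props.get("networkRuleSet") or {}
    default_allow = str(acls.get("defaultAction") or "Allow").lower() == "allow"
    ip_rules = acls.get("ipRules") or []
    if public and default_allow and not ip_rules:
        findings.append(f"{name}: accepts requests from any IP that holds a key (public access on, no firewall)")
    # A private endpoint alone restricts nothing while public access stays enabled.
    if public and (props.get("privateEndpointConnections") or []):
        findings.append(f"{name}: private endpoint present but publicNetworkAccess still Enabled")
    return findings


# Constructed sample objects (not real resources).
SAMPLE_PROJECT = {
    "name": "chatbot-project",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "managedNetwork": {
            "isolationMode": "AllowOnlyApprovedOutbound",
            "outboundRules": {
                "allow-pypi": {"type": "FQDN", "destination": "pypi.org"},
                "allow-all-blob": {"type": "FQDN", "destination": "*.blob.core.windows.net"},
            },
        },
    },
}
SAMPLE_AOAI = {
    "name": "aoai-prod", "kind": "OpenAI",
    "properties": {
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "ipRules": []},
        "privateEndpointConnections": [{"id": "/subscriptions/0/resourceGroups/ai-rg/pe-aoai"}],
    },
}
SAMPLE_SEARCH = {
    "name": "rag-search", "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"ipRules": []},
    "privateEndpointConnections": [{"id": "/subscriptions/0/resourceGroups/ai-rg/pe-search"}],
}


def demo():
    return {
        "project": audit_workspace_network(SAMPLE_PROJECT),
        "aoai": audit_account_network(SAMPLE_AOAI),
        "search": audit_account_network(SAMPLE_SEARCH),
    }


if __name__ == "__main__":
    for target, findings in demo().items():
        print(target, "->", findings or ["no exposure found"])
```

Pipe real output in with `az resource show ... -o json | python3 -c 'import json,sys; from audit import *; print(audit_workspace_network(json.load(sys.stdin)))'` (module name assumed) when you want to run it against a live subscription.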
Data & Secret Stores
- Default hub/project deployments create a storage account, Azure Container Registry, Key Vault, Application Insights, and Log Analytics workspace inside a hidden managed resource group (pattern: `mlw-<workspace>-rg`).
- Workspace datastores reference blob/data lake containers and can embed SAS tokens, service principal secrets, or storage access keys.
- Workspace connections (to Azure OpenAI, AI Search, Cognitive Services, Git, Hugging Face, etc.) store credentials in the workspace Key Vault and expose them through the management plane when a connection is listed with its secrets (values are base64-encoded JSON).
- AI Search admin keys grant full read/write access to indexes, skillsets, and data sources, and can retrieve the documents that back RAG systems.
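A harvester for the connection objects described above, added here as an example and not code from the page. It walks the `value` array of the connections REST call (or `az ml connection list` JSON), pulls credential leaves such as `credentials.key`/`pat`, and also decodes any string that turns out to be base64-wrapped JSON before searching inside it. The `authType`/`credentials`/`category` field names, the `SECRET_KEYS` list and every sample connection and key are constructed assumptions.

```python
import base64
import json

# Leaf key names that usually hold a credential in connection/datastore objects (assumption, extend as needed).
SECRET_KEYS = {"key", "pat", "sas", "sasToken", "clientSecret", "password", "accessKeyId", "secretAccessKey"}


def _walk(obj, path=""):
    """Yield (dotted-path, value) for every leaf of a nested dict/list."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def try_decode_b64_json(value):
    """Return the parsed object if `value` is base64 wrapping a JSON document, else None."""
    if not isinstance(value, str) or len(value) < 8:
        return None
    try:
        obj = json.loads(base64.b64decode(value, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):  # binascii.Error and JSONDecodeError are ValueErrors
        return None
    return obj if isinstance(obj, (dict, list)) else None


def _leaf_name(path):
    return path.rsplit(".", 1)[-1].split("[")[0]


def harvest_connection_secrets(connections):
    """One record per credential found, including ones hidden inside base64-encoded JSON blobs."""
    hits = []
    for conn in connections:
        props = conn.get("properties") or conn
        base = {"name": conn.get("name"), "category": props.get("category"),
                "target": props.get("target"), "authType": props.get("authType")}
        leaves = list(_walk(props))
        for path, val in list(leaves):          # copy: we append decoded leaves while iterating
            decoded = try_decode_b64_json(val)
            if decoded is not None:
                leaves.extend(_walk(decoded, path + "(b64)"))
        for path, val in leaves:
            if _leaf_name(path) in SECRET_KEYS and val:
                hits.append({**base, "path": path, "secret": val})
    return hits


# Constructed sample connections (no real endpoints or keys).
_BLOB_SAS = json.dumps({"container": "rag-docs", "sas": "sv=2023-11-03&ss=b&sp=rl&sig=CONSTRUCTED"}).encode()
SAMPLE_CONNECTIONS = [
    {"name": "aoai-prod", "properties": {"category": "AzureOpenAI", "authType": "ApiKey",
        "target": "https://aoai-prod.openai.azure.com/", "credentials": {"key": "0000aoai-constructed-key"},
        "metadata": {"ApiVersion": "2024-02-01"}}},
    {"name": "rag-search", "properties": {"category": "CognitiveSearch", "authType": "ApiKey",
        "target": "https://rag-search.search.windows.net/", "credentials": {"key": "SEARCHADMINKEYCONSTRUCTED"}}},
    {"name": "gh-flows", "properties": {"category": "Git", "authType": "PAT",
        "target": "https://github.com/example/prompt-flows", "credentials": {"pat": "ghp_constructedtoken"}}},
    {"name": "docs-store", "properties": {"category": "CustomKeys", "authType": "CustomKeys",
        "target": "https://docsstore.blob.core.windows.net/",
        "metadata": {"value": base64.b64encode(_BLOB_SAS).decode()}}},
    # Identity-based connection: nothing to harvest, the MI token is the credential.
    {"name": "aoai-mi", "properties": {"category": "AzureOpenAI", "authType": "AAD",
        "target": "https://aoai-dev.openai.azure.com/"}},
]


if __name__ == "__main__":
    for hit in harvest_connection_secrets(SAMPLE_CONNECTIONS):
        print(f"{hit['name']:<12} {hit['category']:<16} {hit['path']:<28} {hit['secret'][:12]}...")
```

Feed it the `value` array from `az rest` (the `listsecrets` action) or `az ml connection list --populate-secrets -o json`; an identity-based (`AAD`) connection yields nothing here, which is what you want to see across the board after hardening.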
Monitoring & Supply Chain
- AI Foundry supports GitHub/Azure DevOps integration for code and prompt flow assets. The OAuth tokens or PATs live inside Key Vault plus the connection metadata.
- The Model Catalog can mirror Hugging Face artifacts. If `trust_remote_code=True` is set, arbitrary Python shipped with the model repository executes during deployment.
- Data/feature pipelines log to Application Insights or Log Analytics, exposing their connection strings there.
Enumeration with az
```bash
# Install the Azure ML / AI CLI extension (if missing)
az extension add --name ml

# Enumerate AI Hubs (workspaces with kind=Hub) and inspect properties
# Note: `az ml` (CLI v2) prints snake_case keys (resource_group, storage_account, ...);
# raw ARM properties (properties.*) come from `az resource show`.
az ml workspace list --filtered-kinds hub --resource-group <RG> --query "[].{name:name, location:location, rg:resource_group}" -o table
az resource show --name <HUB> --resource-group <RG> \
  --resource-type Microsoft.MachineLearningServices/workspaces \
  --query "{kind:kind, location:location, publicNetworkAccess:properties.publicNetworkAccess, isolationMode:properties.managedNetwork.isolationMode, identity:identity, managedResourceGroup:properties.managedResourceGroup}" -o jsonc

# Enumerate AI Projects (kind=Project) under a hub or RG
az resource list --resource-type Microsoft.MachineLearningServices/workspaces --query "[].{name:name, kind:kind, rg:resourceGroup, location:location}" -o table
az ml workspace list --filtered-kinds project --resource-group <RG> \
  --query "[?contains(to_string(hub_id), '/workspaces/<HUB>')].{name:name, rg:resource_group, location:location}"

# Show workspace level settings (managed identity, storage, key vault, container registry)
az ml workspace show --name <WS> --resource-group <RG> \
  --query "{managedNetwork:managed_network, storageAccount:storage_account, containerRegistry:container_registry, keyVault:key_vault, identity:identity}"

# List workspace connections (OpenAI, AI Search, Git, data sources) including their secrets
az ml connection list --workspace-name <WS> --resource-group <RG> --populate-secrets -o table
az ml connection show --workspace-name <WS> --resource-group <RG> --name <CONNECTION> --populate-secrets

# For REST: GET returns the connection metadata; the listsecrets action returns the credential material
az rest --method GET \
  --url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections/<CONN>?api-version=2024-04-01"
az rest --method POST \
  --url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections/<CONN>/listsecrets?api-version=2024-04-01"

# Enumerate datastores and extract credentials/SAS
az ml datastore list --workspace-name <WS> --resource-group <RG>
az ml datastore show --name <DATASTORE> --workspace-name <WS> --resource-group <RG>

# List managed online/batch endpoints and deployments (the identity is set on the endpoint, deployments run under it)
az ml online-endpoint list --workspace-name <WS> --resource-group <RG>
az ml online-endpoint show --name <ENDPOINT> --workspace-name <WS> --resource-group <RG> --query "{identity:identity, auth:auth_mode, scoringUri:scoring_uri, publicNetworkAccess:public_network_access}"
az ml online-deployment show --name <DEPLOYMENT> --endpoint-name <ENDPOINT> --workspace-name <WS> --resource-group <RG> \
  --query "{environment:environment, codeConfiguration:code_configuration, instanceType:instance_type, environmentVariables:environment_variables}"

# Discover prompt flows, components, environments, data assets
az ml component list --workspace-name <WS> --resource-group <RG>
az ml data list --workspace-name <WS> --resource-group <RG> --type uri_folder
az ml environment list --workspace-name <WS> --resource-group <RG>
az ml job list --workspace-name <WS> --resource-group <RG> --type pipeline

# List hub/project managed identities and their role assignments
az identity list --resource-group <RG>
az role assignment list --assignee <MI-PRINCIPAL-ID> --all

# Azure OpenAI resources (filter kind==OpenAI)
az resource list --resource-type Microsoft.CognitiveServices/accounts \
  --query "[?kind=='OpenAI'].{name:name, rg:resourceGroup, location:location}" -o table
az cognitiveservices account list --resource-group <RG> \
  --query "[?kind=='OpenAI'].{name:name, location:location}" -o table
az cognitiveservices account show --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account keys list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account deployment list --name <AOAI-NAME> --resource-group <RG>
az cognitiveservices account network-rule list --name <AOAI-NAME> --resource-group <RG>

# Azure AI Search services
az search service list --resource-group <RG>
az search service show --name <SEARCH-NAME> --resource-group <RG> \
  --query "{sku:sku.name, publicNetworkAccess:publicNetworkAccess, privateEndpoints:privateEndpointConnections}"
az search admin-key show --service-name <SEARCH-NAME> --resource-group <RG>
az search query-key list --service-name <SEARCH-NAME> --resource-group <RG>
az search shared-private-link-resource list --service-name <SEARCH-NAME> --resource-group <RG>

# AI Search data-plane (requires the admin key in the api-key header)
az rest --method GET \
  --url "https://<SEARCH-NAME>.search.windows.net/indexes?api-version=2024-07-01" \
  --headers "api-key=<ADMIN-KEY>"
az rest --method GET \
  --url "https://<SEARCH-NAME>.search.windows.net/datasources?api-version=2024-07-01" \
  --headers "api-key=<ADMIN-KEY>"
az rest --method GET \
  --url "https://<SEARCH-NAME>.search.windows.net/indexers?api-version=2024-07-01" \
  --headers "api-key=<ADMIN-KEY>"

# Linkage between workspaces and Search / OpenAI (REST helper; `category` identifies the connection type)
az rest --method GET \
  --url "https://management.azure.com/subscriptions/<SUB>/resourceGroups/<RG>/providers/Microsoft.MachineLearningServices/workspaces/<WS>/connections?api-version=2024-04-01" \
  --query "value[?properties.category=='CognitiveSearch' || properties.category=='AzureOpenAI'].{name:name, category:properties.category, target:properties.target, authType:properties.authType}"
```
What to Check During an Assessment
- Identity scope: Projects often reuse one powerful user-assigned identity attached to many services. Obtaining IMDS tokens from any managed compute inherits those permissions.
- Connection objects: The base64 payload includes the secret together with its metadata (endpoint URL, API version). Many teams leave OpenAI + Search admin keys here instead of rotating them regularly.
- Git & external source connectors: PATs or OAuth refresh tokens can grant push access to the code that defines pipelines/prompt flows.
- Datastores & data assets: May expose SAS tokens valid for months; data assets can point at customer PII, embeddings, or training corpora.
- Managed Network overrides: `managedNetwork.isolationMode=AllowInternetOutbound` (or `Disabled`) and `publicNetworkAccess=Enabled` make it easy to exfiltrate secrets from jobs/endpoints.
- Hub-managed resource group: Contains the storage account (`<workspace>storage`), container registry, KV, and Log Analytics. Access to that RG often means full takeover even when the portal hides it.
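A triage of the role assignments behind the "Identity scope" point above, added as an example that is not part of the original page. It consumes the JSON printed by `az role assignment list --assignee <MI-PRINCIPAL-ID> --all` (real fields `roleDefinitionName` and `scope`), ranks each assignment by role and scope breadth, and summarises the resource types the identity can reach. The role lists and every sample assignment below are constructed assumptions.

```python
# Roles that grant control over everything at and below their scope.
CONTROL_PLANE_ADMIN = {"Owner", "Contributor", "User Access Administrator"}
# Data-plane roles that matter in an AI Foundry estate (assumed subset; extend for your target).
DATA_PLANE_SENSITIVE = {
    "Key Vault Administrator", "Key Vault Secrets Officer", "Key Vault Secrets User",
    "Storage Blob Data Contributor", "Storage Blob Data Owner", "AcrPush", "AcrPull",
    "Cognitive Services OpenAI Contributor", "Cognitive Services OpenAI User",
    "Search Service Contributor", "Search Index Data Contributor", "AzureML Data Scientist",
}


def scope_level(scope):
    """Classify an ARM scope string: managementGroup / subscription / resourceGroup / resource."""
    parts = [p for p in scope.split("/") if p]
    if parts[:1] == ["providers"]:
        return "managementGroup"
    if len(parts) <= 2:        # /subscriptions/<id>
        return "subscription"
    if len(parts) <= 4:        # /subscriptions/<id>/resourceGroups/<rg>
        return "resourceGroup"
    return "resource"


def scope_provider(scope):
    """Resource type of a resource-level scope, e.g. 'Microsoft.KeyVault/vaults'."""
    parts = [p for p in scope.split("/") if p]
    if "providers" not in parts:
        return None
    i = parts.index("providers")
    return "/".join(parts[i + 1:i + 3]) if len(parts) >= i + 3 else None


def triage_role_assignments(assignments):
    """Rank assignments: admin roles at RG scope or wider are 'high', sensitive roles 'medium'."""
    rows = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        level = scope_level(scope)
        if role in CONTROL_PLANE_ADMIN and level != "resource":
            severity = "high"
        elif role in CONTROL_PLANE_ADMIN or role in DATA_PLANE_SENSITIVE:
            severity = "medium"
        else:
            severity = "low"
        rows.append({"role": role, "scope": scope, "level": level,
                     "resourceType": scope_provider(scope), "severity": severity})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(rows, key=lambda r: (order[r["severity"]], r["scope"]))


def blast_radius(assignments):
    """Distinct resource types reachable; a broad scope is reported as '*(<level>)' since it covers everything beneath."""
    reach = set()
    for a in assignments:
        scope = a.get("scope", "")
        level = scope_level(scope)
        reach.add(f"*({level})" if level != "resource" else (scope_provider(scope) or "unknown"))
    return sorted(reach)


# Constructed sample: assignments of one user-assigned identity shared by several projects.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
_RG = _SUB + "/resourceGroups/ai-rg"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor", "scope": _RG, "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Key Vault Secrets Officer",
     "scope": _RG + "/providers/Microsoft.KeyVault/vaults/ai-hub-kv", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Search Service Contributor",
     "scope": _RG + "/providers/Microsoft.Search/searchServices/rag-search", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Cognitive Services OpenAI User",
     "scope": _RG + "/providers/Microsoft.CognitiveServices/accounts/aoai-prod", "principalType": "ServicePrincipal"},
    {"roleDefinitionName": "Reader", "scope": _SUB, "principalType": "ServicePrincipal"},
]


if __name__ == "__main__":
    for row in triage_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{row['severity']:<6}] {row['role']:<34} {row['level']:<14} {row['resourceType'] or '-'}")
    print("reach:", blast_radius(SAMPLE_ASSIGNMENTS))
```

Run it over real data with `az role assignment list --assignee <MI-PRINCIPAL-ID> --all -o json` piped into `json.load`; a single `high` row on the hub's resource group is the typical finding that turns one IMDS token into control of every dependent resource.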