Getting Started
This article will serve as a cheat sheet or quick reference for one of the important topics when it comes to the AZ-100 certification exam–managing Azure virtual networks. Make sure to also review the other important topics, such as managing Azure subscriptions, implementing Azure Storage, managing VMs, and managing identities. As part of my Azure study guide, I put together this Azure CLI and PowerShell 'Cheatsheet'. I hope you guys find this useful. You are the MVP we dont deserve.
Install latest version of Azure CLI on Mac
Resource:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos
Install latest version of Azure CLI on Linux
Resources:
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0
Install PowerShell
Run a powershell terminal with:
Update Powershell
Uninstall Powershell
Resource:https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-macos?view=powershell-7.1
Install Azure PowerShell module
For the current user:
Resource:
https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-5.5.0
Setup the AzureRMAlias module
This will deal with incompatibilities with older scripts that use AzureRM:
List available modules
Get authenticated in Powershell
List commands in a module
List functions in a module
Resource:https://stackoverflow.com/questions/6354317/how-do-i-retrieve-the-available-commands-from-a-module
Authenticate via the CLI
Run this command to get authenticated:
This will result in a web browser opening, or a URL prompt. Navigating to this url will prompt you for a code, which you've been provided in the command line. Paste it in, click next, and select the proper account.
Resource:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-macos
Info Gathering
List subscriptions for authenticated account
Get tenant id
Get subscription id
az cli:
Powershell:
Resources:
https://docs.microsoft.com/en-us/powershell/module/az.accounts/get-azsubscription?view=azps-5.5.0 - powershell docs
https://docs.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest - cli docs
List tenants
List Resource Groups by name
Resource:https://docs.microsoft.com/en-us/cli/azure/group?view=azure-cli-latest
Set Subscription
az cli:
Powershell:
Resource:https://powerzure.readthedocs.io/en/latest/Requirements/requirements.html
https://stackoverflow.com/questions/38475104/azure-cli-how-to-change-subscription-default - cli
List all VMs
Resource:https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest
Blob Storage
List all storage accounts and output in a table format:
List all storage accounts and get storage account names:
You can assign one of the account names to an env var if you'd like:
Get storage keys
If you set the env var:
You can assign one of the keys to an env var if you'd like:
List storage containers
List storage container contents
Resource:https://www.secsignal.org/en/news/how-i-hacked-a-domain-controller-in-azure-during-a-penetration-test/
List blob names
Azure Kubernetes (k8s)
Get available versions of k8s in a region
Resource:https://gist.github.com/yokawasa/fd9d9b28f7c79461f60d86c23f615677#aks-cheat-sheet
List managed k8s clusters
Resource:https://docs.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest
Get Resource Group Name for clusters
Get Cluster Name
Configure kubectl
This is pretty awesome, good job Microsoft:
Resources:https://www.reddit.com/r/kubernetes/comments/8ohxcz/how_to_connect_kubectl_to_aks/
https://docs.microsoft.com/en-us/azure/aks/tutorial-kubernetes-deploy-cluster
Security Auditing
ScoutSuite
https://github.com/nccgroup/ScoutSuite will generate an HTML report outlining various issues that exist in the configuration for a given account.
Install:
Run:
Resources:https://kalilinuxtutorials.com/scout-suite-multi-cloud-security-auditing-tool/
PowerZure
Resources:
https://powerzure.readthedocs.io/en/latest/
https://stackoverflow.com/questions/64792108/getting-error-could-not-load-file-or-assembly-system-windows-forms-at-import - fix the weird error that comes up for Importing the AzureADPreview module
https://github.com/Azure/azure-docs-powershell-azuread/issues/189 - fix missing modules like Get-AzureADDirectoryRole
Show all functions
Get help for a particular function
For example:
Get all content from all KeyVaults
Resource:https://hausec.com/2020/01/31/attacking-azure-azure-ad-and-introducing-powerzure/ - PowerZure general usage info
Create a new user
MicroBurst
Resource:https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Cloud - Azure Pentest.md - where I found out about the tool initially
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/out-file?view=powershell-7.1 - write output to a file
SkyArk
Resource:https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Cloud - Azure Pentest.md
Azure AD
List all applications
List all service principles
List all groups
Resource:https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
VMSS
View all VMSS in a subscription
Simply navigate to this page and use the magical Try it button to use the REST API to grab this info. Neat!
CLI
Get VMSS by name and associated resource group
List vms in a VMSS
Resource:https://docs.microsoft.com/en-us/cli/azure/vmss?view=azure-cli-latest
https://github.com/andyt530/az2tf/blob/master/scripts/295_azurerm_virtual_machine_scale_set.sh
Get computer name of vms in a VMSS
Run command in VM in a VMSS
This will run commands in the instance with an id of 0. See the above commands for how to get the id that corresponds to the instance you want to work with.
Run whoami:
Run download and run a binary as a background job:
Resources:
https://docs.microsoft.com/en-us/powershell/module/az.compute/add-azvmsshpublickey?view=azps-5.5.0
https://heranonazure.wordpress.com/2017/08/30/solution-change-vm-scale-set-ssh-key/ - run command on a VMSS instance
Metadata Service
Get all instance metadata
Get access token
Resources:
https://docs.microsoft.com/en-us/azure/virtual-machines/linux/instance-metadata-service?tabs=linux - official docs
https://gist.github.com/nordineb/01d69b63d2daf01e61b116bee607c6b8 - a bunch of endpoints you can get to
https://blog.netspi.com/azure-privilege-escalation-using-managed-identities/ - get access token
Request storage account token
Resources:https://gist.github.com/kfosaaen/2620f73690d2948efb2a31897e1f404e - powershell script I used
Get AKS node IP
Resource:https://itnext.io/how-a-naughty-docker-image-on-aks-could-give-an-attacker-access-to-your-azure-subscription-6d05b92bf811
Roles
Create new role assignment
This will try to assign the assignee the owner role:
Resource:https://www.xmcyber.com/privilege-escalation-and-lateral-movement-on-azure-part-1/
Features
Show registered features in a table format:
Find features associated w/ ContainerService
Resource:https://heranonazure.wordpress.com/2019/09/02/secure-api-server-using-authorized-ip-address-ranges/
The Snyk CLI is an excellent and powerful tool to scan your applications, containers, and infrastructure as code for security vulnerabilities. In this cheatsheet, we will look at the most powerful features our CLI has to offer. You can use the CLI for scanning and monitoring on your local machine, but you can also integrate it into your pipeline. Regardless of how you use it, the Snyk CLI is the go-to tool to test, monitor, and remediate known vulnerabilities in your applications.
We are continually improving our CLI, and it has far more power than we can ever address in a single cheatsheet. For a more detailed overview of our CLI, please look at our knowledge base. If you want to know more about what the CLI can do for a specific language or build system, check our language support page:
- JavaScript (npm, yarn)
- Java (maven | Gradle)
- .Net (Nuget, Paket)
- Python (Pip, Poetry)
- Php (composer)
- Ruby (Bundler)
- Golang (dep, govendor)
- Many more…
Azure Commands Cheat Sheet
Installation
Let’s start from the beginning. If you haven’t installed the Snyk CLI yet, you should do this first. Currently, you have the option to install the Snyk CLI using either npm, Homebrew, Scoop, or by downloading a specific binary from GitHub.
- npm—npm install -g snyk
- Homebrew—brew tap snyk/tap && brew install snyk
- Scoop—scoop bucket add snyk https://github.com/snyk/scoop-snyk
scoop install snyk - manual installer available on Snyk’s GitHub page.
Now that you installed the CLI, you have to authenticate with your Snyk account. There are a few ways to do this.
When you call snyk auth the browser reroutes to the signup or sign-in page where you can authenticate or signup.
Alternatively, you can run snyk auth [api-token] providing a Snyk API token argument that you can retrieve from your account page.
The last option, which we specifically recommended for CI testing, is to create an environment variable called SNYK_TOKEN. All Snyk CLI commands will use this without explicitly running snyk auth.
Pro tip: Make sure you update and reinstall the CLI often. We are fixing and releasing new versions of the CLI very often. You do not want to miss out on new and improved features.
CLI commands
The Snyk CLI takes in a command, followed by several options. Make sure you run the CLI commands within the project folder. Let’s look into what each of these commands does.
Snyk test
The snyk test command tests a local project for known vulnerabilities. It provides information about those vulnerabilities, their severities, types and descriptions, the number of vulnerable paths, remediation actions, and more. The Snyk CLI auto-detects your manifest files and tests the first it finds. Note that Snyk looks for local dependencies to test for vulnerabilities. As a result, you must run the necessary steps to download your dependency tree before running the snyk test, such asnpm install, mvn install, dotnet restore, or dep ensure.
Snyk test is also handy within a CI-pipeline. Running a snyk test when building the binary directly shows if your project contains vulnerabilities. If you like, you can even break your pipeline and demand a full stop. When you call snyk test from a script, you just need to check the exit code. If the exit code is 0, everything is fine, and there are no vulnerabilities found. If it is something else, you probably have some work left.
You can test a specific manifest if you have a project that contains multiple. Use the --file flag to specify the file you want to scan.
Similarly, you can specify the package manager using the --package-manager flag. This is useful in the exceptional case that snyk cant automatically detects the package manager.
If you want to test all projects in a folder, you can use the --all-projects flag. It runs an auto-discovery to scan the current directory and test all manifest files found. By default, Snyk scans the current directory and three extra levels deep. To change the depth level, just add the --detection-depth option.
However, Snyk does not by default test your dev dependencies, as many consider this noise compared to production vulnerabilities. If you want Snyk to include your dev dependencies as well, use the --dev flag.
Another useful flag to use on the test command, as well as on other Snyk commands, is the --org flag. This associates a test or any Snyk command with a specific organization. Organizations are containers in which you can group projects, and they can have multiple users associated with them. This is particularly useful when working in teams and creating snapshots with a snyk monitor. If you do not specify an org, your results are associated with your default org.
If you want to test public repositories from the command line, we’ve got you covered. You can provide the URL of the public repository directly into the command. It only works on npm repositories if the package-lock.json is available. Try it out:
You can also test packages in npm remotely by passing in the package name only, testing the latest release, or fully qualifying the package name and version.
After running a snyk test on a project, the output is served to you in three sections.
- Issues to fix by upgrading:
By updating the library as suggested, you will remove one or more vulnerabilities found in your project. - Patchable issue:
There is no update available that fixes the problem. However, Snyk created a patch to fix the vulnerability. - Issues with no direct upgrade or patch:
There is no update available for the dependency you imported. A vulnerability might actually be in one of the transitive dependencies. If there is already a newer version of the transitive dependency that fixed the vulnerability, we show you that as well. In some ecosystems, you can manually replace transitive dependencies, so this is valuable information.
For every vulnerability that the CLI displays in either of the three sections, you can see a description, the severity, and a link where you can learn more about the specific vulnerability issue.
If you prefer the CLI output in the JSON format, we have a flag for that, --json. You can use the JSON output to format the results however you like.
Saving your scan output in a JSON file is even more straightforward. With the --json-file-output flag, you can directly save the result to the filename you desire for later inspection. In the meantime, you will get the readable output, as shown earlier in your console. This is a perfect solution for CI-pipelines when, for instance, you want to display the results for a specific build in a dashboard. Just try:
Also, note we have a Snyk JSON to HTML mapper that can format your results into a nice HTML-based report you can show to your manager.
You can control the CLI output by severity with the --severity-threshold flag. If you are not interested in the medium or low severe vulnerabilities, you can leave them out of the equation by doing the following:
Snyk monitor
The snyk monitor command takes a snapshot of your project and uploads the results to the Snyk website. Although snyk monitor uses snyk test under the hood, it is important to know that it is not a replacement—Snyk monitor takes a snapshot and monitors that snapshot over time. When any new vulnerabilities or new remediation paths that your project benefits from are found, it will be sent to you as an alert via your chosen communication channel.
In a CI environment, you typically run a snyk test first to see if there are vulnerabilities at this moment. If there are any, you could break your build, depending on the use case. When you continue, snyk monitor is typically used to create a snapshot for that version, so it is monitored over time. A great time to do this is right before going to production. When you are comfortable with a certain level of vulnerabilities, the snyk monitor will help you not digress over time.
Azure Cli Cheat Sheet Pdf
It’s important when running snyk monitor that you specify enough information to ensure your snapshot ends up in the expected location. If you are a member of many organizations, then be sure to specify which one to send your snapshot to via the --org flag. If you have similar project names, you can override the default name Snyk gives your snapshots by entering your desired name using the --project-name flag.
Snyk ignore
Suppose your application contains a vulnerability with no remediating patch or update available or a vulnerability that you do not believe to be currently exploitable in your application. In that case, you may want to tell Snyk to ignore the vulnerability for a certain period. To use the ignore command, first run snyk test and retrieve the vulnerability ID, which you can find in the CLI output. Now you can ignore this vulnerability by using the following command:
The --expiry and --reason flags are optional. By default, the security vulnerability is ignored for 30 days.
Note: the snyk ignore command will create a .snyk file holding the information about the security issue you are ignoring.
Snyk Container
Snyk Container is the CLI capability to scan container images like Docker images. Previously this was available using the --docker flag in the CLI.
Similar to scanning and monitoring your application, you can scan your Docker images using Snyk.
When downloading images for Docker Hub, you can scan and monitor that image like this:
When adding a Dockerfile to either of these commands, Snyk will give you remediation advice on the base image you are using, among other things. If there are different base images available for the image you have built, we can point you to these alternatives.
Snyk Container does not only support Docker containers but also distorless images. These images can be scanned like this:
Also, container archives can be scanned and monitored using Snyk’s container capabilities. Scanning works for both Docker container archives and Open Container Initiative (OCI) images.
Like scanning your applications, the --json and --json-file-output flags are available for seamless integration with your own systems.
Snyk Infrastructure As Code
With the Snyk Infrastructure As Code scanning capabilities, we enable developers to find and fix misconfigurations that can lead to security problems. With the snyk iac command, you can also utilize this functionality in the Snyk CLI on your local machine or in your CI environment. Now, you will get feedback as early as possible in your development cycle. Snyk IaC is available with support for Kubernetes, Helm Charts, and Terraform AWS resources.
If you want to scan a Kubernetes or Terraform file, you can try something like this:
Similar to snyk test the issues found with snyk iac show a description and a severity level. If you need this output in a JSON format to integrate with your system, the --json and the --json-file-output flags are also available here:
Troubleshooting
If you are not sure what command to use or how a specific flag works, you can always also call:
If you are looking for help on a specific section, like config, container or iac you just add this in your help command like this:
Debug
If something does not work, you can ask the CLI to output the debug logging with the -d flag. When talking to our fantastic support team, they will most likely ask you to do this as well:
Are you running out of tests on an open source project?
Snyk scanning is free and unlimited for open source development. However, we do not always recognize an open source project. If you get prompted in the CLI output that you are running out of tests, you can take the following steps to prove your project is in fact, open source.
- run snyk monitor
- navigate to your application in the browser. (the direct url is in the cli output)
- click Settings from the menu
- enter the URL for your OS repo in the Git remote URI field.
Unexpected test results?
For the best result, rebuild your complete project before running any of the CLI commands. If the output of a snyk test or snyk monitor is not as expected, please run your build tool to download and install all dependencies.
For example:
Removing your API key and configuration
If you have authenticated your CLI using snyk auth, you can remove your token from the configuration using the following command:
For more information on other config settings, please call:
Check your version
Always use the latest version of our CLI. We release a new version multiple times a week and sometimes even more.
Ensure you (re)install the latest version using your package manager as described in the first section, or look for the latest build on our GitHub repo.
To check your current version, simple run:
Check the documentation
Specific projects and ecosystems have specific needs. Please check the CLI documentation and the language support documentation to find help for a more specific use-case.