BadZure

BadZure is a Python tool that automates the creation of misconfigured Azure environments, enabling security teams to simulate adversary techniques, develop and test detection controls, and run purple team exercises across Entra ID and Azure infrastructure. It uses Terraform to populate Entra ID tenants and Azure subscriptions with entities and intentional misconfigurations, producing complete attack paths that span identity and cloud infrastructure layers.

BadZure automates the creation of users, groups, application registrations, service principals, administrative units, and Azure resources such as Key Vaults, Storage Accounts, Virtual Machines, Logic Apps, Automation Accounts, Function Apps, Cosmos DB Accounts, and Resource Groups. To simulate a realistic tenant, it randomly assigns Entra ID roles, Graph permissions, and Azure resource access permissions to selected security principals, mimicking the organic permission sprawl found in real environments. On top of this realistic baseline, BadZure layers intentional misconfigurations through configurable attack paths, producing exploitable privilege escalation chains for adversary simulation.

The key advantage of BadZure is its ability to quickly populate and purge tenants with configurations, pre-configured initial access, and intentional attack paths, facilitating continuous and iterative adversary simulation and detection development. It is designed for security practitioners interested in exploring and understanding Entra ID and Azure security, cloud resource misconfigurations, and modern cloud-native attack techniques including certificate-based authentication abuse and managed identity privilege escalation.

BlackHat Arsenal 2024


What Can You Do With It?

  • Red team exercises — Practice Entra ID and Azure attack techniques against realistic environments
  • Detection engineering — Generate attack telemetry across identity and infrastructure layers to build and test detections
  • Purple team operations — Run collaborative exercises covering identity attacks and cloud-native compromise scenarios
  • Security training — Facilitate hands-on Azure security workshops with pre-built attack paths
  • CTF events — Host dynamic cloud security capture-the-flag competitions with multi-vector scenarios

How It Works

BadZure reads a YAML configuration file, generates Entra ID entities and Azure resources via Terraform, and configures privilege escalation paths between them. Every attack path starts with a compromised identity (user or service principal) and ends at a high-privilege target.

graph LR
    CONFIG[/"YAML Config"/] --> BADZURE["BadZure"]
    BADZURE --> ENTITIES["Create Entities<br/><small>Users, Groups, Apps<br/>Azure Resources</small>"]
    ENTITIES --> MISCONFIG["Apply Misconfigurations<br/><small>Roles, Permissions<br/>Ownership, Access</small>"]
    MISCONFIG --> PATHS["Attack Paths Ready<br/><small>Initial Access → Priv Esc</small>"]

Supported Attack Paths

BadZure supports seven privilege escalation techniques across two categories. To learn more about what attack paths are and how they emerge in cloud environments, see What Are Attack Paths?.

Identity-Based

Attack Path                    Description
ApplicationOwnershipAbuse      Exploit application ownership to add credentials to a privileged app
ApplicationAdministratorAbuse  Exploit the Application Administrator role to manage any app in the tenant
CloudAppAdministratorAbuse     Exploit the Cloud Application Administrator role — narrower scope than Application Administrator
ManagedIdentityAbuse           Steal managed identity tokens from Azure resources to pivot to Key Vaults, Storage Accounts, or Cosmos DB
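
For detection engineering against the ApplicationOwnershipAbuse path listed above, the following added example (not part of BadZure or its documentation) scans Entra ID audit records for credentials added to applications by identities outside an approved set, rating hits on privileged apps as high. The record fields follow the Microsoft Graph directoryAudit shape; the activity-name substrings, the JSON-list form of KeyDescription values, the sample records, and the names flag_credential_additions, privileged_app_ids and approved_initiators are assumptions of this example.

```python
import json

# Audit activity names, matched by substring (assumption: confirm in your tenant).
CRED_ACTIVITIES = ("certificates and secrets management",
                   "add service principal credentials")

def initiator_of(event):
    """Return the user UPN or app display name that performed the action."""
    by = event.get("initiatedBy") or {}
    user, app = by.get("user") or {}, by.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"

def added_credentials(target):
    """Count KeyDescription entries present in newValue but not in oldValue."""
    for prop in target.get("modifiedProperties") or []:
        if prop.get("displayName") == "KeyDescription":
            old = set(json.loads(prop.get("oldValue") or "[]"))
            new = set(json.loads(prop.get("newValue") or "[]"))
            return len(new - old)
    return 0

def flag_credential_additions(events, privileged_app_ids, approved_initiators):
    """Return (severity, initiator, app name) for unsanctioned credential adds."""
    findings = []
    for ev in events:
        activity = (ev.get("activityDisplayName") or "").lower()
        if not any(name in activity for name in CRED_ACTIVITIES):
            continue
        who = initiator_of(ev)
        for target in ev.get("targetResources") or []:
            if added_credentials(target) == 0 or who in approved_initiators:
                continue  # removal-only change, or a sanctioned administrator
            sev = "high" if target.get("id") in privileged_app_ids else "medium"
            findings.append((sev, who, target.get("displayName")))
    return findings

def make_event(activity, upn, app_id, app_name, old, new):  # constructed record
    prop = {"displayName": "KeyDescription",
            "oldValue": json.dumps(old), "newValue": json.dumps(new)}
    target = {"id": app_id, "displayName": app_name, "modifiedProperties": [prop]}
    return {"activityDisplayName": activity, "targetResources": [target],
            "initiatedBy": {"user": {"userPrincipalName": upn}}}

UPDATE = "Update application \u2013 Certificates and secrets management "
KEY_A, KEY_B = "[KeyIdentifier=k1,KeyType=Password]", "[KeyIdentifier=k2,KeyType=Password]"
SAMPLE_EVENTS = [  # constructed records, not real tenant data
    make_event(UPDATE, "owner@example.test", "app-001", "PrivilegedApp", [KEY_A], [KEY_A, KEY_B]),
    make_event(UPDATE, "admin@example.test", "app-001", "PrivilegedApp", [KEY_A], [KEY_A, KEY_B]),
    make_event(UPDATE, "owner@example.test", "app-002", "ReportingApp", [KEY_A], []),
]
```

Calling flag_credential_additions(SAMPLE_EVENTS, {"app-001"}, {"admin@example.test"}) returns only the owner's addition to PrivilegedApp; the approved administrator's change and the removal-only change are skipped.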

Resource-Based

Attack Path              Description
KeyVaultSecretTheft      Retrieve application secrets directly from Azure Key Vault
StorageCertificateTheft  Retrieve application certificates from Azure Storage
CosmosDBSecretTheft      Retrieve application secrets from Azure Cosmos DB

Quick Start

git clone https://github.com/mvelazc0/BadZure
cd BadZure
python -m venv venv && venv\Scripts\activate
pip install -r requirements.txt
az login
python badzure.py build

See the Getting Started guide for full setup instructions.