Introduction

Stomspotter is an Azure Red Team tool to graph Azure and Azure AD objects.

By mapping out relationships between objects, Stormspotter visualises the attack paths between Azure objects.

Stormspotter currently only supports Neo4j 3.x.x.

I recommend setting image: neo4j:3.5.18 in your docker-compose.yml

Requirements

  • Docker
  • Docker Compose
  • Python 3.8.X
  • Az PowerShell

Installation

Installation via Docker to avoid manual installation of dependencies.

The docker-compose file creates three containers:

  • Frontend
  • Backend
  • Neo4j
git clone https://github.com/Azure/Stormspotter
cd Stormspotter
docker-compose up -d

Stormspotter Frontend will expose a WebUI on port 9091.

Neo4j will be exposed on port 7474 (HTTP) amd 7687 (Bolt).

Default credentials are specified in the docker-compose file. These should be changed.

Docker-compose password

Execution

Stormcollector

  1. Download the relevant package from Stormspotter Releases
  2. Login via az login --allow-no-subscriptions
  3. Execute the stormcollector pyz file to collect Azure objects.
cd stormcollector
python3 sscollector.pyz cli
  1. Locate the output in the stormcollector folder with the pyz file. Stormspotter-output

  2. Upload to StormCollector UI

  3. Check logs in backend to see processing status Processing-status

  4. Complete. Enjoy!