What is AzureHound? How Threat Actors Use the AzureHound Tool to Map Your Azure Environment

AzureHound Tool For Cloud Based Tactics

Nation-state threat actors including Void Blizzard and ransomware operators like Storm-0501 are actively misusing the AzureHound tool to conduct reconnaissance within enterprise Azure cloud environments (Palo Alto Networks).

What is AzureHound? It is a data collection tool that has become one of the most effective and alarming cloud discovery tools currently being weaponized. By default, Microsoft Graph activity logs are not enabled (Unit 42), meaning these reconnaissance operations often leave no trace in standard Azure activity logs. If your organization hasn't enabled advanced Graph logging, you're essentially blind to this critical threat.


The Active Threat Landscape

Threat actors are demonstrating a sharp focus on cloud-based tactics. For instance, Storm-0501 has continuously evolved its campaigns, shifting its primary objective from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics (Microsoft). The group leveraged the AzureHound tool to map relationships and permissions in Azure environments and, consequently, find potential attack paths and escalations (Microsoft).

The tool's effectiveness is alarming. AzureHound transforms complex text data into a visual map of potential attack paths, allowing adversaries to efficiently plan privilege escalation and lateral movement (Unit 42). Within hours, threat actors can enumerate your entire cloud estate, including virtual machines, key vaults, and storage accounts, all while potentially avoiding detection.

In May 2025, Microsoft reported that Void Blizzard, assessed with high confidence to be Russia-affiliated, has been using AzureHound during the discovery phase of their attacks to enumerate Entra ID configurations (Microsoft). This nation-state actor has been targeting critical sectors including telecommunications, government, and defense across NATO member states and Ukraine.


The Visibility Gap

The critical issue: While you might be monitoring standard Azure activity, some AzureHound requests call the Azure REST API at the management.azure.com ARM endpoint. These requests are logged differently than Graph API calls and present unique visibility challenges (Unit 42). Many enumeration commands executed by the AzureHound tool leave no trace in standard Azure activity logs.

Microsoft Graph activity logs, which address this gap, reached general availability only in April 2024 (Unit 42). Yet most organizations haven't enabled them, creating a massive blind spot in their cloud security posture.

Without proper logging configured, an attacker could silently:

  • Map your entire user hierarchy and administrative structure
  • Identify all Global Administrator accounts
  • Enumerate every storage account and key vault
  • Discover misconfigured permissions and access rights

This critical reconnaissance happens without triggering standard security alerts, enabling attackers to plan their next move undetected.


Understanding AzureHound for Testing and Defense

Before you can defend against AzureHound, you have to understand what it is and how it functions. Security teams should actively use the AzureHound tool in controlled testing environments (Red Team/Blue Team exercises) to identify their own vulnerabilities.

AzureHound is part of the BloodHound suite, originally created for legitimate security testing. Written in the Go programming language and available precompiled for Windows, Linux, and macOS (Unit 42), it collects data through Microsoft Graph and Azure REST APIs.

Quick Guide: Downloading and Installing AzureHound

The easiest way to obtain the AzureHound tool is by downloading the pre-compiled binary for your operating system from the official BloodHound GitHub Repository releases page.

  1. Download: Navigate to the BloodHound/AzureHound releases page on GitHub and download the appropriate binary (e.g., azurehound.exe for Windows).
  2. Install: Place the executable in a working directory. No formal installation process is required as it’s a standalone binary.

Testing Command Example (Using a JWT):

For security testing purposes, you can run AzureHound by authenticating with a JSON Web Token (JWT) obtained from an existing session to collect data:

    .\azurehound.exe list -t TENANTID -j $JWT -o tenant.json

The resulting tenant.json file can then be ingested into the BloodHound application for graphical visualization and analysis.

How AzureHound Uses Stolen Credentials

Once initial access is gained (whether through a password or a token), the attacker uses that compromised identity to run the AzureHound tool.

AzureHound is flexible and can authenticate using various forms of stolen access:

  Authentication Method    | Source of Stolen Access                                  | Security Status
  -------------------------|---------------------------------------------------------|---------------------------------------------------------------------------
  Username/Password        | Direct credential theft                                 | Often blocked by MFA (unless MFA is weak or not enforced)
  Refresh Token            | Stolen via AiTM phishing or infostealer malware         | Bypasses MFA and can be used to mint new Access Tokens for long-term access
  JSON Web Token (JWT)     | Stolen from a live session (Access Token)               | Grants immediate, but shorter-term, access to APIs
  Service Principal Secret | Stolen from a misconfigured Azure resource or Key Vault | Grants access to the resource's permissions, often without MFA

The attacker's goal is to acquire a Refresh Token or a Service Principal Secret, as these provide silent, long-term access with high privileges, allowing them to run AzureHound repeatedly for comprehensive reconnaissance.

The reconnaissance phase where AzureHound is used always occurs after the initial access phase, using the stolen credentials or token to query your environment and map out an attack path.

What Makes It So Effective

The tool requires no special network positioning; both Microsoft Graph and Azure REST APIs are accessible from external locations (GBHackers). This means an attacker doesn't need to be inside your network to map your entire cloud infrastructure.

The integration with BloodHound's visualization is the key differentiator. It transforms raw API data into graphical attack paths, allowing security teams to immediately see:

  • Which users have paths to Global Administrator
  • Misconfigured service principals with excessive permissions
  • Weak points in your conditional access policies

Detection and Prevention Strategies

1. Enable Microsoft Graph Activity Logs Immediately

This is your first and most critical step. Configure Microsoft Entra ID to export Microsoft Graph activity logs to destinations such as Azure Event Hubs (Unit 42).

2. Hunt for AzureHound Indicators

Look for these specific patterns in your cloud logs:

  • User-agent strings containing "azurehound"
  • Rapid enumeration of multiple Graph endpoints
  • Bulk API calls to list users, groups, and role assignments
  • Unusual spikes in Graph API activity from single identities

3. Implement Strong Identity Controls

Conditional Access Policies help mitigate exposure to AzureHound by restricting user and application access (Unit 42). Ensure you have:

  • MFA enforced for all administrative accounts
  • Just-in-time access through Privileged Identity Management (PIM)
  • Restricted app registration permissions
  • Token protection to prevent replay attacks

4. Monitor for Specific Commands

Defenders should monitor for specific AzureHound commands like list users, list groups, list role-assignments, and list storage-accounts (GBHackers). These specific queries, particularly when executed rapidly, are a strong signal of potential reconnaissance activity.
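As an added example (not code from the original post or from the BloodHound project), the following Python hunt applies the two indicators from sections 2 and 4, a user agent containing "azurehound" and one identity rapidly listing several directory endpoints, to constructed log records whose field names follow the MicrosoftGraphActivityLogs table; the sample events, the five-minute window and the three-endpoint threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Graph directory endpoints that bulk enumeration sweeps (lower-cased, version stripped)
ENUM_PATHS = {"/users", "/groups", "/serviceprincipals", "/applications", "/devices",
              "/rolemanagement/directory/roleassignments"}

def ev(ts, user, agent, uri):
    """Build one record with MicrosoftGraphActivityLogs-style field names."""
    return {"TimeGenerated": ts, "UserId": user, "UserAgent": agent, "RequestUri": uri}

G = "https://graph.microsoft.com"
# Constructed sample records, not real telemetry. user-a: AzureHound default agent;
# user-b: same sweep behind a browser agent; user-c: benign single profile read.
SAMPLE_EVENTS = [
    ev("2025-05-01T10:00:00Z", "user-a", "azurehound/2.0", G + "/beta/users?$top=999"),
    ev("2025-05-01T10:00:02Z", "user-a", "azurehound/2.0", G + "/beta/groups?$top=999"),
    ev("2025-05-01T10:00:03Z", "user-a", "azurehound/2.0", G + "/beta/roleManagement/directory/roleAssignments"),
    ev("2025-05-01T10:00:04Z", "user-a", "azurehound/2.0", G + "/beta/servicePrincipals"),
    ev("2025-05-01T11:00:00Z", "user-b", "Mozilla/5.0", G + "/v1.0/users"),
    ev("2025-05-01T11:00:01Z", "user-b", "Mozilla/5.0", G + "/v1.0/groups"),
    ev("2025-05-01T11:00:01Z", "user-b", "Mozilla/5.0", G + "/v1.0/devices"),
    ev("2025-05-01T12:00:00Z", "user-c", "Mozilla/5.0", G + "/v1.0/me"),
]

def graph_path(uri):
    """'/beta/users?$top=999' -> '/users': drop host, API version and query string."""
    path = urlparse(uri).path.lower()
    for version in ("/v1.0", "/beta"):
        if path.startswith(version):
            path = path[len(version):]
    return path

def hunt(events, window=timedelta(minutes=5), min_endpoints=3):
    """Flag identities whose agent says 'azurehound' or that hit >= min_endpoints ENUM_PATHS within window."""
    hits, per_user = defaultdict(set), defaultdict(list)
    for e in events:
        if "azurehound" in e["UserAgent"].lower():
            hits[e["UserId"]].add("user-agent contains 'azurehound'")
        ts = datetime.strptime(e["TimeGenerated"], "%Y-%m-%dT%H:%M:%SZ")
        per_user[e["UserId"]].append((ts, graph_path(e["RequestUri"])))
    for user, calls in per_user.items():
        calls.sort()
        for i, (start, _) in enumerate(calls):
            seen = {p for t, p in calls[i:] if t - start <= window and p in ENUM_PATHS}
            if len(seen) >= min_endpoints:
                hits[user].add(f"{len(seen)} directory list endpoints within {window}")
                break
    return {u: sorted(r) for u, r in hits.items()}
```

The second identity shows why the rate rule matters: the user agent is set by the client and is easy to change, whereas a sweep across the list endpoints is harder to hide and shows up regardless of the agent string.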

Which SIEM tool do you use to collect these events? Check this article where I discuss options.


Summary

The active weaponization of the AzureHound tool by both nation-state actors and major ransomware groups demands immediate action. The shift from endpoint ransomware to cloud-native attacks is a fundamental change in the threat landscape.

Your cloud security strategy must address these critical areas:

  • Visibility: Enable Microsoft Graph activity logs and integrate them with your SIEM.
  • Identity Controls: Implement PIM, enforce MFA, and restrict administrative access.
  • Detection: Deploy hunting queries for AzureHound patterns.
  • Testing: Use AzureHound proactively to identify your own vulnerabilities.

Tools like AzureHound give attackers unprecedented visibility into your cloud infrastructure if you let them.

Understanding your current security posture is the first step. Check out my recent post on Cloud Security Fundamentals to build a stronger foundation against these evolving threats.

