BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on Microsoft's Azure suite of products and services.
BARK requires no third party dependencies. BARK's functions are designed to be as simple and maintainable as possible. Most functions are very simple wrappers for making requests to various REST API endpoints. BARK's basic functions do not even require each other - you can pull almost any BARK function out of BARK and it will work perfectly as a standalone function in your own scripts.
Primary author: Andy Robbins @_wald0
Contributors:
- Jonas Bülow Knudsen @Jonas_B_K
- Fabian Bader @fabian_bader
- CravateRouge @CravateRouge
- g60ocR @g60ocR
There are many ways to import a PowerShell script. Here's one way:
First, download BARK.ps1 by cloning this repo or simply copy/pasting its raw contents from GitHub.
git clone https://github.com/BloodHoundAD/BARK
Now, cd into the directory where the PS1 is:
cd BARK
Finally, you can dot import the PS1 like this:
. .\BARK.ps1
Hit enter, and your PowerShell instance will now have access to all of BARK's functions.
With very few exceptions, Azure API endpoints require authentication to interact with. BARK comes with a few functions that will help you acquire the necessary tokens for interacting with the MS Graph and Azure REST APIs. Any BARK function that interacts with an Azure API that requires authentication will require you to supply a token.
Let's say you want to list all of the users in an Entra ID tenant. You first need to get a token scoped for MS Graph. There are many ways to get this token:
If you have a username/password combination for an Entra user in that tenant, you can first acquire a refresh token for the user using BARK's Get-EntraRefreshTokenWithUsernamePassword function:
$MyRefreshTokenRequest = Get-EntraRefreshTokenWithUsernamePassword -username "arobbins@contoso.onmicrosoft.com" -password "MyVeryCoolPassword" -TenantID "contoso.onmicrosoft.com"
The resulting object you just created, $MyRefreshTokenRequest, will have as part of it a refresh token for your user. You can now request an MS Graph-scoped token using this refresh token:
$MyMSGraphToken = Get-MSGraphTokenWithRefreshToken -RefreshToken $MyRefreshTokenRequest.refresh_token -TenantID "contoso.onmicrosoft.com"
Now this new object, $MyMSGraphToken, will have as one of its property values an MS Graph-scoped JWT for your user. You are now ready to use this token to list all the users in the Entra tenant:
$MyUsers = Get-AllEntraUsers -Token $MyMSGraphToken.access_token -ShowProgress
Once finished, the $MyEntraUsers variable will be populated by objects representing all of the users in your Entra tenant.
Get-AzureKeyVaultTokenWithClientCredentialsrequests a token from STS with Azure Vault specified as the resource/intended audience using a client ID and secret.Get-AzureKeyVaultTokenWithUsernamePasswordrequests a token from STS with Azure Vault specified as the resource/intended audience using a user-supplied username and password.Get-AzurePortalTokenWithRefreshTokenrequests an Azure Portal Auth Refresh token with a user-supplied refresh token.Get-AzureRMTokenWithClientCredentialsrequests an AzureRM-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.Get-AzureRMTokenWithPortalAuthRefreshTokenrequests an AzureRM-scoped JWT with a user-supplied Azure Portal Auth Refresh token.Get-AzureRMTokenWithRefreshTokenrequests an AzureRM-scoped JWT with a user-supplied refresh token.Get-AzureRMTokenWithUsernamePasswordrequests an AzureRM-scoped JWT with a user-supplied username and password.Get-EntraRefreshTokenWithUsernamePasswordrequests a collection of tokens, including a refresh token, from login.microsoftonline.com with a user-supplied username and password. This will fail if the user has Multi-Factor Authentication requirements or is affected by a Conditional Access Policy.Get-MSGraphTokenWithClientCredentialsrequests an MS Graph-scoped JWT with a client ID and secret. Useful for authenticating as an Entra service principal.Get-MSGraphTokenWithPortalAuthRefreshTokenrequests an MS Graph-scoped JWT with a user-supplied Azure Portal Auth Refresh token.Get-MSGraphTokenWithRefreshTokenrequests an MS Graph-scoped JWT with a user-supplied refresh token.Get-MSGraphTokenWithUsernamePasswordrequests an MS Graph-scoped JWT with a user-supplied username and password.Parse-JWTTokenwill take a Base64 encoded JWT as input and parse it for you. Useful for verifying correct token audience and claims.
The refresh token-based functions in BARK are based on functions in TokenTactics by Steve Borosh.
Get-AllEntraAppscollects all Entra application registration objects.Get-AllEntraGroupscollects all Entra groups.Get-AllEntraRolescollects all Entra admin roles.Get-AllEntraServicePrincipalscollects all Entra service principal objects.Get-AllEntraUserscollects all Entra users.Get-EntraAppOwnercollects owners of an Entra app registration.Get-EntraDeviceRegisteredUserscollects users of an Entra device.Get-EntraGroupMemberscollects members of an Entra group.Get-EntraGroupOwnercollects owners of an Entra group.Get-EntraRoleTemplatescollects Entra admin role templates.Get-EntraServicePrincipalcollects an Entra service principal.Get-EntraServicePrincipalOwnercollects owners of an Entra service principal.Get-EntraTierZeroServicePrincipalscollects Entra service principals that have a Tier Zero Entra Admin Role or Tier Zero MS Graph App Role assignment.Get-MGAppRolescollects the app roles made available by the MS Graph service principal.
Get-AllAzureManagedIdentityAssignmentscollects all managed identity assignments.Get-AllAzureRMAKSClusterscollects all kubernetes service clusters under a subscription.Get-AllAzureRMAutomationAccountscollects all automation accounts under a subscription.Get-AllAzureRMAzureContainerRegistriescollects all container registies under a subscription.Get-AllAzureRMFunctionAppscollects all function apps under a subscription.Get-AllAzureRMKeyVaultscollects all key vaults under a subscription.Get-AllAzureRMLogicAppscollects all logic apps under a subscription.Get-AllAzureRMResourceGroupscollects all resouce groups under a subscription.Get-AllAzureRMSubscriptionscollects all AzureRM subscriptions.Get-AllAzureRMVMScaleSetsVMscollects all virtual machines under a VM scale set.Get-AllAzureRMVMScaleSetscollects all virtual machine scale sets under a subscription.Get-AllAzureRMVirtualMachinescollects all virtual machines under a subscription.Get-AllAzureRMWebAppscollects all web apps under a subscription.Get-AzureAutomationAccountRunBookOutputruns an automation account runbook and retrieves its output.Get-AzureFunctionAppFunctionFilecollects the raw file (usually source code) of a function app function.Get-AzureFunctionAppFunctionscollects all functions under a function app.Get-AzureFunctionAppMasterKeyscollects all master keys under a function app.Get-AzureFunctionOutputruns a function app function and retrieves its output.Get-AzureRMKeyVaultSecretValuecollects a key vault secret value.Get-AzureRMKeyVaultSecretVersionscollects all versions of a key vault secret.Get-AzureRMKeyVaultSecretscollects all secrets under a key vault.Get-AzureRMRoleAssignmentscollects all role assignments against an object.Get-AzureRMRoleDefinitionscollects all role definitions described at a subscription scope, including custom roles.Get-AzureRMWebAppcollects a web app.
Get-IntuneManagedDevicescollects Intune-managed devices.Get-IntuneRoleDefinitionscollects available Intune role definitions.
Add-MemberToEntraGroupwill attempt to add a principal to an Entra group.Enable-EntraRolewill attempt to enables (or "activate") the Entra role.New-EntraAppOwnerwill attempt to add a new owner to an Entra app.New-EntraAppRoleAssignmentwill attempt to grant an app role to a service principal. For example, you can use this to grant a service principal the RoleManagement.ReadWrite.Directory app role.New-EntraAppSecretwill attempt to create a new secret for an existing Entra app registration.New-EntraGroupOwnerwill attempt to add a new owner to an Entra group.New-EntraRoleAssignmentwill attempt to assign an Entra admin role to a specified principal.New-EntraServicePrincipalOwnerwill attempt to will attempt to add a new owner to an Entra service principal.New-EntraServicePrincipalSecretwill attempt to create a new secret for an existing Entra service principal.Reset-EntraUserPasswordwill attempt to reset the password of another user. If successful, the output will contain the new, Azure-generated password of the user.Set-EntraUserPasswordwill attempt to set the password of another user to a new user-provided value.
Invoke-AzureRMAKSRunCommandwill instruct the AKS cluster to execute a command.Invoke-AzureRMVMRunCommandwill attempt to execute a command on a VM.Invoke-AzureRMWebAppShellCommandwill attempt to execute a command on a web app container.Invoke-AzureVMScaleSetVMRunCommandwill attempt to execute a command on a VM Scale Set VM.New-AzureAutomationAccountRunBookwill attempt to add a runbook to an automation account.New-AzureKeyVaultAccessPolicywill attempt to grant a principal "Get" and "List" permissions on a key vault's secrets, keys, and certificates.New-AzureRMRoleAssignmentwill attempt to grant a user-specified AzureRM role assignment to a particular principal over a certain scope.New-PowerShellFunctionAppFunctionwill attempt to create a new PowerShell function in a function app.
ConvertTo-Markdownis used for massaging output from the Invoke-Tests functions for usage in another platform.Invoke-AllAzureMGAbuseTestsperforms all abuse validation tests that can be executed by holding an MS Graph app role. Returns an object describing which privileges were successful at performing each abuse test.Invoke-AllAzureRMAbuseTestsperforms all AzureRM abuse validation tests and outputs a resulting object that describes which AzureRM roles granted the ability to perform each abuse.Invoke-AllEntraAbuseTestsperforms all abuse validation tests that can be executed by principals granted Entra admin roles. Returns an object describing which privileges were successful at performing each abuse test.New-EntraIDAbuseTestSPscreates a new service principal per active Entra admin role and grants each service principal the appropriate role. Returns plain text credentials created for each service prinicpal.New-EntraIDAbuseTestUserscreates a new user per active Entra admin role and grants each user the appropriate role. Returns plain text credentials created for each user.New-IntuneAbuseTestUserscreates a new user per Intune role and grants each user the appropriate role. Returns plain text credentials created for each user.New-MSGraphAppRoleTestSPscreates a new service principal per MS Graph app role and grants each service principal the appropriate role. Returns plain text credentials created for each service prinicpal.New-TestAppRegcreates an application registration object for the explicit purpose of abuse validation testing.New-TestSPcreates a new service principal and associates it with the app created by the above function.Remove-AbuseTestAzureRMRolesis a clean-up function for removing AzureRM admin roles created during testing.Remove-AbuseTestServicePrincipalscleans up abuse tests by removing the serivce principals that were created during testing.Test-AzureRMAddSelfToAzureRMRoleused in abuse validation testing to determine whether a service principal with certain rights can grant itself the User Access Admin role over a subscription.Test-AzureRMCreateFunctionused in abuse validation testing to test if a service principal can add a new function to an existing function app.Test-AzureRMPublishAutomationAccountRunBookis used to test whether a service principal can publish a new runbook to an existing automation account.Test-AzureRMVMRunCommandis used to test whether a principal can run a command on an existing VM.Test-MGAddMemberToNonRoleEligibleGroupis used to test whether the service principal can add itself to a non-role eligible group.Test-MGAddMemberToRoleEligibleGroupis used to test whether the service principal can add itself to a role eligible group.Test-MGAddOwnerToNonRoleEligibleGroupis used to test whether a service principal can grant itself explicit ownership of a non-role eligible group.Test-MGAddOwnerToRoleEligibleGroupis used to test whether a service principal can grant itself explicit ownership of a role eligiblee group.Test-MGAddRootCACertis used to test whether a service principal can add a new Root CA cert to the tenant.Test-MGAddSecretToAppis used to test whether the service principal can add a new secret to an existing app.Test-MGAddSecretToSPis used to test whether the service principal can add a new secret to an existing service principal.Test-MGAddSelfAsOwnerOfAppis used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing Entra app.Test-MGAddSelfAsOwnerOfSPis used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself ownership of an existing Entra service principal.Test-MGAddSelfToEntraRoleis used in abuse validation testing to determine whether a service principal with a particular privilege can add itself to an Entra admin role - Global Admin, for example.Test-MGAddSelfToMGAppRoleis used in abuse validation testing to determine whether a service principal with a particular privilege can grant itself a particular MS Graph app role without admin consent.