{
	"id": "c6486c4e-8bfc-4c57-b2e0-4839b4b12477",
	"created_at": "2026-04-06T00:14:47.537998Z",
	"updated_at": "2026-04-10T03:21:19.87853Z",
	"deleted_at": null,
	"sha1_hash": "c1795975d04cf8132ab2771fe9e2f308e8f2f4a1",
	"title": "GitHub - Azure/Stormspotter: Azure Red Team tool for graphing Azure and Azure Active Directory objects",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 467973,
	"plain_text": "GitHub - Azure/Stormspotter: Azure Red Team tool for graphing\r\nAzure and Azure Active Directory objects\r\nBy legra-ms\r\nArchived: 2026-04-05 16:02:17 UTC\r\nVersion 1.0.0b\r\npython 3.8\r\nStormspotter creates an “attack graph” of the resources in an Azure subscription. It enables red teams and\r\npentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders\r\nto quickly orient and prioritize incident response work.\r\nInstallation\r\nWith Docker\r\nMost users may find it easier to install Stormspotter via Docker. This is the recommended method.\r\ngit clone https://github.com/Azure/Stormspotter\r\ndocker-compose up\r\nhttps://github.com/Azure/Stormspotter\r\nPage 1 of 6\n\nThe docker-compose file will create three containers:\r\nStormspotter Frontend\r\nStormspotter Backend\r\nNeo4j v4\r\nBy default, the Stormspotter container will expose the UI on port 9091. The neo4j container will expose neo4j on\r\nports 7474 (HTTP), and 7687 (Bolt). Default configuration of Neo4j does not have SSL enabled, therefore you\r\nmay initially interact directly with the neo4j interface on port 7474.\r\nNote: Currently, Stormspotter only supports running these containers locally. Attempting to upload to the frontend\r\nhosted remotely will be unsuccessful but this behavior is expected to change in the future.\r\nThe default credentials for neo4j are: neo4j/password. You can change this in the docker-compose file via the\r\nNEO4J_AUTH environment variable.\r\nWithout Docker\r\nIf you choose to run Stormspotter without Docker, you must have Python 3.8, NodeJS/npm, and Neo4j installed.\r\nYou can also grab the latest Stormspotter releases from here.\r\nBackend\r\nThe backend handles parsing data into Neo4j and is built with FastAPI. If you don't plan on uploading new content for\r\nthe database, you may not need to run the backend at all. The backend is configured to run on port 9090. 
You may\r\nchange this by changing the port number on line 5 of app.py. If you do, you must also change the port in the Q-Uploader component in the DatabaseView Component so that the uploads from the frontend get sent to the correct\r\nport where the backend resides.\r\ncd backend\r\npython3 ssbackend.pyz\r\nWeb App\r\nThe web app is developed using Vue and the Quasar Framework. The single-page app (SPA) has been built for\r\nyou and resides in frontend/dist/spa . To serve this directory:\r\nnpm install -g @quasar/cli\r\ncd frontend/dist/spa\r\nquasar serve -p 9091 --history\r\nYou can then visit http://localhost:9091 in your browser.\r\nRunning Stormspotter\r\nStormcollector\r\nStormcollector is the portion of Stormspotter that allows you to enumerate the subscriptions the provided\r\ncredentials have access to. The RECOMMENDED way to use Stormcollector is to run the sscollector.pyz\r\npackage, found in the release file for your operating system. This PYZ has been created with Shiv and comes with\r\nall the packages already zipped up! The dependencies will extract themselves to a .shiv folder in the user's\r\nhome directory.\r\ncd stormcollector\r\npython3 sscollector.pyz -h\r\nIf for some reason you don't want to use the provided package, you may install the required packages with pip\r\nor pipenv . With this approach, it's highly recommended to install Stormcollector in a virtual environment to\r\nprevent package conflicts. If you have issues managing your virtual environments, you should use the\r\nrecommended method above.\r\ncd stormcollector\r\npython3 -m pip install pipenv\r\npipenv install .\r\npython3 ./sscollector.py\r\nCurrent login types supported:\r\nAzure CLI (must use az login first)\r\nService Principal Client ID/Secret\r\nYou can check out all of the options Stormcollector offers by using the -h switch as shown above. 
The most\r\nbasic usages of Stormcollector are:\r\npython3 sscollector.pyz cli\r\npython3 sscollector.pyz spn -t \u003ctenant\u003e -c \u003cclientID\u003e -s \u003cclientSecret\u003e\r\nCommon options for all authentication types\r\n--cloud: Specify a different Azure Cloud (GERMAN, CHINA, USGOV)\r\n--config: Specify a custom configuration for cloud environments\r\n--azure: Only enumerate Azure Resource Manager resources\r\n--aad: Only enumerate Azure Active Directory\r\n--subs: Subscriptions you wish to scan. Multiple subscriptions can be added as a space-delimited list.\r\n--nosubs: Subscriptions you wish to exclude. Multiple subscriptions can be excluded as a space-delimited\r\nlist.\r\n--json: Convert SQLite output to JSON (WARNING: STORMSPOTTER ONLY PARSES SQLITE\r\nFORMAT)\r\nThis option is useful if you want to parse the output for reasons other than Stormspotter.\r\n--ssl-cert: Specify an SSL cert for Stormcollector to use for requests. Not a common option\r\n--backfill: Perform AAD enumeration only for object IDs associated with RBAC enumeration. Only\r\napplicable when --azure is specified.\r\nUploading Results\r\nOnce you've started up the UI, you will see a section in the database tab labeled \"Stormcollector Upload\". Add\r\nyour file to this uploader and the processing will begin. As the results get processed, you can check the backend\r\nlogs to view progress, and the results should also be reflected in the same Database View tab.\r\nNotes\r\nWith Stormspotter currently in beta, not all resource types have been implemented for display. You may see\r\nlabels with missing icons and/or simply display the \"name\" and \"id\" fields. 
Over time, more resources will\r\nbe properly implemented.\r\nKnown Issues\r\nCheck for known issues before submitting one.\r\nScreenshots\r\nView Permissions on a KeyVault\r\nShow Members of an Azure AD Role\r\nShow Incoming and Outgoing Relationships\r\nContributing\r\nThis project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor\r\nLicense Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your\r\ncontribution. For details, visit https://cla.opensource.microsoft.com.\r\nWhen you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and\r\ndecorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot.\r\nYou will only need to do this once across all repos using our CLA.\r\nThis project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of\r\nConduct FAQ or contact opencode@microsoft.com with any additional questions or comments.\r\nSource: https://github.com/Azure/Stormspotter",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/Azure/Stormspotter"
	],
	"report_names": [
		"Stormspotter"
	],
	"threat_actors": [],
	"ts_created_at": 1775434487,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1795975d04cf8132ab2771fe9e2f308e8f2f4a1.pdf",
		"text": "https://archive.orkl.eu/c1795975d04cf8132ab2771fe9e2f308e8f2f4a1.txt",
		"img": "https://archive.orkl.eu/c1795975d04cf8132ab2771fe9e2f308e8f2f4a1.jpg"
	}
}