Azure Virtual Machine Execution Techniques
In Azure, there are several ways to execute commands on a running virtual machine aside from using RDP or SSH to remote in and open a shell. One of the common ways to accomplish this in Azure is through the Run Command feature that is present on all Azure Virtual Machines. Since this is commonly…
Abusing and Detecting Alternative Data Channel Command Execution on Azure Virtual Machines
Currently, command execution on virtual machines (VMs) in Azure happens through the cmdlet Invoke-AzVMRunCommand. There are other specific ways, such as using an Azure Runbook if a RunAs account is being used. However, after some experimentation, there is another data channel on Azure VMs that can be abused to allow an attacker to run commands…
Attacking Azure & Azure AD, Part II
Abstract: When I published my first article, Attacking Azure & Azure AD and Introducing PowerZure, I had no idea I was just striking the tip of the iceberg. Over the past eight months, my co-worker Andy Robbins and I have continued to do a lot of research on the Azure front. We’ve recently found some…
Attacking Azure, Azure AD, and Introducing PowerZure
Over the past decade, Azure’s presence in businesses has grown significantly as new features and support were added to Azure. The purpose of this article is to cover three main points: Explain the components of Azure and how they fit into a modern IT environment. Explain how certain things within Azure can be leveraged from…
AzureHound Cypher Cheatsheet
List of Cypher queries to help analyze AzureHound data. Queries under ‘GUI’ are intended for the BloodHound GUI (Settings > Query Debug Mode). Queries under ‘Console’ are intended for the Neo4j console (usually located at http://localhost:7474). Download the ‘Custom Queries’ JSON file here: https://github.com/hausec/Bloodhound-Custom-Queries. GUI: Return All Azure Users that are part of the ‘Global Administrator’ Role…