Azure Command Line Forensics - Host Based Artifacts
![Image](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_lI0Cb0EWo2uC4Q5DrJ2Vi0XZHogtt2sxWa6ZqvdofVHn0ZyAV109D5rc-WSCPH9n38PITJIsma3nNGaX4PdoxMbvEq7H_5fyPdA9I7nCiA-h4aIHrWIEWVz6GJkGvU09vsSJ4tDe5-zWKRgi9yjDTGHyf2fgJ_5CI8WWUJAEbl2M5rdn3INhssF5UA/s16000/Screen%20Shot%202023-03-09%20at%205.40.17%20pm.png)
On most of the on-premises to cloud lateral movement compromises I've worked relating to Azure, threat actors typically leverage a number of different command-line focused tools. They use these tools to enumerate the victim's Azure environment, backdoor Active Directory, establish persistence in various ways and move laterally. These are generally one or a combination of the following (this is not a comprehensive list, just examples):

- AADInternals
- Azure CLI
- AzureAD PowerShell

Threat actors run these tools on servers and hosts of interest, e.g. AD FS servers and AD CS servers, to abuse pass-through authentication or identity federation. The Azure CLI has also been leveraged by attackers to perform various enumeration and reconnaissance style attacks. If you want more detailed information around how to detect and perform attacks against Azure and Microsoft 365, check out my "Attacking and Defending Azure / M365" course.

High-Level Methodology

First to perform t
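As an added example (not code from the original post), the following PowerShell triage function shows where the first of the tools listed above, the Azure CLI, leaves host-based traces, and how a responder can sweep a Windows host such as an AD FS or AD CS server for them. It relies on two Azure CLI facts: the CLI keeps its state in a `.azure` directory in each user's profile, and `azureProfile.json` in that directory records the signed-in identity, tenant and subscriptions under a `subscriptions` array. The `-ProfilesRoot` parameter, the live-response module check and the choice of output fields are this example's own assumptions, not something the post prescribes.

```powershell
# Added example: sweep every user profile on a Windows host for Azure CLI
# artifacts. Paths and the azureProfile.json layout are Azure CLI facts;
# the function and its output shape are assumptions made for this example.
function Get-AzCliArtifacts {
    param(
        # Directory that holds the user profiles. Defaults to the live host's
        # profile root (normally C:\Users); point it at a mounted image instead
        # for offline triage.
        [string]$ProfilesRoot = (Split-Path $env:USERPROFILE -Parent)
    )

    foreach ($profileDir in Get-ChildItem -Path $ProfilesRoot -Directory -ErrorAction SilentlyContinue) {
        $azDir = Join-Path $profileDir.FullName '.azure'
        if (-not (Test-Path $azDir)) { continue }

        # Everything under .azure is worth preserving; the write timestamps
        # bound the window in which the CLI was used from this profile.
        $files = @(Get-ChildItem -Path $azDir -Recurse -File -ErrorAction SilentlyContinue)
        $sorted = $files | Sort-Object LastWriteTime

        # azureProfile.json lists the account(s) that logged in with `az login`
        # and the tenant/subscriptions they could see.
        $identities = @()
        $profileJson = Join-Path $azDir 'azureProfile.json'
        if (Test-Path $profileJson) {
            $azProfile = Get-Content -Path $profileJson -Raw | ConvertFrom-Json
            foreach ($sub in $azProfile.subscriptions) {
                $identities += [pscustomobject]@{
                    User         = $sub.user.name   # UPN or service principal app id
                    UserType     = $sub.user.type   # 'user' or 'servicePrincipal'
                    TenantId     = $sub.tenantId
                    Subscription = $sub.name
                }
            }
        }

        [pscustomobject]@{
            Profile     = $profileDir.Name
            AzureDir    = $azDir
            FileCount   = $files.Count
            FirstWrite  = if ($sorted) { $sorted[0].LastWriteTime }  else { $null }
            LastWrite   = if ($sorted) { $sorted[-1].LastWriteTime } else { $null }
            # Per-command log files the CLI writes under .azure\commands; their
            # names carry the timestamp and command that was run.
            CommandLogs = @($files | Where-Object { $_.DirectoryName -like '*\commands' } |
                            Select-Object -ExpandProperty Name)
            Identities  = $identities
        }
    }
}

# Live-response only (module metadata is not read from an offline image):
# note whether the PowerShell-based tools from the list above are installed.
function Get-AzureAttackModules {
    Get-Module -ListAvailable -Name 'AADInternals', 'AzureAD', 'AzureADPreview', 'Az.Accounts' |
        Select-Object Name, Version, Path
}

Get-AzCliArtifacts | Format-List
Get-AzureAttackModules | Format-Table -AutoSize
```

Run it with elevated rights so every profile directory is readable, and copy the `.azure` directories it reports before any further analysis, since the token cache and session files inside them are what the rest of the investigation will hinge on.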