RFC - Offensive Security Notes

Az.Powershell


Overview

The Az PowerShell module is a wrapper around the Azure REST API, meaning when you run a PowerShell cmdlet like Get-AzKeyVault or Get-AzResource, under the hood it makes authenticated HTTP calls to Azure's REST endpoints.

🔍 So, what endpoint does Az PowerShell use?

Each Az PowerShell cmdlet maps to a specific Azure Resource Manager (ARM) REST API endpoint, depending on the resource type and operation.

Here’s how it works:

| PowerShell Cmdlet | Underlying Azure REST API Endpoint |
| --- | --- |
| Get-AzResource | GET https://management.azure.com/subscriptions/{subscriptionId}/resources?api-version=2021-04-01 |
| Get-AzKeyVault | GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{vaultName}?api-version=2023-02-01 |
| New-AzRoleAssignment | PUT https://management.azure.com{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentGuid}?api-version=2022-04-01 |
| Get-AzRoleAssignment | GET https://management.azure.com{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01 |

The actual api-version used may vary depending on the cmdlet version and installed module.


🧠 How to see the exact REST call being made?

Use:

$DebugPreference = "Continue"
Get-AzResource

This will print HTTP request and response info to the console — including the full URI and headers.
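The following is an added example, not part of the original notes: it parses captured debug text into a list of ARM calls (method, path, api-version) so you can review which endpoints a script actually touches. The function name Get-ArmCallFromDebugText is hypothetical, the sample text is constructed with placeholder IDs, and the "HTTP Method:" / "Absolute Uri:" labels are assumed to match what your installed Az version prints.

```powershell
# Constructed sample of Az debug-stream text (all IDs are placeholders).
# Assumption: the labels below match the layout your Az module version prints.
$SampleDebugText = @'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resources?api-version=2021-04-01

Headers:
x-ms-client-request-id        : 11111111-1111-1111-1111-111111111111

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01
'@

function Get-ArmCallFromDebugText {
    # Hypothetical helper (not an Az cmdlet): one object per HTTP request found.
    param([Parameter(Mandatory)][string] $Text)

    $pattern = 'HTTP Method:\s*(?<method>[A-Z]+)\s+Absolute Uri:\s*(?<uri>\S+)'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $uri = [uri]$m.Groups['uri'].Value
        # Pull api-version out of the query string; $null when it is absent.
        $apiVersion = if ($uri.Query -match 'api-version=([^&]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{
            Method     = $m.Groups['method'].Value
            HostName   = $uri.Host
            Path       = $uri.AbsolutePath
            ApiVersion = $apiVersion
        }
    }
}

Get-ArmCallFromDebugText -Text $SampleDebugText | Format-Table -AutoSize
```

For live use, set $DebugPreference as shown above, capture the debug stream with `5>&1`, convert it to text with Out-String, and pass that text to the function.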

Authentication

FOCI token required

# using TokenTactics
Invoke-RefreshToAzureManagementToken -Domain {domain} -refreshToken {refresh_token}

Connect-AzAccount

Connect-AzAccount -AccessToken $accesstoken -AccountId {account_id}

Enumeration

Azure Resource Management

After authenticating and connecting to your Azure account with Connect-AzAccount, you can perform various resource management tasks in Azure. Below is a command to enumerate resources using PowerShell.

Retrieve Azure Resources

To list all the resources within your Azure subscription, use the following command:

Get-AzResource | Format-Table

This command retrieves a list of all resources available under your account and displays them in a tabular format.

Further Reading

Get Azure resource permission

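# {ResourceId} is a placeholder for the resource's ARM ID; $access_token is an ARM access token
$URI = 'https://management.azure.com/{ResourceId}/providers/Microsoft.Authorization/permissions?api-version=2022-04-01'
$RequestParams = @{
    Method  = 'GET'
    Uri     = $URI
    Headers = @{
        'Authorization' = "Bearer $access_token"
    }
}
# The response wraps the permission entries in a 'value' array
$Permissions = (Invoke-RestMethod @RequestParams).value
$Permissions | fl *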
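The following is an added example, not part of the original notes: it shows how to read the response of the permissions call when reviewing an identity for least privilege. Each entry grants its actions minus its notActions, and an action is effective if any entry grants it. Test-ArmActionAllowed is a hypothetical helper and the sample response is constructed; substitute $Permissions from the call above for real data.

```powershell
# Constructed sample of the 'value' array returned by the permissions endpoint.
$SamplePermissions = @'
[
  { "actions": ["*/read"], "notActions": [], "dataActions": [], "notDataActions": [] },
  { "actions": ["Microsoft.KeyVault/vaults/*"],
    "notActions": ["Microsoft.KeyVault/vaults/delete"],
    "dataActions": [], "notDataActions": [] }
]
'@ | ConvertFrom-Json

function Test-ArmActionAllowed {
    # Hypothetical helper (not an Az cmdlet): evaluates control-plane actions only.
    param(
        [Parameter(Mandatory)][object[]] $Permissions,
        [Parameter(Mandatory)][string]   $Action
    )
    foreach ($entry in $Permissions) {
        # ARM action strings use '*' wildcards, which -like matches case-insensitively.
        $granted  = @($entry.actions    | Where-Object { $Action -like $_ })
        $excluded = @($entry.notActions | Where-Object { $Action -like $_ })
        # notActions only subtracts from the same entry; it is not a deny,
        # so another entry can still grant the action.
        if ($granted.Count -gt 0 -and $excluded.Count -eq 0) { return $true }
    }
    return $false
}

# Actions worth flagging in a review (constructed list).
$ActionsToReview = @(
    'Microsoft.KeyVault/vaults/read',
    'Microsoft.KeyVault/vaults/write',
    'Microsoft.KeyVault/vaults/delete',
    'Microsoft.Authorization/roleAssignments/write'
)

$ActionsToReview | ForEach-Object {
    [pscustomobject]@{
        Action  = $_
        Allowed = Test-ArmActionAllowed -Permissions $SamplePermissions -Action $_
    }
} | Format-Table -AutoSize
```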

For more detailed guidance on managing Azure resources using PowerShell, see the official Azure PowerShell documentation (Microsoft Learn, "What is Azure PowerShell").