This post is part 2 in the Hunting Azure Admins for Vertical Escalation series. Part 1 of this series detailed the usage and functionality of Azure authentication tokens, file locations that cache the tokens during a user session (“%USERPROFILE%\.Azure\TokenCache.dat”), methods for locating user exported Azure context files

In this post, we will look at a rather simple, but important procedure when attacking organizations that leverage cloud providers such as Microsoft Azure. There is a lot of excellent public research on attacking Azure, however, most research tends to focus on tactics that assume you have first obtained some