LOLCloud

Access Activity Logs

az monitor activity-log list

List Key Vault Keys

az keyvault key list --vault-name [vault_name]

List Resource Groups

az group list --output table

List SQL Servers

az sql server list

Enumerate Public IP Addresses

az network public-ip list --output table

List All Role Assignments

az role assignment list --all

Enumerate Storage Account Access Keys

az storage account keys list --account-name [account_name]

List Network Security Groups

az network nsg list --output table

Get Active Directory User

Get-AzADUser -DisplayName [UserName]

Enumerate Virtual Network Subnets

az network vnet subnet list --resource-group [RG_NAME] --vnet-name [VNET_NAME]

Check Key Vault Access Policies

az keyvault show --name [VAULT_NAME] --query "properties.accessPolicies"

List SQL Servers in Subscription

az sql server list

Access Managed Identity Token

curl -H "Metadata:true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-01&resource=https://management.azure.com"

View Storage Account Keys

az storage account keys list --account-name [ACCOUNT_NAME]

Identify Public-Facing IPs

az network public-ip list --query "[].ipAddress"

List Web App Configurations

az webapp config appsettings list --name [APP_NAME] --resource-group [RG_NAME]

Check Azure Function App Settings

az functionapp config appsettings list --name [FUNCTION_NAME] --resource-group [RG_NAME]

List Load Balancer Rules

az network lb rule list --resource-group [RG_NAME] --lb-name [LB_NAME]

Get Network Interface Info

az network nic show --ids [NIC_ID]

Enumerate Service Principals

az ad sp list --all --query "[].displayName"

Create Service Principal

az ad sp create-for-rbac --name [SERVICE_PRINCIPAL_NAME] --role contributor --scopes /subscriptions/[SUBSCRIPTION_ID]

Assign Role to Service Principal

az role assignment create --assignee [SP_ID] --role contributor --scope /subscriptions/[SUBSCRIPTION_ID]

List Service Principal Permissions

az ad sp show --id [SERVICE_PRINCIPAL_ID]

Generate SSH Key for VM Access

ssh-keygen -t rsa -b 2048 -f ~/.ssh/azure_key

Upload SSH Key to VM

az vm user update --resource-group [RG_NAME] --name [VM_NAME] --username [USERNAME] --ssh-key-value ~/.ssh/azure_key.pub

SSH into VM

ssh -i ~/.ssh/azure_key [USERNAME]@[VM_PUBLIC_IP]

Upload File to VM over SSH

scp -i ~/.ssh/azure_key ~/localfile.txt [USERNAME]@[VM_PUBLIC_IP]:~/remotefile.txt

List Role Assignments for User

az role assignment list --assignee [USER_ID]

Create New User in Active Directory

az ad user create --display-name "[DISPLAY_NAME]" --password "[PASSWORD]" --user-principal-name [USER_NAME]

Set User Account Permissions

az role assignment create --assignee [USER_ID] --role reader --scope /subscriptions/[SUBSCRIPTION_ID]

Technique/Command Name	Command	Reference
List Instances	`gcloud compute instances list`	GCP Docs
List IAM Policies	`gcloud projects get-iam-policy PROJECT_ID`	GCP Docs
List Firewall Rules	`gcloud compute firewall-rules list`	GCP Docs
View Audit Logs	`gcloud logging read "logName=projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"`	GCP Docs
List Cloud Storage Buckets	`gsutil ls`	GCP Docs
List API Services	`gcloud services list --available`	GCP Docs
Get Service Account Tokens	`gcloud auth print-access-token --impersonate-service-account [email]`	GCP Docs
Check IAM Policies for Project	`gcloud projects get-iam-policy [project-id] --flatten="bindings[].members"`	GCP Docs
List VPC Networks	`gcloud compute networks list`	GCP Docs
Enumerate IAM Roles	`gcloud iam roles list`	GCP Docs
View Service Account Key	`gcloud iam service-accounts keys list --iam-account [SERVICE_ACCOUNT_EMAIL]`	GCP Docs
Retrieve Metadata Token	`curl -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"`	GCP Docs
List Cloud Functions	`gcloud functions list`	GCP Docs
Get Secret Value	`gcloud secrets versions access latest --secret=[SECRET_NAME]`	GCP Docs
Access Project IAM Policy	`gcloud projects get-iam-policy [PROJECT_ID]`	GCP Docs
Enable Service Account Impersonation	`gcloud auth print-access-token --impersonate-service-account [SERVICE_ACCOUNT_EMAIL]`	GCP Docs
List VPC Networks	`gcloud compute networks list`	GCP Docs
List Compute Instances with Details	`gcloud compute instances describe [INSTANCE_NAME] --zone=[ZONE]`	GCP Docs
Access Logs for Activity	`gcloud logging read "resource.type=gce_instance"`	GCP Docs
Create Service Account	`gcloud iam service-accounts create [SERVICE_ACCOUNT_NAME] --display-name="Service Account for Red Team"`	GCP Docs
Assign Role to Service Account	`gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" --role="roles/editor"`	GCP Docs
Create Service Account Key	`gcloud iam service-accounts keys create ~/key.json --iam-account [SERVICE_ACCOUNT_EMAIL]`	GCP Docs
Enable SSH Access on Instance	`gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]`	GCP Docs
Connect to Instance with SSH Key	`gcloud compute ssh [INSTANCE_NAME] --zone [ZONE] --ssh-key-file=~/.ssh/[YOUR_KEY]`	GCP Docs
List Active SSH Connections	`gcloud compute instances get-serial-port-output [INSTANCE_NAME] --zone [ZONE]`	GCP Docs
Upload File to Instance via SSH	`gcloud compute scp ~/localfile.txt [INSTANCE_NAME]:~/remotefile.txt --zone [ZONE]`	GCP Docs
Set Metadata for SSH Access	`gcloud compute project-info add-metadata --metadata ssh-keys="[USERNAME]:ssh-rsa [KEY]"`	GCP Docs
List Service Account Permissions	`gcloud projects get-iam-policy [PROJECT_ID] --filter="bindings.members:[SERVICE_ACCOUNT_EMAIL]"`	GCP Docs
Delete Service Account Key	`gcloud iam service-accounts keys delete [KEY_ID] --iam-account [SERVICE_ACCOUNT_EMAIL]`	GCP Docs

Technique/Command Name

Command

Reference

List Instances

gcloud compute instances list

List IAM Policies

gcloud projects get-iam-policy PROJECT_ID

List Firewall Rules

gcloud compute firewall-rules list

View Audit Logs

gcloud logging read "logName=projects/[PROJECT_ID]/logs/cloudaudit.googleapis.com%2Factivity"

List Cloud Storage Buckets

gsutil ls

List API Services

gcloud services list --available

Get Service Account Tokens

gcloud auth print-access-token --impersonate-service-account [email]

Check IAM Policies for Project

gcloud projects get-iam-policy [project-id] --flatten="bindings[].members"

List VPC Networks

gcloud compute networks list

Enumerate IAM Roles

gcloud iam roles list

View Service Account Key

gcloud iam service-accounts keys list --iam-account [SERVICE_ACCOUNT_EMAIL]

Retrieve Metadata Token

curl -H "Metadata-Flavor: Google" "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token"

List Cloud Functions

gcloud functions list

Get Secret Value

gcloud secrets versions access latest --secret=[SECRET_NAME]

Access Project IAM Policy

gcloud projects get-iam-policy [PROJECT_ID]

Enable Service Account Impersonation

gcloud auth print-access-token --impersonate-service-account [SERVICE_ACCOUNT_EMAIL]

List VPC Networks

gcloud compute networks list

List Compute Instances with Details

gcloud compute instances describe [INSTANCE_NAME] --zone=[ZONE]

Access Logs for Activity

gcloud logging read "resource.type=gce_instance"

Create Service Account

gcloud iam service-accounts create [SERVICE_ACCOUNT_NAME] --display-name="Service Account for Red Team"

Assign Role to Service Account

gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" --role="roles/editor"

Create Service Account Key

gcloud iam service-accounts keys create ~/key.json --iam-account [SERVICE_ACCOUNT_EMAIL]

Enable SSH Access on Instance

gcloud compute ssh [INSTANCE_NAME] --zone [ZONE]

Connect to Instance with SSH Key

gcloud compute ssh [INSTANCE_NAME] --zone [ZONE] --ssh-key-file=~/.ssh/[YOUR_KEY]

List Active SSH Connections

gcloud compute instances get-serial-port-output [INSTANCE_NAME] --zone [ZONE]

Upload File to Instance via SSH

gcloud compute scp ~/localfile.txt [INSTANCE_NAME]:~/remotefile.txt --zone [ZONE]

Set Metadata for SSH Access

gcloud compute project-info add-metadata --metadata ssh-keys="[USERNAME]:ssh-rsa [KEY]"

List Service Account Permissions

gcloud projects get-iam-policy [PROJECT_ID] --filter="bindings.members:[SERVICE_ACCOUNT_EMAIL]"

Delete Service Account Key

gcloud iam service-accounts keys delete [KEY_ID] --iam-account [SERVICE_ACCOUNT_EMAIL]

Technique/Command Name	Command	Reference
List EC2 Instances	`aws ec2 describe-instances`	AWS Docs
List IAM Policies	`aws iam list-policies`	AWS Docs
Get Account Summary	`aws iam get-account-summary`	AWS Docs
List CloudWatch Log Groups	`aws logs describe-log-groups`	AWS Docs
List Elastic Load Balancers	`aws elb describe-load-balancers`	AWS Docs
List Security Groups	`aws ec2 describe-security-groups`	AWS Docs
Describe Lambda Functions	`aws lambda list-functions`	AWS Docs
Get RDS Instances	`aws rds describe-db-instances`	AWS Docs
CloudTrail Event Lookup	`aws cloudtrail lookup-events`	AWS Docs
List S3 Buckets	`aws s3 ls`	AWS Docs
Enumerate IAM Users	`aws iam list-users`	AWS Docs
List Security Groups	`aws ec2 describe-security-groups`	AWS Docs
Retrieve Metadata (EC2)	`curl http://169.254.169.254/latest/meta-data/`	AWS Docs
Assume IAM Role	`aws sts assume-role --role-arn [role-arn] --role-session-name session_name`	AWS Docs
Get Account Details	`aws sts get-caller-identity`	AWS Docs
List Access Keys for IAM User	`aws iam list-access-keys --user-name [username]`	AWS Docs
Describe Network Interfaces	`aws ec2 describe-network-interfaces`	AWS Docs
List VPCs	`aws ec2 describe-vpcs`	AWS Docs
IAM Role Policy	`aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]`	AWS Docs
Download S3 Object	`aws s3 cp s3://bucket-name/key /local-path`	AWS Docs
Describe Route Tables	`aws ec2 describe-route-tables`	AWS Docs
Check IAM Policies	`aws iam list-attached-user-policies --user-name [username]`	AWS Docs
Create IAM User	`aws iam create-user --user-name [USER_NAME]`	AWS Docs
Attach Policy to User	`aws iam attach-user-policy --user-name [USER_NAME] --policy-arn arn:aws:iam::aws:policy/[POLICY_NAME]`	AWS Docs
Create Access Key for User	`aws iam create-access-key --user-name [USER_NAME]`	AWS Docs
Assign IAM Role to EC2 Instance	`aws ec2 associate-iam-instance-profile --instance-id [INSTANCE_ID] --iam-instance-profile Name=[PROFILE_NAME]`	AWS Docs
Connect to EC2 Instance via SSH	`ssh -i [YOUR_KEY.pem] ec2-user@[INSTANCE_PUBLIC_DNS]`	AWS Docs
Upload File to EC2 Instance via SCP	`scp -i [YOUR_KEY.pem] localfile.txt ec2-user@[INSTANCE_PUBLIC_DNS]:~/remotefile.txt`	AWS Docs
Describe IAM Policies for Role	`aws iam list-attached-role-policies --role-name [ROLE_NAME]`	AWS Docs
Delete IAM User	`aws iam delete-user --user-name [USER_NAME]`	AWS Docs
List EC2 Instances by Tags	`aws ec2 describe-instances --filters "Name=tag:Name,Values=[TAG_NAME]"`	AWS Docs
Rotate Access Key for IAM User	`aws iam create-access-key --user-name [USER_NAME]`	AWS Docs
Describe Security Group Rules	`aws ec2 describe-security-groups --group-ids [GROUP_ID]`	AWS Docs
Update IAM Role Trust Policy	`aws iam update-assume-role-policy --role-name [ROLE_NAME] --policy-document file://trust-policy.json`	AWS Docs

Technique/Command Name

Command

Reference

List EC2 Instances

aws ec2 describe-instances

List IAM Policies

aws iam list-policies

Get Account Summary

aws iam get-account-summary

List CloudWatch Log Groups

aws logs describe-log-groups

List Elastic Load Balancers

aws elb describe-load-balancers

List Security Groups

aws ec2 describe-security-groups

Describe Lambda Functions

aws lambda list-functions

Get RDS Instances

aws rds describe-db-instances

CloudTrail Event Lookup

aws cloudtrail lookup-events

List S3 Buckets

aws s3 ls

Enumerate IAM Users

aws iam list-users

List Security Groups

aws ec2 describe-security-groups

Retrieve Metadata (EC2)

curl http://169.254.169.254/latest/meta-data/

Assume IAM Role

aws sts assume-role --role-arn [role-arn] --role-session-name session_name

Get Account Details

aws sts get-caller-identity

List Access Keys for IAM User

aws iam list-access-keys --user-name [username]

Describe Network Interfaces

aws ec2 describe-network-interfaces

List VPCs

aws ec2 describe-vpcs

IAM Role Policy

aws iam get-role-policy --role-name [role-name] --policy-name [policy-name]

Download S3 Object

aws s3 cp s3://bucket-name/key /local-path

Describe Route Tables

aws ec2 describe-route-tables

Check IAM Policies

aws iam list-attached-user-policies --user-name [username]

Create IAM User

aws iam create-user --user-name [USER_NAME]

Attach Policy to User

aws iam attach-user-policy --user-name [USER_NAME] --policy-arn arn:aws:iam::aws:policy/[POLICY_NAME]

Create Access Key for User

aws iam create-access-key --user-name [USER_NAME]

Assign IAM Role to EC2 Instance

aws ec2 associate-iam-instance-profile --instance-id [INSTANCE_ID] --iam-instance-profile Name=[PROFILE_NAME]

Connect to EC2 Instance via SSH

ssh -i [YOUR_KEY.pem] ec2-user@[INSTANCE_PUBLIC_DNS]

Upload File to EC2 Instance via SCP

scp -i [YOUR_KEY.pem] localfile.txt ec2-user@[INSTANCE_PUBLIC_DNS]:~/remotefile.txt

Describe IAM Policies for Role

aws iam list-attached-role-policies --role-name [ROLE_NAME]

Delete IAM User

aws iam delete-user --user-name [USER_NAME]

List EC2 Instances by Tags

aws ec2 describe-instances --filters "Name=tag:Name,Values=[TAG_NAME]"

Rotate Access Key for IAM User

aws iam create-access-key --user-name [USER_NAME]

Describe Security Group Rules

aws ec2 describe-security-groups --group-ids [GROUP_ID]

Update IAM Role Trust Policy

aws iam update-assume-role-policy --role-name [ROLE_NAME] --policy-document file://trust-policy.json