{{#include ../../../banners/hacktricks-training.md}}
For more information about VMs check:
{{#ref}} ../az-services/vms/ {{#endref}}
An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed.
An attacker could get access to the instances and backdoor them:
- Using a traditional rootkit for example
- Adding a new public SSH key (check EC2 privesc options)
- Backdooring the User Data
{{#include ../../../banners/hacktricks-training.md}}