diff --git a/SUMMARY.md b/SUMMARY.md
index 9e232de7d2..1a58190300 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -430,6 +430,11 @@
* [Az - Phishing Primary Refresh Token (Microsoft Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md)
* [Az - Processes Memory Access Token](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md)
* [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
+ * [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
+ * [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
+ * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
+ * [Az - Authorization Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)
+ * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md)
* [Az - Persistence](pentesting-cloud/azure-security/az-persistence.md)
* [Az - Device Registration](pentesting-cloud/azure-security/az-device-registration.md)
* [Az - Entra ID (formerly AzureAD - AAD)](pentesting-cloud/azure-security/az-azuread/README.md)
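Review bot: as shown, the five new entries sit at the same indentation as the surrounding top-level `Az -` pages, so `Az - Key Vault Post Exploitation`, `Az - Authorization Privesc` and `Az - Key Vault Privesc` would render in the GitBook sidebar as siblings of their `README.md` parents instead of children; indent each child entry one level deeper than its parent (`* [Az - Post Exploitation](.../az-post-exploitation/README.md)` followed by an indented `* [Az - Key Vault Post Exploitation](.../az-key-vault-post-exploitation.md)`, same for the two privesc pages) so the new sections collapse under their README pages.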
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/README.md b/pentesting-cloud/azure-security/az-post-exploitation/README.md
new file mode 100644
index 0000000000..cc0b53da54
--- /dev/null
+++ b/pentesting-cloud/azure-security/az-post-exploitation/README.md
@@ -0,0 +1,2 @@
+# Az - Post Exploitation
+
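Review bot: the new `az-post-exploitation/README.md` contains only the `# Az - Post Exploitation` heading, so the parent page that SUMMARY.md now links to renders empty; add a one-sentence intro and a `{% content-ref url="az-key-vault-post-exploitation.md" %}` block pointing at the child page, the same cross-reference convention the other pages in this patch already use.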
diff --git a/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
new file mode 100644
index 0000000000..2064388e4d
--- /dev/null
+++ b/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
@@ -0,0 +1,147 @@
+# Az - Key Vault Post Exploitation
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
+
+## Azure Key Vault
+
+For more information about this service check:
+
+{% content-ref url="../az-services/keyvault.md" %}
+[keyvault.md](../az-services/keyvault.md)
+{% endcontent-ref %}
+
+### Microsoft.KeyVault/vaults/secrets/getSecret/action
+
+This permission will allow a principal to read the secret value of secrets:
+
+{% code overflow="wrap" %}
+```bash
+az keyvault secret show --vault-name --name
+
+# Get old version secret value
+az keyvault secret show --id https://.vault.azure.net/secrets//
+```
+{% endcode %}
+
+### **Microsoft.KeyVault/vaults/certificates/purge/action**
+
+This permission allows a principal to permanently delete a certificate from the vault.
+
+```bash
+az keyvault certificate purge --vault-name --name
+```
+
+### **Microsoft.KeyVault/vaults/keys/encrypt/action**
+
+This permission allows a principal to encrypt data using a key stored in the vault.
+
+{% code overflow="wrap" %}
+```bash
+az keyvault key encrypt --vault-name --name --algorithm --value
+
+# Example
+echo "HackTricks" | base64 # SGFja1RyaWNrcwo=
+az keyvault key encrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value SGFja1RyaWNrcwo=
+```
+{% endcode %}
+
+### **Microsoft.KeyVault/vaults/keys/decrypt/action**
+
+This permission allows a principal to decrypt data using a key stored in the vault.
+
+{% code overflow="wrap" %}
+```bash
+az keyvault key decrypt --vault-name --name --algorithm --value
+
+# Example
+az keyvault key decrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value "ISZ+7dNcDJXLPR5MkdjNvGbtYK3a6Rg0ph/+3g1IoUrCwXnF791xSF0O4rcdVyyBnKRu0cbucqQ/+0fk2QyAZP/aWo/gaxUH55pubS8Zjyw/tBhC5BRJiCtFX4tzUtgTjg8lv3S4SXpYUPxev9t/9UwUixUlJoqu0BgQoXQhyhP7PfgAGsxayyqxQ8EMdkx9DIR/t9jSjv+6q8GW9NFQjOh70FCjEOpYKy9pEGdLtPTrirp3fZXgkYfIIV77TXuHHdR9Z9GG/6ge7xc9XT6X9ciE7nIXNMQGGVCcu3JAn9BZolb3uL7PBCEq+k2rH4tY0jwkxinM45tg38Re2D6CEA==" # This is the result from the previous encryption
+```
+{% endcode %}
+
+### **Microsoft.KeyVault/vaults/keys/purge/action**
+
+This permission allows a principal to permanently delete a key from the vault.
+
+```bash
+az keyvault key purge --vault-name --name
+```
+
+### **Microsoft.KeyVault/vaults/secrets/purge/action**
+
+This permission allows a principal to permanently delete a secret from the vault.
+
+```bash
+az keyvault secret purge --vault-name --name
+```
+
+### **Microsoft.KeyVault/vaults/secrets/setSecret/action**
+
+This permission allows a principal to create or update a secret in the vault.
+
+{% code overflow="wrap" %}
+```bash
+az keyvault secret set --vault-name --name --value
+```
+{% endcode %}
+
+### **Microsoft.KeyVault/vaults/certificates/delete**
+
+This permission allows a principal to delete a certificate from the vault. The certificate is moved to the "soft-delete" state, where it can be recovered unless purged.
+
+{% code overflow="wrap" %}
+```bash
+az keyvault certificate delete --vault-name --name
+```
+{% endcode %}
+
+### **Microsoft.KeyVault/vaults/keys/delete**
+
+This permission allows a principal to delete a key from the vault. The key is moved to the "soft-delete" state, where it can be recovered unless purged.
+
+```bash
+az keyvault key delete --vault-name --name
+```
+
+### **Microsoft.KeyVault/vaults/secrets/delete**
+
+This permission allows a principal to delete a secret from the vault. The secret is moved to the "soft-delete" state, where it can be recovered unless purged.
+
+```bash
+az keyvault secret delete --vault-name --name
+```
+
+### Microsoft.KeyVault/vaults/secrets/restore/action
+
+This permission allows a principal to restore a secret from a backup.
+
+```bash
+az keyvault secret restore --vault-name --file
+```
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
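Review bot: every `az keyvault` command on this page is missing its argument placeholders, e.g. `az keyvault secret show --vault-name --name` and `az keyvault secret show --id https://.vault.azure.net/secrets//`, so none of them run as written; restore `<vault-name>`, `<secret-name>` and `<version>` tokens (or concrete example values like the `testing-1231234` vault used in the encrypt/decrypt examples). Two caveats the reader needs are also absent: the three `purge/action` sections (`certificates/purge`, `keys/purge`, `secrets/purge`) should say that the purge is refused while the vault has purge protection enabled, which is exactly the behaviour the 'Deletion Protection' section added to `keyvault.md` in this same patch describes; and the page should state up front that these `Microsoft.KeyVault/vaults/...` data actions are only evaluated when the vault uses the RBAC permission model, since `az-key-vault-privesc.md` in this patch already points out that access-policy vaults are governed differently. Minor: 'read the secret value of secrets' reads better as 'read the value of secrets'.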
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/pentesting-cloud/azure-security/az-privilege-escalation/README.md
new file mode 100644
index 0000000000..1aa36a8cfd
--- /dev/null
+++ b/pentesting-cloud/azure-security/az-privilege-escalation/README.md
@@ -0,0 +1,2 @@
+# Az - Privilege Escalation
+
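Review bot: same problem as the post-exploitation README: `az-privilege-escalation/README.md` is an empty stub, so the parent entry in SUMMARY.md leads to a page with nothing but a title; add a short intro plus `{% content-ref %}` blocks for `az-authorization-privesc.md` and `az-key-vault-privesc.md`.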
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
new file mode 100644
index 0000000000..0089aaefb0
--- /dev/null
+++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
@@ -0,0 +1,42 @@
+# Az - Authorization Privesc
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
+
+### Microsoft.Authorization/roleAssignments/write
+
+This permission allows to assign roles to principals over a specific scope:
+
+{% code overflow="wrap" %}
+```bash
+# Example
+az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
+```
+{% endcode %}
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
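Review bot: the section says what `Microsoft.Authorization/roleAssignments/write` does but never says why it is a privilege escalation, which is the point of the page. Around the example `az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope ".../providers/Microsoft.KeyVault/vaults/testing-1231234"` add that the assignee can be the attacker's own principal (the object ID obtained with `az ad signed-in-user show --query id --output tsv`, as `az-key-vault-privesc.md` in this patch does), that roles can be granted at the scope where the permission is held and at any scope beneath it, and that holding it at subscription or management-group scope therefore yields Owner over everything below. Also fix 'This permission allows to assign roles' to 'This permission allows a principal to assign roles', and give the page the `## ` parent heading the sibling pages use instead of starting at `###`.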
diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
new file mode 100644
index 0000000000..fb56c28c1a
--- /dev/null
+++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md
@@ -0,0 +1,60 @@
+# Az - Key Vault Privesc
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
+
+## Azure Key Vault
+
+For more information about this service check:
+
+{% content-ref url="../az-services/keyvault.md" %}
+[keyvault.md](../az-services/keyvault.md)
+{% endcontent-ref %}
+
+### Microsoft.KeyVault/vaults/write
+
+An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC).
+
+```bash
+# If access policies in the output, then you can abuse it
+az keyvault show --name
+
+# Get current principal ID
+az ad signed-in-user show --query id --output tsv
+
+# Assign all permissions
+az keyvault set-policy \
+ --name \
+ --object-id \
+ --key-permissions all \
+ --secret-permissions all \
+ --certificate-permissions all \
+ --storage-permissions all
+```
+
+{% hint style="success" %}
+Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
+Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
+
+
+
+Support HackTricks
+
+* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
+* **Join the** π¬ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** π¦ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
+* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
+
+
+{% endhint %}
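Review bot: the check `az keyvault show --name` with the comment 'If access policies in the output, then you can abuse it' should name the field that decides it: the vault is in access-policy mode when `properties.enableRbacAuthorization` is `false` or absent, so `az keyvault show --name <vault> --query properties.enableRbacAuthorization` gives a direct answer; when it is `true`, the `set-policy` call has no effect on data-plane access, which is what the parenthetical '(the key vault must be using access policies instead of RBAC)' is getting at and deserves to be spelled out. Second, `az ad signed-in-user show --query id` only works when the CLI session is a user; from a compromised service principal or managed identity the object ID has to come from elsewhere (e.g. `az ad sp show --id <appId> --query id`), which is the common case in the post-exploitation scenario this page targets. Same missing-placeholder issue as the post-exploitation page: `--name`, `--object-id` and the `az keyvault show --name` line have no values.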
diff --git a/pentesting-cloud/azure-security/az-services/keyvault.md b/pentesting-cloud/azure-security/az-services/keyvault.md
index fa1444b1b1..f4a5b4c210 100644
--- a/pentesting-cloud/azure-security/az-services/keyvault.md
+++ b/pentesting-cloud/azure-security/az-services/keyvault.md
@@ -17,19 +17,26 @@ Learn & practice GCP Hacking:
@@ -58,9 +65,49 @@ az keyvault show --name name-vault --query networkAcls
The previous command will display the f**irewall settings of `name-vault`**, including enabled IP ranges and policies for denied traffic.
+Moreover, it's possible to create a **private endpoint** to allow a private connection to a vault.
+
+### Deletion Protection
+
+When a key vault is created the minimum number of days to allow for deletion is 7. Which means that whenever you try to delete that key vault it'll need **at least 7 days to be deleted**.
+
+However, it's possible to create a vault with **purge protection disabled** which allow key vault and objects to be purged during retention period. Although, once this protection is enabled for a vault it cannot be disabled.
+
## Enumeration
{% tabs %}
+{% tab title="az" %}
+{% code overflow="wrap" %}
+```bash
+# List all Key Vaults in the subscription
+az keyvault list
+# List Key Vaults in a specific Resource Group
+az keyvault list --resource-group
+# Show details of a specific Key Vault
+az keyvault show --name # If accessPolicies, you can see them here
+# List all keys in a Key Vault
+az keyvault key list --vault-name
+# List all secrets in a Key Vault
+az keyvault secret list --vault-name
+# Get versions of a secret
+az keyvault secret list-versions --vault-name --name
+# List all certificates in a Key Vault
+az keyvault certificate list --vault-name
+# List all deleted Key Vaults in the subscription
+az keyvault list-deleted
+# Get properties of a deleted Key Vault
+az keyvault show-deleted --name
+# Get assigned roles
+az role assignment list --include-inherited --scope "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"
+
+# Get secret value
+az keyvault secret show --vault-name --name
+# Get old versions secret value
+az keyvault secret show --id https://.vault.azure.net/secrets//
+```
+{% endcode %}
+{% endtab %}
+
{% tab title="Az Powershell" %}
{% code overflow="wrap" %}
```powershell
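Review bot: the 'Deletion Protection' section conflates two settings. The '7 days' figure is the soft-delete retention period (`--retention-days`, 7 to 90), which controls how long a deleted vault or object stays recoverable, not 'the minimum number of days to allow for deletion'; purge protection is the separate flag that blocks `purge` during that period. Suggested wording: 'Soft-delete keeps deleted vaults and objects recoverable for a retention period of 7 to 90 days. If purge protection is enabled, nothing can be purged before that period ends, and once enabled it cannot be turned off.' Also 'Although, once this protection is enabled' should read 'However, once ...', and 'which allow key vault and objects to be purged' should be 'which allows the key vault and its objects to be purged'. In the new `az` tab, `az role assignment list --include-inherited --scope "/subscriptions//resourceGroups//providers/Microsoft.KeyVault/vaults/"` has empty path segments, and every `--vault-name`/`--name` lacks a value; add `<sub-id>`, `<rg>`, `<vault>` style placeholders so the commands are copy-pasteable.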
@@ -71,17 +118,25 @@ curl "$IDENTITY_ENDPOINT?resource=https://vault.azure.net&api-version=2017-09-01
## $token from management API
Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387 -KeyVaultAccessToken $keyvaulttoken
-# List vaults
-Get-AzKeyVault
-# Get secrets names from the vault
-Get-AzKeyVaultSecret -VaultName
+# Get details of a specific Key Vault
+Get-AzKeyVault -VaultName
+# List all keys in a Key Vault
+Get-AzKeyVaultKey -VaultName
+# List all secrets in a Key Vault
+Get-AzKeyVaultSecret -VaultName
+# List all certificates in a Key Vault
+Get-AzKeyVaultCertificate -VaultName
+# List all deleted Key Vaults in the subscription
+Get-AzKeyVault -InRemovedState
+# Get properties of a deleted Key Vault
+Get-AzKeyVault -VaultName -InRemovedState
# Get secret values
-Get-AzKeyVaultSecret -VaultName -Name βAsPlainText
+Get-AzKeyVaultSecret -VaultName -Name -AsPlainText
```
{% endcode %}
{% endtab %}
-{% tab title="az" %}
+{% tab title="az script" %}
```bash
#!/bin/bash
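Review bot: this hunk removes the bare `Get-AzKeyVault` (the `# List vaults` line) and replaces it with `Get-AzKeyVault -VaultName`, so the PowerShell tab loses the ability to enumerate all vaults in the subscription while the `az` tab keeps `az keyvault list`; keep a parameterless `Get-AzKeyVault` line ahead of the per-vault command. The `βAsPlainText` to `-AsPlainText` correction is a good catch. The `-VaultName`/`-Name` parameters are missing their placeholder values here too, and while touching this block the pre-existing context line `Connect-AzAccount -AccessToken $token -AccountId 1937ea5938eb-10eb-a365-10abede52387` carries an ID that is not GUID-shaped (8-4-4-4-12); replace it with an obvious `<account-id>` placeholder.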
@@ -125,6 +180,18 @@ done
{% endtab %}
{% endtabs %}
+## Privilege Escalation
+
+{% content-ref url="../az-privilege-escalation/az-key-vault-privesc.md" %}
+[az-key-vault-privesc.md](../az-privilege-escalation/az-key-vault-privesc.md)
+{% endcontent-ref %}
+
+## Post Exploitation
+
+{% content-ref url="../az-post-exploitation/az-key-vault-post-exploitation.md" %}
+[az-key-vault-post-exploitation.md](../az-post-exploitation/az-key-vault-post-exploitation.md)
+{% endcontent-ref %}
+
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)