← LibraryTechnique entry
C-AZ-CLOUDSHELLCredential Access
Azure Cloud Shell Token Theft
Cloud Shell session writes a refresh token to /home/<user>/.azure on the underlying VM — exfil and reuse.
§ Where this technique fits
C-AZ-CLOUDSHELL is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 0 approved dossiers in the registry, typically.