Skip to content

VMs

Jump to bottom
Colby Farley edited this page Apr 23, 2026 · 2 revisions

vms

vms is the virtual machine triage command for host posture, exposure, and identity cues.

Use it when you need to know which VMs deserve review before guest-level inspection or deeper host detail.

What This Command Answers

  • Which virtual machines matter first?
  • Which hosts combine reachability, identity, or stronger operational consequence?
  • Which VM should change what you inspect next?

Run It

ho-azure vms --output table

For saved structured output:

ho-azure vms --output json

Example Table Output

asset type public ips private ips identities
vm-web-01 vm 52.160.10.20 10.0.1.4 /subscriptions/.../providers/Microsoft.ManagedIdentity/...

When To Use It

  • when virtual machines are likely to be the clearest place where cloud control meets host risk
  • when you need to rank hosts before deeper network, identity, or disk follow-up
  • when public IPs, managed identity, or workload importance make one VM stand out

What To Look For

  • populated public_ips
  • populated identity_ids
  • workload cues that suggest the host is central or more consequential than routine internal systems
  • the few hosts whose posture makes deeper network or disk review worth your time

Why It Matters

VMs still sit at the center of both infrastructure control and workload data in many Azure environments.

A VM with a public path, privileged managed identity, or interesting disk relationship can matter more than many lower-signal resources. vms helps you surface those hosts early without crossing into guest-level activity.

What Should Stand Out First

  • visible public exposure first
  • identity-bearing VMs near the top
  • posture cues such as public-IP count and identity context easy to scan
  • enough summary to show why a host matters before deeper joins

If You See..., Go Next To...

  • If you see a VM with public_ips populated, go next to Network-Effective because it shows the combined endpoint and inbound-rule evidence behind that host.
  • If you see a VM with identity_ids populated, go next to Managed-Identities because it shows whether that host is also an Azure token path.
  • If the VM already looks like a strong review target and you need the disk-backed path behind it, go next to Snapshots-Disks because it shows the offline-copy paths behind that workload.

What To Do Next

  • Start with the hosts that combine reachability and Azure identity.
  • Treat public VMs as workload plus control-plane questions, not just network findings.
  • Use this command to decide whether your next step belongs in network posture, managed identity, or disk-backed follow-up.

Loot Behavior

Loot currently keeps the top-ranked rows for this command. That ordering is useful, but it is not yet a shipped semantic high / medium / low analyst contract unless the command explicitly labels rows with a defended priority contract.

Boundary

vms is a VM posture and prioritization command.

It should rank the virtual machines that most deserve follow-up first. It is not guest command execution, filesystem inspection, or host forensics.

HarrierOps Azure Wiki

Core
Identity
Config
Secrets
Storage
Resource
Network
Compute
Orchestration

Chain Families

Investigations
Reference

Clone this wiki locally