Cloud to On-Prem (or vice-versa)
While Moving Around is mostly concerned with moving laterally within the same cloud, here we collect techniques that are suited to moving from the cloud to on-premises (or back).
Hybrid Worker Groups
Automation Accounts can run Runbooks on Hybrid Worker groups. In that case, the task is executed on a computer (typically on-premises) with SYSTEM rights.
This can be abused to move from the cloud to on-premises: Abusing HybridWorkers
Intune Device Management
Intune is the Microsoft MDM solution, which can manage both Linux and Windows clients. An Intune Administrator can designate PowerShell scripts that are automatically deployed to all enrolled clients, which gives that role reach into every managed device at once.
See Abusing Intunes
Application Proxy
The Application Proxy allows an internal application to be exposed to the public internet (while being protected by Azure AD/Entra ID). If an attacker finds a vulnerability in a web site exposed through the Application Proxy, they can execute code on the backend server that hosts it.
For more information see Application Proxies
Hybrid Identity
The different hybrid identity schemes connect a local Active Directory to Azure (Entra ID). Consequently, they allow an attacker to traverse from an Azure environment to the on-prem Active Directory and vice versa.
In addition, Azure supports Seamless SSO, a cloud-based Kerberos endpoint for desktop SSO.
More information in Hybrid Identities