How to Assess and Respond to Your Assets In The Cloud?

Analyze your Azure and AWS virtual machines from one command.

Matt Suiche
Comae Technologies
May 5, 2019


We recently made some additions to our PowerShell interface that let users with a valid account run DumpIt on their remote machines: virtual machines (VMs) on Microsoft Azure or Amazon AWS, as well as machines with PowerShell Remoting enabled.

The whole workflow, from capture to analysis, is now handled as described in the diagram below. This is another novel way to speed up the investigation of Windows machines, especially in cloud set-ups.

Get your Stardust report on your VMs from one PowerShell command-line

The three new commands are:

  • Invoke-ComaeAzVMWinAnalyze for Microsoft Azure virtual machines.
  • Invoke-ComaeAwsVMWinAnalyze for Amazon AWS virtual machines.
  • Invoke-ComaeADWinAnalyze for on-premise machines.

For each of those commands, the user needs to provide Comae credentials (ClientId and ClientSecret), which are used to download DumpIt and to send the machine's memory image to the user's Comae Stardust account.

Get Started

First of all, to have access to all the Comae functions you need to import the Comae.ps1 module, either from GitHub or from the Comae Toolkit archive, where it should be in the same folder as DumpIt.exe.

Import-Module .\Comae.ps1

Microsoft Azure

Function Invoke-ComaeAzVMWinAnalyze(
    [Parameter(Mandatory = $True)] [string] $ClientId,
    [Parameter(Mandatory = $True)] [string] $ClientSecret,
    [Parameter(Mandatory = $True)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $True)] [string] $VMName
)



In the case of Microsoft Azure, the user needs to provide the name of the resource group (ResourceGroupName) and the name of the virtual machine (VMName) whose memory will be acquired by DumpIt and analyzed by Stardust.

The Azure credentials will be requested through a pop-up unless the user is already logged in with Connect-AzAccount from the new Azure PowerShell module.


Invoke-ComaeAzVMWinAnalyze -ResourceGroupName "test-group" -VMName "TestMachine" -ClientId "xxxxxxxxxxxxxx" -ClientSecret "yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy"
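The following added example (not part of the original post or of Comae's code) runs the Azure command over every running Windows VM in a resource group and prompts for the Comae credentials with Get-Credential, so the secret is not typed as a literal on the command line where console history or transcription can record it. The wrapper name Invoke-ComaeAzGroupTriage, its result fields, and the use of Get-AzVM -Status to pick targets are assumptions.

```powershell
# Added example. Assumes Comae.ps1 is in the current folder and the Az module is installed.
# Invoke-ComaeAzGroupTriage and its result fields are hypothetical, not part of Comae.ps1.
Import-Module .\Comae.ps1

function Invoke-ComaeAzGroupTriage {
    param(
        [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
        # UserName carries the Comae ClientId, Password carries the ClientSecret.
        [Parameter(Mandatory = $true)] [pscredential] $ComaeCredential
    )

    # Turn non-terminating errors into exceptions so the try/catch below sees them.
    $ErrorActionPreference = 'Stop'

    # Log in to Azure once up front so the pop-up does not appear for each VM.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

    $clientId     = $ComaeCredential.UserName
    $clientSecret = $ComaeCredential.GetNetworkCredential().Password

    # -Status adds the PowerState property; the commands target Windows machines.
    $vms = Get-AzVM -ResourceGroupName $ResourceGroupName -Status |
        Where-Object { $_.StorageProfile.OsDisk.OsType -eq 'Windows' }

    foreach ($vm in $vms) {
        $row = [ordered]@{ VMName = $vm.Name; PowerState = $vm.PowerState; Result = 'Skipped (not running)'; Output = $null }
        if ($vm.PowerState -eq 'VM running') {
            try {
                $row.Output = Invoke-ComaeAzVMWinAnalyze -ResourceGroupName $ResourceGroupName `
                    -VMName $vm.Name -ClientId $clientId -ClientSecret $clientSecret
                $row.Result = 'Submitted'
            }
            catch {
                # Keep going: one unreachable VM should not stop the rest of the triage.
                $row.Result = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# Prompt for the Comae credentials instead of embedding them in the command.
$cred = Get-Credential -Message 'Comae ClientId (user name) and ClientSecret (password)'
Invoke-ComaeAzGroupTriage -ResourceGroupName 'test-group' -ComaeCredential $cred |
    Format-Table VMName, PowerState, Result -AutoSize
```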

Amazon AWS

Function Invoke-ComaeAwsVMWinAnalyze(
    [Parameter(Mandatory = $True)] [string] $ClientId,
    [Parameter(Mandatory = $True)] [string] $ClientSecret,
    [Parameter(Mandatory = $False)] [string] $AccessKey,
    [Parameter(Mandatory = $False)] [string] $SecretKey,
    [Parameter(Mandatory = $True)] [string] $Region,
    [Parameter(Mandatory = $True)] [string] $InstanceId
)



Just like in the Azure scenario, the user needs to provide their Comae credentials (ClientId, ClientSecret). Authentication to AWS is done with the AWS credentials (AccessKey, SecretKey), and the required virtual machine information is the region (Region) and the identifier of the remote AWS instance (InstanceId).

PowerShell Remoting

Function Invoke-ComaeADWinAnalyze(
    [Parameter(Mandatory = $True)] [string] $ClientId,
    [Parameter(Mandatory = $True)] [string] $ClientSecret,
    [Parameter(Mandatory = $True)] [string] $ComputerName
)


PowerShell remoting needs to be enabled. You can read about Enable-PSRemoting to configure the computer to receive remote commands.


The PowerShell Remoting scenario only requires that the target machine has PowerShell remoting enabled so that it can receive commands. The user only needs to provide their Comae credentials (ClientId, ClientSecret) and the machine name of the remote computer (ComputerName).


