
Access Virtual Machine using Bastion shareable link

slow

Platform: Azure

MITRE ATT&CK Tactics

  • Persistence

Description

By using the 'shareable link' feature on Bastions where it is enabled, an attacker can create a link that allows access to a virtual machine (VM) from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.

NOTE: This technique takes 10-15 minutes to warm up and 10-15 minutes to clean up, because of the time needed to deploy an Azure Bastion.

References:

Warm-up:

  • Create a VM and VNet
  • Create an Azure Bastion host with access to the VM, and shareable links enabled

NOTE: Warm-up and cleanup can each take 10-15 minutes to create and destroy the Azure Bastion instance.

Detonation:

  • Create an Azure Bastion shareable link with access to the VM

Instructions

Detonate with Stratus Red Team:

  stratus detonate azure.persistence.bastion-shareable-link

Detection

Identify Azure events of type Microsoft.Network/bastionHosts/createshareablelinks/action and Microsoft.Network/bastionHosts/getShareablelinks/action. A sample of createshareablelinks is shown below (redacted for clarity).

{
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "level": "Informational",
    "operationName": {
        "value": "Microsoft.Network/bastionHosts/createshareablelinks/action",
        "localizedValue": "Creates shareable urls for the VMs under a bastion and returns the urls"
    },
    "resourceGroupName": "stratus-red-team-shareable-link-rg-tz6o",
    "resourceProviderName": {
        "value": "Microsoft.Network",
        "localizedValue": "Microsoft.Network"
    },
    "resourceType": {
        "value": "Microsoft.Network/bastionHosts",
        "localizedValue": "Microsoft.Network/bastionHosts"
    },
    "resourceId": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "properties": {
        "eventCategory": "Administrative",
        "entity": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
        "message": "Microsoft.Network/bastionHosts/createshareablelinks/action",
        "hierarchy": "[removed]"
    }
}
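
The check described above, as an added example (not part of Stratus Red Team or the original page): it scans Activity Log records for the two shareable-link operations. The function names and the sample events are constructed for illustration, and it assumes that some log exports flatten operationName and status to plain strings and change their casing.

```python
import json

# Operation names from the Detection section, lower-cased for case-insensitive matching.
SHAREABLE_LINK_OPS = {
    "microsoft.network/bastionhosts/createshareablelinks/action",
    "microsoft.network/bastionhosts/getshareablelinks/action",
}


def _value(field):
    """Unwrap {"value": ...} objects (as in the sample above); pass plain strings through."""
    if isinstance(field, dict):
        field = field.get("value")
    return field if isinstance(field, str) else ""


def find_shareable_link_events(events):
    """Return one finding per event that creates or reads Bastion shareable links."""
    findings = []
    for event in events:
        op = _value(event.get("operationName"))
        if op.lower() not in SHAREABLE_LINK_OPS:
            continue
        findings.append({
            "operation": op,
            "status": _value(event.get("status")),
            "bastion": _value(event.get("resourceId")),
            "resource_group": _value(event.get("resourceGroupName")),
            # Link creation is the persistence step; reads are lower priority.
            "creates_link": op.lower().endswith("createshareablelinks/action"),
        })
    return findings


# Constructed sample events shaped like the record above (not real log data).
SAMPLE_EVENTS = json.loads("""[
 {"operationName": {"value": "Microsoft.Network/bastionHosts/createshareablelinks/action"},
  "status": {"value": "Succeeded"}, "resourceGroupName": "example-rg",
  "resourceId": "/example/providers/Microsoft.Network/bastionHosts/example-bastion"},
 {"operationName": {"value": "Microsoft.Network/bastionHosts/getShareablelinks/action"},
  "status": {"value": "Succeeded"}, "resourceGroupName": "example-rg",
  "resourceId": "/example/providers/Microsoft.Network/bastionHosts/example-bastion"},
 {"operationName": {"value": "Microsoft.Network/bastionHosts/write"},
  "status": {"value": "Succeeded"}, "resourceGroupName": "example-rg"},
 {"operationName": "MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION",
  "status": "Failed", "resourceGroupName": "example-rg", "resourceId": ""}
]""")
```

Failed attempts are reported as well, since a denied createshareablelinks call can still indicate someone probing for the feature.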