Create Azure VM Bastion shareable link

slow

Platform: Azure

MITRE ATT&CK Tactics

• Persistence

Description

By utilizing the 'shareable link' feature on Bastions where it is enabled, an attacker can create a link to allow access to a virtual machine (VM) from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.

References:

• https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html
• https://learn.microsoft.com/en-us/azure/bastion/shareable-link
• https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT509/AZT509/

Warm-up:

• Create a VM and VNet
• Create an Azure Bastion host with access to the VM, and shareable links enabled

NOTE: Warm-up and cleanup can each take 10-15 minutes to create and destroy the Azure Bastion instance

Detonation:

• Create an Azure Bastion shareable link with access to the VM

Instructions

Detonate with Stratus Red Team

stratus detonate azure.persistence.create-bastion-shareable-link

Detection

Identify Azure events of type Microsoft.Network/bastionHosts/createshareablelinks/action and Microsoft.Network/bastionHosts/getShareablelinks/action. A sample of createshareablelinks is shown below (redacted for clarity).

{
  {
    "category": {
        "value": "Administrative",
        "localizedValue": "Administrative"
    },
    "level": "Informational",
    "operationName": {
        "value": "Microsoft.Network/bastionHosts/createshareablelinks/action",
        "localizedValue": "Creates shareable urls for the VMs under a bastion and returns the urls"
    },
    "resourceGroupName": "stratus-red-team-shareable-link-rg-tz6o",
    "resourceProviderName": {
        "value": "Microsoft.Network",
        "localizedValue": "Microsoft.Network"
    },
    "resourceType": {
        "value": "Microsoft.Network/bastionHosts",
        "localizedValue": "Microsoft.Network/bastionHosts"
    },
    "resourceId": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
    "status": {
        "value": "Succeeded",
        "localizedValue": "Succeeded"
    },
    "subStatus": {
        "value": "",
        "localizedValue": ""
    },
    "properties": {
        "eventCategory": "Administrative",
        "entity": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
        "message": "Microsoft.Network/bastionHosts/createshareablelinks/action",
        "hierarchy": "[removed]"
    },
}