Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New Technique: Access Virtual Machine using Bastion shareable link #583

Merged
merged 12 commits into from
Oct 21, 2024
Merged

New Technique: Access Virtual Machine using Bastion shareable link #583

merged 12 commits into from
Oct 21, 2024

Conversation

siigil
Copy link
Contributor

@siigil siigil commented Oct 10, 2024

What does this PR do?

New attack technique: Persistence via Azure Bastion shareable link.

Motivation

This technique has been documented as a method for maintaining VM access off-network:

Currently, I'm making the assumption that shareable links are enabled (as they may already be for a contractor or similar), to focus on the creation of a shareable link as the overall technique. Open to critique on this approach!

Checklist

  • The attack technique emulates a single attack step, not a full attack chain
  • We have factual evidence & references that the attack technique was used by real malware, pentesters, or attackers*
    Researcher(s), in this case.
  • The attack technique makes no assumption about the state of the environment prior to warming it up

christophetd
christophetd reviewed Oct 10, 2024
View reviewed changes
v2/internal/attacktechniques/azure/persistence/bastion-shareable-link/main.tf Outdated
resource_group_name = azurerm_resource_group.lab_environment.name
# Required for shareable link feature
sku = "Standard"
shareable_link_enabled = "true"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
shareable_link_enabled = "true"
shareable_link_enabled = true

christophetd
christophetd reviewed Oct 10, 2024
View reviewed changes
v2/internal/attacktechniques/azure/persistence/bastion-shareable-link/main.go Outdated
VMs: []*armnetwork.BastionShareableLink{
{
VM: &armnetwork.VM{
ID: to.Ptr(vmId),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ID: to.Ptr(vmId),
ID: &vmId,

should be enough?

christophetd
christophetd reviewed Oct 10, 2024
View reviewed changes
v2/internal/attacktechniques/azure/persistence/bastion-shareable-link/main.go Outdated

_, err = poller.PollUntilDone(ctx, nil)
if err != nil {
log.Fatalf("failed to poll results: %v", err)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
log.Fatalf("failed to poll results: %v", err)
return fmt.Errorf("failed to retrieve shareable link: %v", err)

christophetd
christophetd reviewed Oct 10, 2024
View reviewed changes
v2/internal/attacktechniques/azure/persistence/bastion-shareable-link/main.go Outdated

// Provide URL to access Bastion shareable link
// NOTE: Response via Go SDK methods does not return any page contents, so we'll supply a Portal URL to fetch the link for now. (The example cited in reference link above is not clear on how to resolve this.)
url := fmt.Sprintln("https://portal.azure.com/#@" + tenantId + "/resource/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroup + "/providers/Microsoft.Network/bastionHosts/" + bastionName + "/shareablelinks")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds like Sprintf would be a bit cleaner to build this with %s ?

@siigil
Copy link
Contributor Author

siigil commented Oct 10, 2024

@christophetd Added changes based on your feedback in, but as a heads up haven't retested just yet (will tomorrow AM). Feel free to change/comment anything tomorrow if you get to this first!

@siigil
Copy link
Contributor Author

siigil commented Oct 18, 2024

Updated technique to provide shareable link + credentials for direct bastion access.

@christophetd christophetd force-pushed the katie.knowles/bastion-shareable-link branch from 5907da4 to 6d8c75e Compare October 21, 2024 20:18
@christophetd christophetd enabled auto-merge (squash) October 21, 2024 20:21
@christophetd christophetd merged commit e9d8e96 into DataDog:main Oct 21, 2024
5 checks passed
@christophetd christophetd deleted the katie.knowles/bastion-shareable-link branch October 21, 2024 20:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christophetd christophetd christophetd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@siigil @christophetd