New Technique: Access Virtual Machine using Bastion shareable link #583
Conversation
v2/internal/attacktechniques/azure/persistence/bastion-shareable-link/main.tf
Outdated
Show resolved
Hide resolved
| resource_group_name = azurerm_resource_group.lab_environment.name | ||
| # Required for shareable link feature | ||
| sku = "Standard" | ||
| shareable_link_enabled = "true" |
There was a problem hiding this comment.
| shareable_link_enabled = "true" | |
| shareable_link_enabled = true |
| func init() { | ||
| const codeBlock = "```" | ||
| stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{ | ||
| ID: "azure.persistence.bastion-shareable-link", |
There was a problem hiding this comment.
something more action oriented like the below might work better?
| ID: "azure.persistence.bastion-shareable-link", | |
| ID: "azure.persistence.create-bastion-sharing-link", |
There was a problem hiding this comment.
Keeping "shareable" if we can as this is the feature name, but can use "sharing" if we're up against a character limit.
There was a problem hiding this comment.
ah makes sense, so wdyt of azure.persistence.create-bastion-shareable-link?
| VMs: []*armnetwork.BastionShareableLink{ | ||
| { | ||
| VM: &armnetwork.VM{ | ||
| ID: to.Ptr(vmId), |
There was a problem hiding this comment.
| ID: to.Ptr(vmId), | |
| ID: &vmId, |
should be enough?
| }, | ||
| }, nil) | ||
| if err != nil { | ||
| log.Fatalf("failed to create shareable link: %v", err) |
There was a problem hiding this comment.
we generally try to return errors here (i.e. return fmt.Errorf("failed to create shareable link: %v", err);)
| }, | ||
| }, nil) | ||
| if err != nil { | ||
| log.Fatalf("failed to create shareable link: %v", err) |
There was a problem hiding this comment.
| log.Fatalf("failed to create shareable link: %v", err) | |
| return fmt.Errorf("failed to create shareable link: %v", err) |
|
|
||
| _, err = poller.PollUntilDone(ctx, nil) | ||
| if err != nil { | ||
| log.Fatalf("failed to poll results: %v", err) |
There was a problem hiding this comment.
| log.Fatalf("failed to poll results: %v", err) | |
| return fmt.Errorf("failed to retrieve shareable link: %v", err) |
|
|
||
| // Provide URL to access Bastion shareable link | ||
| // NOTE: Response via Go SDK methods does not return any page contents, so we'll supply a Portal URL to fetch the link for now. (The example cited in reference link above is not clear on how to resolve this.) | ||
| url := fmt.Sprintln("https://portal.azure.com/#@" + tenantId + "/resource/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroup + "/providers/Microsoft.Network/bastionHosts/" + bastionName + "/shareablelinks") |
There was a problem hiding this comment.
sounds like Sprintf would be a bit cleaner to build this with %s ?
| }, | ||
| }, nil) | ||
| if err != nil { | ||
| log.Fatalf("failed to finish the request: %v", err) |
There was a problem hiding this comment.
| log.Fatalf("failed to finish the request: %v", err) | |
| return fmt.Errorf("failed to delete shareable bastion link: %v", err) |
| } | ||
| _, err = poller.PollUntilDone(ctx, nil) | ||
| if err != nil { | ||
| log.Fatalf("failed to pull the result: %v", err) |
There was a problem hiding this comment.
| log.Fatalf("failed to pull the result: %v", err) | |
| return fmt.Errorf("failed to retrieve shareable bastion link deletion result: %v", err) |
|
@christophetd Added changes based on your feedback in, but as a heads up haven't retested just yet (will tomorrow AM). Feel free to change/comment anything tomorrow if you get to this first! |
v2/internal/attacktechniques/azure/persistence/create-bastion-shareable-link/main.go
Outdated
Show resolved
Hide resolved
v2/internal/attacktechniques/azure/persistence/create-bastion-shareable-link/main.go
Outdated
Show resolved
Hide resolved
…shareable-link/main.go Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
…shareable-link/main.go Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
What does this PR do?
New attack technique: Persistence via Azure Bastion shareable link.
Motivation
This technique has been documented as a method for maintaining VM access off-network:
Currently, I'm making the assumption that shareable links are enabled (as they may already be for a contractor or similar), to focus on the creation of a shareable link as the overall technique. Open to critique on this approach!
Checklist
Researcher(s), in this case.