New Technique: Access Virtual Machine using Bastion shareable link (#583)

* Add Azure Bastion shareable link technique

* Add delay note for Bastion technique

* Add techniqe documentation

* Change category to persistence

* Fix tf formatting

* Error and string handling + technique rename

* Update v2/internal/attacktechniques/azure/persistence/create-bastion-shareable-link/main.go

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>

* Update v2/internal/attacktechniques/azure/persistence/create-bastion-shareable-link/main.go

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>

* Cosmetic changes

* Add shareable link + credentials to output

* Fix error handling

* autogen docs

---------

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
Co-authored-by: Christophe Tafani-Dereeper <[email protected]>

Author: siigil

docs/attack-techniques/azure/azure.create-bastion-shareable-link.md

@@ -0,0 +1,84 @@
+---
+title: Access Virtual Machine using Bastion shareable link
+---
+
+# Access Virtual Machine using Bastion shareable link
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique is slow to warm up and cleanup">slow</span> 
+
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+By utilizing the 'shareable link' feature on Bastions where it is enabled, an attacker can create a link to allow access to a virtual machine (VM) from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.
+NOTE: This technique will take 10-15 minutes to warmup, and 10-15 minutes to cleanup. This is due to the time to deploy an Azure Bastion.
+
+References:
+
+- https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html
+- https://learn.microsoft.com/en-us/azure/bastion/shareable-link
+- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT509/AZT509/
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create a VM and VNet
+- Create an Azure Bastion host with access to the VM, and shareable links enabled
+NOTE: Warm-up and cleanup can each take 10-15 minutes to create and destroy the Azure Bastion instance
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Create an Azure Bastion shareable link with access to the VM
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.bastion-shareable-link
+```
+## Detection
+
+Identify Azure events of type <code>Microsoft.Network/bastionHosts/createshareablelinks/action</code> and <code>Microsoft.Network/bastionHosts/getShareablelinks/action</code>. A sample of <code>createshareablelinks</code> is shown below (redacted for clarity).
+
+```json hl_lines="7"
+  {
+    "category": {
+        "value": "Administrative",
+        "localizedValue": "Administrative"
+    },
+    "level": "Informational",
+    "operationName": {
+        "value": "Microsoft.Network/bastionHosts/createshareablelinks/action",
+        "localizedValue": "Creates shareable urls for the VMs under a bastion and returns the urls"
+    },
+    "resourceGroupName": "stratus-red-team-shareable-link-rg-tz6o",
+    "resourceProviderName": {
+        "value": "Microsoft.Network",
+        "localizedValue": "Microsoft.Network"
+    },
+    "resourceType": {
+        "value": "Microsoft.Network/bastionHosts",
+        "localizedValue": "Microsoft.Network/bastionHosts"
+    },
+    "resourceId": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
+    "status": {
+        "value": "Succeeded",
+        "localizedValue": "Succeeded"
+    },
+    "subStatus": {
+        "value": "",
+        "localizedValue": ""
+    },
+    "properties": {
+        "eventCategory": "Administrative",
+        "entity": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
+        "message": "Microsoft.Network/bastionHosts/createshareablelinks/action",
+        "hierarchy": "[removed]"
+    },
+}
+```

docs/attack-techniques/azure/azure.persistence.create-bastion-shareable-link.md

@@ -0,0 +1,89 @@
+---
+title: Create Azure VM Bastion shareable link
+---
+
+# Create Azure VM Bastion shareable link
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span> 
+
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+By utilizing the 'shareable link' feature on Bastions where it is enabled, an attacker can create a link to allow access to a virtual machine (VM) from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.
+
+References:
+
+- https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html
+- https://learn.microsoft.com/en-us/azure/bastion/shareable-link
+- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT509/AZT509/
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create a VM and VNet
+- Create an Azure Bastion host with access to the VM, and shareable links enabled
+
+NOTE: Warm-up and cleanup can each take 10-15 minutes to create and destroy the Azure Bastion instance
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Create an Azure Bastion shareable link with access to the VM
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.create-bastion-shareable-link
+```
+## Detection
+
+
+Identify Azure events of type <code>Microsoft.Network/bastionHosts/createshareablelinks/action</code> and <code>Microsoft.Network/bastionHosts/getShareablelinks/action</code>. A sample of <code>createshareablelinks</code> is shown below (redacted for clarity).
+
+```json hl_lines="7"
+{
+  {
+    "category": {
+        "value": "Administrative",
+        "localizedValue": "Administrative"
+    },
+    "level": "Informational",
+    "operationName": {
+        "value": "Microsoft.Network/bastionHosts/createshareablelinks/action",
+        "localizedValue": "Creates shareable urls for the VMs under a bastion and returns the urls"
+    },
+    "resourceGroupName": "stratus-red-team-shareable-link-rg-tz6o",
+    "resourceProviderName": {
+        "value": "Microsoft.Network",
+        "localizedValue": "Microsoft.Network"
+    },
+    "resourceType": {
+        "value": "Microsoft.Network/bastionHosts",
+        "localizedValue": "Microsoft.Network/bastionHosts"
+    },
+    "resourceId": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
+    "status": {
+        "value": "Succeeded",
+        "localizedValue": "Succeeded"
+    },
+    "subStatus": {
+        "value": "",
+        "localizedValue": ""
+    },
+    "properties": {
+        "eventCategory": "Administrative",
+        "entity": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
+        "message": "Microsoft.Network/bastionHosts/createshareablelinks/action",
+        "hierarchy": "[removed]"
+    },
+}
+```
+
+

docs/attack-techniques/azure/index.md

@@ -15,3 +15,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Export Disk Through SAS URL](./azure.exfiltration.disk-export.md)
 
+
+## Persistence
+
+- [Create Azure VM Bastion shareable link](./azure.persistence.create-bastion-shareable-link.md)
+

docs/attack-techniques/list.md

@@ -52,6 +52,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
+| [Create Azure VM Bastion shareable link](./azure/azure.persistence.create-bastion-shareable-link.md) | [Azure](./azure/index.md) | Persistence |
 | [Create Admin EKS Access Entry](./EKS/eks.lateral-movement.create-access-entry.md) | [EKS](./EKS/index.md) | Lateral Movement |
 | [Backdoor aws-auth EKS ConfigMap](./EKS/eks.persistence.backdoor-aws-auth-configmap.md) | [EKS](./EKS/index.md) | Persistence, Privilege Escalation |
 | [Backdoor Entra ID application through service principal](./entra-id/entra-id.persistence.backdoor-application-sp.md) | [Entra ID](./entra-id/index.md) | Persistence, Privilege Escalation |

docs/index.yaml

@@ -472,6 +472,14 @@ Azure:
             - Exfiltration
           platform: Azure
           isIdempotent: true
+    Persistence:
+        - id: azure.persistence.create-bastion-shareable-link
+          name: Create Azure VM Bastion shareable link
+          isSlow: true
+          mitreAttackTactics:
+            - Persistence
+          platform: Azure
+          isIdempotent: false
 Entra ID:
     Persistence:
         - id: entra-id.persistence.backdoor-application-sp

v2/go.mod

@@ -9,7 +9,8 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
-	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
 	github.com/aws/aws-sdk-go-v2 v1.31.0
 	github.com/aws/aws-sdk-go-v2/config v1.25.11
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.9

v2/go.sum

@@ -13,10 +13,18 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0/go.mod h1:gM3K25LQlsET3QR+4V74zxCsFAy0r6xMNN9n80SZn+4=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.0.0 h1:lMW1lD/17LUA5z1XTURo7LcVG2ICBPlyMHjIUrcFZNQ=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.0.0/go.mod h1:ceIuwmxDWptoW3eCqSXlnPsZFKh4X+R38dWPv7GS9Vs=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0 h1:PTFGRSlMKCQelWwxUyYVEUqseBJVemLyqWJjvMyt0do=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v2 v2.0.0/go.mod h1:LRr2FzBTQlONPPa5HREE5+RjSCTXl7BwOvYOaWTqCaI=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0 h1:2qsIIvxVT+uE6yrNldntJKlLRgxGbZ85kgtz5SNBhMw=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal/v3 v3.1.0/go.mod h1:AW8VEadnhw9xox+VaVd9sP7NjzOAnaZBLRH6Tq3cJ38=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0 h1:pPvTJ1dY0sA35JOeFq6TsY2xj6Z85Yo23Pj4wCCvu4o=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/managementgroups/armmanagementgroups v1.0.0/go.mod h1:mLfWfj8v3jfWKsL9G4eoBoXVcsqcIUTapmdKy7uGOp0=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.0.0 h1:nBy98uKOIfun5z6wx6jwWLrULcM0+cjBalBFZlEZ7CA=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.0.0/go.mod h1:243D9iHbcQXoFUtgHJwL7gl2zx1aDuDMjvBZVGr2uW0=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0/go.mod h1:s1tW/At+xHqjNFvWU4G0c0Qv33KOhvbGNj0RCTQDV8s=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0 h1:Fd+iaEa+JBwzYo6OTWYSNqyvlPSLciMGsmsnYCKcXM0=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork/v6 v6.1.0/go.mod h1:ulHyBFJOI0ONiRL4vcJTmS7rx18jQQlEPmAgo80cRdM=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0 h1:Dd+RhdJn0OTtVGaeDLZpcumkIVCtA/3/Fo42+eoYvVM=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0/go.mod h1:5kakwfW5CjC9KK+Q4wjXAg+ShuIm2mBMua0ZFj2C8PE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=