New Technique: Access Virtual Machine using Bastion shareable link #583
v2/internal/attacktechniques/azure/persistence/bastion-shareable-link/main.tf
resource_group_name = azurerm_resource_group.lab_environment.name | ||
# Required for shareable link feature | ||
sku = "Standard" | ||
shareable_link_enabled = "true" |
shareable_link_enabled = "true" | |
shareable_link_enabled = true |
func init() { | ||
const codeBlock = "```" | ||
stratus.GetRegistry().RegisterAttackTechnique(&stratus.AttackTechnique{ | ||
ID: "azure.persistence.bastion-shareable-link", |
something more action oriented like the below might work better?
ID: "azure.persistence.bastion-shareable-link", | |
ID: "azure.persistence.create-bastion-sharing-link", |
Keeping "shareable" if we can as this is the feature name, but can use "sharing" if we're up against a character limit.
ah makes sense, so wdyt of azure.persistence.create-bastion-shareable-link?
VMs: []*armnetwork.BastionShareableLink{ | ||
{ | ||
VM: &armnetwork.VM{ | ||
ID: to.Ptr(vmId), |
ID: to.Ptr(vmId), | |
ID: &vmId, |
should be enough?
}, | ||
}, nil) | ||
if err != nil { | ||
log.Fatalf("failed to create shareable link: %v", err) |
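Review bot: log.Fatalf in the err != nil branch exits the process when link creation fails, so the caller gets no chance to handle or report the failure. Return the error instead, wrapped with %w (fmt.Errorf("failed to create shareable link: %w", err)), so callers can still inspect the underlying error with errors.Is or errors.As.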
we generally try to return errors here (i.e. return fmt.Errorf("failed to create shareable link: %v", err);)
}, | ||
}, nil) | ||
if err != nil { | ||
log.Fatalf("failed to create shareable link: %v", err) |
log.Fatalf("failed to create shareable link: %v", err) | |
return fmt.Errorf("failed to create shareable link: %v", err) |
|
||
_, err = poller.PollUntilDone(ctx, nil) | ||
if err != nil { | ||
log.Fatalf("failed to poll results: %v", err) |
log.Fatalf("failed to poll results: %v", err) | |
return fmt.Errorf("failed to retrieve shareable link: %v", err) |
|
||
// Provide URL to access Bastion shareable link | ||
// NOTE: Response via Go SDK methods does not return any page contents, so we'll supply a Portal URL to fetch the link for now. (The example cited in reference link above is not clear on how to resolve this.) | ||
url := fmt.Sprintln("https://portal.azure.com/#@" + tenantId + "/resource/subscriptions/" + subscriptionID + "/resourceGroups/" + resourceGroup + "/providers/Microsoft.Network/bastionHosts/" + bastionName + "/shareablelinks") |
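Review bot: fmt.Sprintln on the url := line appends a trailing newline to the portal URL, which then travels with the string into any output or log line that embeds it. Build it with fmt.Sprintf and %s verbs so the URL ends at /shareablelinks and the four path segments (tenantId, subscriptionID, resourceGroup, bastionName) read as one format string; the Id/ID casing of those variable names could be made consistent at the same time.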
sounds like Sprintf would be a bit cleaner to build this with %s?
}, | ||
}, nil) | ||
if err != nil { | ||
log.Fatalf("failed to finish the request: %v", err) |
log.Fatalf("failed to finish the request: %v", err) | |
return fmt.Errorf("failed to delete shareable bastion link: %v", err) |
} | ||
_, err = poller.PollUntilDone(ctx, nil) | ||
if err != nil { | ||
log.Fatalf("failed to pull the result: %v", err) |
log.Fatalf("failed to pull the result: %v", err) | |
return fmt.Errorf("failed to retrieve shareable bastion link deletion result: %v", err) |
@christophetd Added changes based on your feedback in, but as a heads up haven't retested just yet (will tomorrow AM). Feel free to change/comment anything tomorrow if you get to this first!
v2/internal/attacktechniques/azure/persistence/create-bastion-shareable-link/main.go
…shareable-link/main.go Co-authored-by: Christophe Tafani-Dereeper <[email protected]>
Updated technique to provide shareable link + credentials for direct bastion access.
What does this PR do?
New attack technique: Persistence via Azure Bastion shareable link.
Motivation
This technique has been documented as a method for maintaining VM access off-network:
Currently, I'm making the assumption that shareable links are enabled (as they may already be for a contractor or similar), to focus on the creation of a shareable link as the overall technique. Open to critique on this approach!
Checklist
Researcher(s), in this case.