AZT509 - Azure Bastion
Azure Bastion can be abused to allow persistent network access to a virtual machine over the public internet.
Resource
Azure Bastion
Actions
- Microsoft.Network/bastionHosts/write
- Microsoft.Network/bastionHosts/createShareableLinks/action
- Microsoft.Network/bastionHosts/getShareableLinks/action
Detections
Logs
Data Source | Operation Name | Action | Log Provider |
---|---|---|---|
Resource | Get Bastion Shareable Link | Microsoft.Network/bastionHosts/GetShareableLinks/action | AzureActivity |
Resource | N/A | Microsoft.Network/bastionHosts/write | AzureActivity |
Queries
Platform | Query |
---|---|
Log Analytics | AzureActivity | where OperationNameValue =~ "MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION" or OperationNameValue =~ "MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION" |
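
The query above matches only the two shareable-link operations. The following is an added example, not part of the original page: a Log Analytics query that also covers the bastionHosts/write action listed under Actions and groups the events by caller and Bastion resource for triage. The 7-day lookback and the output column names are assumptions.

```kql
// Added example: hunt for all three Azure Bastion actions listed on this page.
let bastionOps = dynamic([
    "MICROSOFT.NETWORK/BASTIONHOSTS/WRITE",
    "MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION",
    "MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION"
]);
AzureActivity
| where TimeGenerated > ago(7d)              // assumed lookback window, adjust to retention
| where OperationNameValue in~ (bastionOps)  // in~ is case-insensitive, like =~ in the original query
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Events    = count(),
    Statuses  = make_set(ActivityStatusValue),   // shows whether the operation succeeded or only started/failed
    SourceIPs = make_set(CallerIpAddress, 20)    // cap the set so a noisy caller does not bloat the row
    by Caller, _ResourceId, Operation = toupper(OperationNameValue)
| order by LastSeen desc
```

Rows where a caller both writes a Bastion host and creates or retrieves shareable links on the same resource are the ones to review first against expected administrative activity.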
Additional Resources
https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html