
AZT509 - Azure Bastion

Azure Bastion can be abused to allow persistent network access to a virtual machine over the public internet.

Resource

Azure Bastion

Actions

  • Microsoft.Network/bastionHosts/write

  • Microsoft.Network/bastionHosts/createShareableLinks/action

  • Microsoft.Network/bastionHosts/getShareableLinks/action

Detections

Logs

| Data Source | Operation Name | Action | Log Provider |
|---|---|---|---|
| Resource | Get Bastion Shareable Link | Microsoft.Network/bastionHosts/GetShareableLinks/action | AzureActivity |
| Resource | N/A | Microsoft.Network/bastionHosts/write | AzureActivity |

Queries

Platform: Log Analytics

Query:

    AzureActivity
    | where OperationNameValue =~ "MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION"
        or OperationNameValue =~ "MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION"
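
The same detection applied offline to exported activity rows, as an added example that is not part of the original page. It also matches Microsoft.Network/bastionHosts/write, which the Logs table lists but the query above does not filter on. The JSON Lines export shape, the names RID, P, SAMPLE and find_bastion_events, and all sample values are constructed assumptions.

```python
import json
from collections import defaultdict

# Actions listed on this page, lower-cased: matching is case-insensitive,
# like the =~ operator in the page's query.
WATCHED = {"microsoft.network/bastionhosts/" + a for a in (
    "write", "createshareablelinks/action", "getshareablelinks/action")}

# Constructed sample rows (JSON Lines). Keys mirror AzureActivity columns;
# the export format and all values are assumptions of this example.
RID = "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Network/bastionHosts/bastion-demo"

def _row(ts, op, status, caller, rid=RID):
    return json.dumps({"TimeGenerated": ts, "OperationNameValue": op,
                       "ActivityStatusValue": status, "Caller": caller, "_ResourceId": rid})

P = "Microsoft.Network/bastionHosts/"
SAMPLE = [
    _row("2024-01-10T09:00:00Z", P.upper() + "WRITE", "Success", "admin@example.com"),
    _row("2024-01-10T09:05:00Z", P + "createShareableLinks/action", "Start", "user1@example.com"),
    _row("2024-01-10T09:05:02Z", P + "createShareableLinks/action", "Success", "user1@example.com"),
    _row("2024-01-10T09:06:00Z", P.upper() + "GETSHAREABLELINKS/ACTION", "Success", "user1@example.com"),
    _row("2024-01-10T09:07:00Z", "Microsoft.Compute/virtualMachines/read", "Success", "user1@example.com", "/subscriptions/0000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo"),
    "not json",  # malformed line: skipped, not fatal
]

def find_bastion_events(lines):
    """Map each Bastion host id to its time-ordered (time, caller, operation, status) events."""
    hits = defaultdict(list)
    for raw in lines:
        try:
            row = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(row, dict):
            continue
        op = str(row.get("OperationNameValue", "")).lower()
        status = str(row.get("ActivityStatusValue", "")).lower()
        # A "Start" row is followed by a final status row for the same call; keep only the latter.
        if op not in WATCHED or status == "start":
            continue
        rid = str(row.get("_ResourceId", "")).lower()
        hits[rid].append((str(row.get("TimeGenerated", "")), str(row.get("Caller", "")), op, status))
    return {rid: sorted(events) for rid, events in hits.items()}

if __name__ == "__main__":
    for rid, events in find_bastion_events(SAMPLE).items():
        print(rid)
        for ts, caller, op, status in events:
            print(f"  {ts}  {caller}  {op}  [{status}]")
```

Failed attempts are kept in the output with their status, so a denied createShareableLinks call shows up alongside successful ones.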