
AZT509 - Azure Bastion

Azure Bastion can be abused to allow persistent network access to a virtual machine over the public internet.

Resource

Azure Bastion

Actions

  • Microsoft.Network/bastionHosts/write

  • Microsoft.Network/bastionHosts/createShareableLinks/action

  • Microsoft.Network/bastionHosts/getShareableLinks/action

Detections

Logs

Data Source | Operation Name | Action | Log Location
--- | --- | --- | ---
Resource | Get Bastion Shareable Link | Microsoft.Network/bastionHosts/GetShareableLinks/action | Activity Log
Resource | N/A | Microsoft.Network/bastionHosts/write | Azure Activity Log

Queries

    // Source table: the Azure Activity Log as ingested into Log Analytics
    AzureActivity
    // =~ is a case-insensitive match; operation name casing varies between Activity Log entries
    | where OperationNameValue =~ "MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION" or OperationNameValue =~ "MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION"
    | order by TimeGenerated desc
    | project Caller, CallerIpAddress, OperationName, TimeGenerated, ResourceId
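The following is an added example, not code from the Azure Threat Research Matrix page: it re-implements the KQL query above in Python over a handful of constructed AzureActivity rows, so the matching logic can be checked offline, and goes one step further by correlating a `Microsoft.Network/bastionHosts/write` with a shareable-link action on the same Bastion resource within a time window. The sample rows, the resource names and the 24-hour window are assumptions for illustration.

```python
"""Offline re-implementation of the AZT509 Activity Log detection (added example)."""
from datetime import datetime, timedelta
from typing import Dict, List

# Operations from the detection table; compared upper-cased to mirror KQL's =~ operator.
SHAREABLE_LINK_OPS = {
    "MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION",
    "MICROSOFT.NETWORK/BASTIONHOSTS/CREATESHAREABLELINKS/ACTION",
}
BASTION_WRITE_OP = "MICROSOFT.NETWORK/BASTIONHOSTS/WRITE"
PROJECTED = ("Caller", "CallerIpAddress", "OperationNameValue", "TimeGenerated", "ResourceId")

# Constructed sample AzureActivity rows (not real log data); resource ids are placeholders.
SAMPLE_ACTIVITY: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-05-01T10:00:00Z", "Caller": "alice@example.com",
     "CallerIpAddress": "203.0.113.10", "OperationNameValue": "Microsoft.Network/bastionHosts/write",
     "ResourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Network/bastionHosts/bst-prod"},
    {"TimeGenerated": "2024-05-01T10:05:00Z", "Caller": "alice@example.com",
     "CallerIpAddress": "203.0.113.10", "OperationNameValue": "Microsoft.Network/bastionHosts/createShareableLinks/action",
     "ResourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Network/bastionHosts/bst-prod"},
    {"TimeGenerated": "2024-05-01T11:00:00Z", "Caller": "alice@example.com",
     "CallerIpAddress": "203.0.113.10", "OperationNameValue": "MICROSOFT.NETWORK/BASTIONHOSTS/GETSHAREABLELINKS/ACTION",
     "ResourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Network/bastionHosts/bst-prod"},
    {"TimeGenerated": "2024-05-01T12:00:00Z", "Caller": "svc-deploy@example.com",
     "CallerIpAddress": "198.51.100.7", "OperationNameValue": "Microsoft.Network/virtualNetworks/read",
     "ResourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod"},
    {"TimeGenerated": "2024-04-20T09:00:00Z", "Caller": "bob@example.com",
     "CallerIpAddress": "198.51.100.22", "OperationNameValue": "Microsoft.Network/bastionHosts/write",
     "ResourceId": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg-dev/providers/Microsoft.Network/bastionHosts/bst-dev"},
]


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in AzureActivity rows."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def shareable_link_events(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of the page's KQL: filter on the two shareable-link operations,
    order newest first, and project the same columns."""
    hits = [r for r in rows if r["OperationNameValue"].upper() in SHAREABLE_LINK_OPS]
    hits.sort(key=lambda r: parse_time(r["TimeGenerated"]), reverse=True)
    return [{k: r[k] for k in PROJECTED} for r in hits]


def correlate_write_then_link(rows: List[Dict[str, str]], window_hours: int = 24) -> List[Dict[str, object]]:
    """Added correlation (an assumption, not from the page): a bastionHosts/write followed
    by shareable-link actions on the same Bastion resource inside the window. A write
    is what would be needed to enable the shareable-link feature before links are created."""
    findings = []
    writes = [r for r in rows if r["OperationNameValue"].upper() == BASTION_WRITE_OP]
    links = [r for r in rows if r["OperationNameValue"].upper() in SHAREABLE_LINK_OPS]
    for w in writes:
        start = parse_time(w["TimeGenerated"])
        end = start + timedelta(hours=window_hours)
        followups = [
            l for l in links
            if l["ResourceId"] == w["ResourceId"] and start <= parse_time(l["TimeGenerated"]) <= end
        ]
        if followups:
            findings.append({
                "ResourceId": w["ResourceId"],
                "Writer": w["Caller"],
                "WriteTime": w["TimeGenerated"],
                "LinkOps": sorted(followups, key=lambda r: parse_time(r["TimeGenerated"])),
            })
    return findings


if __name__ == "__main__":
    for event in shareable_link_events(SAMPLE_ACTIVITY):
        print(event["TimeGenerated"], event["Caller"], event["OperationNameValue"])
    for f in correlate_write_then_link(SAMPLE_ACTIVITY):
        print("write-then-link on", f["ResourceId"], "by", f["Writer"], "->", len(f["LinkOps"]), "link ops")
```

Run against real data, the first function is the page's query; the second is only a suggested enrichment, and the window should be tuned to how quickly shareable links are normally configured after a Bastion deployment in your environment.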