
AZT403.1 - Local Resource Hijack: Cloud Shell .IMG

Azure Cloud Shell persists the user's home directory as a disk image (.IMG) in an Azure Files share of a storage account it creates on first use. An adversary with write access to that file share can modify the .bashrc file inside the .IMG; the injected commands run under the victim's identity the next time they open Cloud Shell and can, for example, add an arbitrary user account to a desired role and scope, escalating the adversary's privileges.

Resource

Azure CloudShell

Actions

  • n/a

Examples

cloudshell

Detections

Detection Details

A storage account is created to store the profile .IMG file when Cloud Shell is first used. These storage accounts are auto-named with the prefix cs followed by a string of numbers and letters, e.g. cs120000000ff. Storage accounts do not ship access logs anywhere by default: to see reads and writes against the .IMG, the account's file service must be configured with diagnostic settings (StorageRead, StorageWrite and StorageDelete) that forward to a log aggregator such as a Log Analytics workspace. Accounts matching the cs prefix should be enumerated and audited for that configuration.

Additionally, ~/.config/PowerShell/Microsoft.PowerShell_profile.ps1 (inside the same .IMG) is where the PowerShell startup profile is stored, which is an equally attractive target for backdooring when the victim uses the PowerShell flavour of Cloud Shell.
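The detection idea above, as an added example that is not part of the AZTRM page: the Cloud Shell console reaches the share over SMB, so REST (HTTPS) reads or writes of the .IMG itself indicate someone pulled or replaced the whole home-directory image outside the console, which is the step needed to plant either .bashrc or the PowerShell profile. The records are constructed and only imitate the shape of Azure Files diagnostic logs (StorageFileLogs) in Log Analytics; the field names, share name and path layout are assumptions to check against the real schema, not facts from the page.

```python
"""Added detection example for the Cloud Shell .IMG hijack (constructed, not from
the AZTRM page). Records imitate Azure Files diagnostic logs (StorageFileLogs)
forwarded to Log Analytics; field names, share name and paths are assumptions."""
import re
from dataclasses import dataclass

# Cloud Shell auto-creates its storage account as "cs" + numbers/letters.
CS_ACCOUNT = re.compile(r"^cs[0-9a-z]+$")

# The console mounts the share over SMB, so SMB traffic to the .img is normal.
# REST (HTTPS) reads/writes of the image itself mean someone fetched or replaced
# the whole home-directory image outside the console, e.g. to plant .bashrc or
# Microsoft.PowerShell_profile.ps1. Operation names are assumptions.
SUSPICIOUS_OPS = {"GetFile", "PutRange", "CreateFile", "CopyFile", "DeleteFile"}


@dataclass(frozen=True)
class Finding:
    account: str
    operation: str
    uri: str
    caller_ip: str
    auth: str


def is_profile_image(uri: str) -> bool:
    """The persisted $HOME is a single .img file in the file share."""
    return uri.split("?", 1)[0].lower().endswith(".img")


def detect(records: list[dict]) -> list[Finding]:
    """Return one Finding per out-of-console access to a Cloud Shell .img."""
    findings = []
    for r in records:
        if not CS_ACCOUNT.match(r.get("AccountName", "")):
            continue                      # not a Cloud Shell storage account
        if r.get("Protocol", "").upper() != "HTTPS":
            continue                      # SMB = the console's own mount
        if r.get("OperationName") not in SUSPICIOUS_OPS:
            continue
        if not is_profile_image(r.get("Uri", "")):
            continue
        findings.append(Finding(
            account=r["AccountName"], operation=r["OperationName"],
            uri=r["Uri"], caller_ip=r.get("CallerIpAddress", "?"),
            auth=r.get("AuthenticationType", "?")))
    return findings


# Constructed sample records (made up; share name and paths are assumptions).
IMG = "https://cs1a2b3c4d5e6f.file.core.windows.net/cs-share/.cloudconsole/acc_alice.img"
SAMPLE_RECORDS = [
    # 1. Normal console activity: SMB write from the Cloud Shell host.
    {"AccountName": "cs1a2b3c4d5e6f", "Protocol": "SMB", "OperationName": "Write",
     "Uri": IMG, "CallerIpAddress": "10.0.0.4", "AuthenticationType": "Kerberos"},
    # 2. Image downloaded via REST: attacker grabbing the .img to modify offline.
    {"AccountName": "cs1a2b3c4d5e6f", "Protocol": "HTTPS", "OperationName": "GetFile",
     "Uri": IMG, "CallerIpAddress": "203.0.113.10", "AuthenticationType": "AccountKey"},
    # 3. Image written back via REST: modified .img with a poisoned .bashrc.
    {"AccountName": "cs1a2b3c4d5e6f", "Protocol": "HTTPS", "OperationName": "PutRange",
     "Uri": IMG, "CallerIpAddress": "203.0.113.10", "AuthenticationType": "AccountKey"},
    # 4. Same operation on an unrelated account: out of scope for this rule.
    {"AccountName": "prodbackups01", "Protocol": "HTTPS", "OperationName": "PutRange",
     "Uri": "https://prodbackups01.file.core.windows.net/vms/disk.img",
     "CallerIpAddress": "203.0.113.10", "AuthenticationType": "AccountKey"},
    # 5. REST read of a non-image file in the Cloud Shell share: not the .img.
    {"AccountName": "cs1a2b3c4d5e6f", "Protocol": "HTTPS", "OperationName": "GetFile",
     "Uri": "https://cs1a2b3c4d5e6f.file.core.windows.net/cs-share/notes.txt",
     "CallerIpAddress": "203.0.113.10", "AuthenticationType": "AccountKey"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f.account}: {f.operation} on {f.uri} from {f.caller_ip} ({f.auth})")
```

Only records 2 and 3 are flagged: the console's own SMB write, the unrelated account and the non-image file all pass. The same filter is what the Log Analytics query slot below is meant to hold; before relying on it, confirm the Protocol and AuthenticationType columns and the operation names against the StorageFileLogs schema in your workspace, since those are assumed here.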

Queries

Platform: Log Analytics
Query: (KQL)

Azure Monitor Alert

Deploy to Azure