autogen docs

docs/attack-techniques/azure/azure.persistence.create-bastion-shareable-link.md

@@ -0,0 +1,89 @@
+---
+title: Create Azure VM Bastion shareable link
+---
+
+# Create Azure VM Bastion shareable link
+
+ <span class="smallcaps w3-badge w3-orange w3-round w3-text-sand" title="This attack technique might be slow to warm up or detonate">slow</span> 
+
+
+Platform: Azure
+
+## MITRE ATT&CK Tactics
+
+
+- Persistence
+
+## Description
+
+
+By utilizing the 'shareable link' feature on Bastions where it is enabled, an attacker can create a link to allow access to a virtual machine (VM) from untrusted networks. Public links generated for an Azure Bastion can allow VM network access to anyone with the generated URL.
+
+References:
+
+- https://blog.karims.cloud/2022/11/26/yet-another-azure-vm-persistence.html
+- https://learn.microsoft.com/en-us/azure/bastion/shareable-link
+- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/AZT509/AZT509/
+
+<span style="font-variant: small-caps;">Warm-up</span>: 
+
+- Create a VM and VNet
+- Create an Azure Bastion host with access to the VM, and shareable links enabled
+
+NOTE: Warm-up and cleanup can each take 10-15 minutes to create and destroy the Azure Bastion instance
+
+<span style="font-variant: small-caps;">Detonation</span>: 
+
+- Create an Azure Bastion shareable link with access to the VM
+
+
+## Instructions
+
+```bash title="Detonate with Stratus Red Team"
+stratus detonate azure.persistence.create-bastion-shareable-link
+```
+## Detection
+
+
+Identify Azure events of type <code>Microsoft.Network/bastionHosts/createshareablelinks/action</code> and <code>Microsoft.Network/bastionHosts/getShareablelinks/action</code>. A sample of <code>createshareablelinks</code> is shown below (redacted for clarity).
+
+```json hl_lines="7"
+{
+  {
+    "category": {
+        "value": "Administrative",
+        "localizedValue": "Administrative"
+    },
+    "level": "Informational",
+    "operationName": {
+        "value": "Microsoft.Network/bastionHosts/createshareablelinks/action",
+        "localizedValue": "Creates shareable urls for the VMs under a bastion and returns the urls"
+    },
+    "resourceGroupName": "stratus-red-team-shareable-link-rg-tz6o",
+    "resourceProviderName": {
+        "value": "Microsoft.Network",
+        "localizedValue": "Microsoft.Network"
+    },
+    "resourceType": {
+        "value": "Microsoft.Network/bastionHosts",
+        "localizedValue": "Microsoft.Network/bastionHosts"
+    },
+    "resourceId": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
+    "status": {
+        "value": "Succeeded",
+        "localizedValue": "Succeeded"
+    },
+    "subStatus": {
+        "value": "",
+        "localizedValue": ""
+    },
+    "properties": {
+        "eventCategory": "Administrative",
+        "entity": "[removed]/resourceGroups/stratus-red-team-shareable-link-rg-tz6o/providers/Microsoft.Network/bastionHosts/stratus-red-team-shareable-link-bastion-tz6o",
+        "message": "Microsoft.Network/bastionHosts/createshareablelinks/action",
+        "hierarchy": "[removed]"
+    },
+}
+```
+
+

docs/attack-techniques/azure/index.md

@@ -15,3 +15,8 @@ Note that some Stratus attack techniques may correspond to more than a single AT
 
 - [Export Disk Through SAS URL](./azure.exfiltration.disk-export.md)
 
+
+## Persistence
+
+- [Create Azure VM Bastion shareable link](./azure.persistence.create-bastion-shareable-link.md)
+

docs/attack-techniques/list.md

@@ -51,6 +51,7 @@ This page contains the list of all Stratus Attack Techniques.
 | [Execute Command on Virtual Machine using Custom Script Extension](./azure/azure.execution.vm-custom-script-extension.md) | [Azure](./azure/index.md) | Execution |
 | [Execute Commands on Virtual Machine using Run Command](./azure/azure.execution.vm-run-command.md) | [Azure](./azure/index.md) | Execution |
 | [Export Disk Through SAS URL](./azure/azure.exfiltration.disk-export.md) | [Azure](./azure/index.md) | Exfiltration |
+| [Create Azure VM Bastion shareable link](./azure/azure.persistence.create-bastion-shareable-link.md) | [Azure](./azure/index.md) | Persistence |
 | [Create Admin EKS Access Entry](./EKS/eks.lateral-movement.create-access-entry.md) | [EKS](./EKS/index.md) | Lateral Movement |
 | [Backdoor aws-auth EKS ConfigMap](./EKS/eks.persistence.backdoor-aws-auth-configmap.md) | [EKS](./EKS/index.md) | Persistence, Privilege Escalation |
 | [Backdoor Entra ID application through service principal](./entra-id/entra-id.persistence.backdoor-application-sp.md) | [Entra ID](./entra-id/index.md) | Persistence, Privilege Escalation |

docs/index.yaml

@@ -465,6 +465,14 @@ Azure:
             - Exfiltration
           platform: Azure
           isIdempotent: true
+    Persistence:
+        - id: azure.persistence.create-bastion-shareable-link
+          name: Create Azure VM Bastion shareable link
+          isSlow: true
+          mitreAttackTactics:
+            - Persistence
+          platform: Azure
+          isIdempotent: false
 Entra ID:
     Persistence:
         - id: entra-id.persistence.backdoor-application-sp