top of page
  • White Twitter Icon

Azure App C2 Revisited

Azure Applications are often recognized by the well-known *.azurewebsites.net domains. We've long abused Azure-related infrastructure assets for reputable C2 infrastructure (others have, but we've just kept it in the back pocket). Over the past years, new changes, warnings, and all sorts of controls have been used to deter the use of Azure for domain fronting.


We don't encourage using Azure infrastructure for Adversary Simulations or red-teaming, but it's still important to know what's possible so defenders can better prepare.


Azure Application Redirector

Azure applications are often deployed using code, and the user does not have direct access to the infrastructure. As such, deploying an Nginx or Apache redirector onto this service is impossible. Therefore, similar to lambda functions and other serverless infrastructure, we can use a short code snippet to redirect traffic instead.


For reference, code published back in 2019 can be used: https://github.com/vysecurity/AzureAppC2/



After deploying the code, it can be used to operate the same as any C2 infrastructure. The code was initially published to demonstrate *.azurewebsites.net subdomain takeovers - which, till today, is still not fixed. Attackers can still take over subdomains from Microsoft - some belonging to azure.com or even microsoft.com, for malicious purposes.


This information is re-shared in a blog post as many Red Team operators have recently started to discuss using Azure functions for C2. As we have traditionally steered away from Azure infrastructure for C2, it was not apparent that it is only now becoming a trend four years later.


Code


Comments


bottom of page