Azure Web Application Service Usage
I've run into several instances during Red Team operations where I was worried about first IP/domain contact that incident response was monitoring. There have been a lot of great uses of Azure Functions recently, and I realized no one was really using simple IIS servers for redirection. Combined with that, understanding that Azure Web Application Services are just virtually hosted IIS servers that come with automatic Microsoft SSL certificates makes them extremely enticing for blending in with normal web traffic. So here's a quick walkthrough on how to set up an Azure Application Service as a redirector for your C2.
- Shared IP space with legitimate web sites
- Infinite choice of unique subdomains that get prepended to .azurewebsites.net
- Official Microsoft SSL certificates
- Ability to link a custom domain and legitimate MS certificate if the *.azurewebsites.net is not desired
- Easy firewall restriction configuration
- Lightweight, with the ability to cluster several sites under a single Azure Application Service Plan to save the cost of spinning up separate VM servers
- Restricting inbound access to the Cobalt Strike teamserver by Azure IP ranges may still leave your C2 infrastructure open to others proxying through Azure Application Services
Using IIS as a redirector
This walkthrough will consist of setting up the process manually via the Azure Portal.
Note: This can be automated via Azure APIs. I've already written a Python script for this, which I may release at a later time after more testing.
- Create the web app in Azure. This creates both an Application Service Plan and the actual web application service. Later you can link additional web applications to the same Application Service Plan to save on budget. You can pick any unique name for the application's subdomain on *.azurewebsites.net. Once the Application Service is set up you can verify that you have a legitimate *.azurewebsites.net Microsoft SSL certificate.
- Generate your web.config file with the included cs2webconfig script, based on a Malleable C2 profile of your choice. (A modified version of the amazon profile created by harmj0y is included in the repo as a reference.)

```
python cs2webconfig.py -t <teamserveraddress> -p <c2profile> -r <redirectoraddress> -o <outputfile>
```
- Log in to the Azure portal and open the App Service Editor for the web application created in step 1. You can either upload the web.config to the wwwroot directory of the application or create a new file and copy/paste the contents into it.
- Upload the included applicationHost.xdt, then open the Console in the App Service Editor and move the file to the site directory.
- Restart the Azure Application Service for the .xdt file to take effect, then browse to the site to validate that it's working. The current web.config template redirects all requests other than images and fonts to the index.html file (the cs2webconfig Python script can be modified to fit your own needs if you don't like that behavior).
- It's probably a good idea to downgrade TLS on the redirectors to accommodate older systems.
- Set up your teamserver listener. It is highly recommended not to include Host headers in your Malleable profile web requests, because they will break redirection to the Application Service hosting.
- Azure web applications don't use typical Azure Network Security Groups for firewall restrictions, so you need to restrict access to them through the Network Restrictions settings of the specific Application Service.
- You can pull all the egress IP addresses for the Application Service from the portal, but keep in mind these egress points are shared with anyone else using Azure Web Applications/Services, so you may expose your infrastructure if you restrict access to your C2 teamservers by those IP addresses alone.