🧠 Understanding Persistence

Persistence in a penetration test refers to maintaining long term access to an environment. Since initial access methods are often short lived, persistence techniques allow you to regain access even after detection or remediation.

🔁 General Guidelines for Persistence

Assume your access will be noticed.
Set up multiple channels (both short term and long term).
Be ready to confuse incident response teams with noise.
Have persistence at multiple levels (identity, VM, script, etc.).

🧩 Multiple Channels: Redundancy and Obfuscation

Example 1 (Direct Access):
- Execute commands via VM Run Command as an Azure AD user.
- High visibility and traceability.
Example 2 (Indirect Access):
- Use Automation Account Runbooks to run commands as Run As account.
- Lower visibility and attribution.

Use loud/noisy channels to mask quiet ones.

🧱 Long Term vs Short Term Persistence

Short term channels:
- Easier to detect and remove.
- Include exposed credentials or direct access methods.
Long term channels:
- Privileged access like subscription Owner, AAD roles.
- Used sparingly to recover from short term losses.

🏗️ Persistence in Azure Subscriptions

Establish access through identities (User Accounts, Service Principals, Managed Identities).
Persist at multiple levels:
- Subscription
- Resource group
- Individual resources

🕵️‍♂️ Stealing Credentials from Systems

Browser Session Hijack

Open https://portal.azure.com on a compromised system with valid session.
SSO or cached sessions may auto authenticate.

Exporting PowerShell/Azure CLI Tokens

Tokens are stored at C:\Users\<USERNAME>\.Azure.
These can be reused on another machine.
Use Save-AzContext to export context:

☁️ General Persistence Strategy

Assume your access will be noticed and removed.
Establish both short term and long term access vectors.
Use multiple access channels at different privilege levels.

🖥️ Persistence via Azure Virtual Machines (IaaS)

Command & Control (C2) Implants

Deploy using
VM Run Command
Custom Script Extensions
RDP
Desired State Configuration (DSC)

Management Ports (RDP/SSH)

Open ports temporarily for remote access (discouraged due to alert risk).
Use Azure Service Tags like AzureCloud to obscure backdoor origin.

Managed Identity Abuse

Assign Managed Identity to the VM.
Grant permissions to other Azure or AAD resources.
Leverage token acquisition from the metadata service.

DSC Backdoor Example

Enforce the presence of C:\testfile.exe.
Ensure a process is running from that path.
Correct deviations via DSC automation.

🤖 Persistence via Automation Accounts

Leverage Run as Accounts with high privilege (Owner, Global Admin).

Use scheduled or webhook triggered runbooks to

Add backdoor users
Execute remote VM commands
Modify Azure AD roles

🔧 Persistence via Azure PaaS Service

Network Persistence

Modify authorized IP ranges for public endpoints (e.g. SQL Server, Storage).
Use Lava's sql_backdoor_firewall_rule module.

User Persistence

Exploit access keys, SAS tokens, or RBAC assignments.
Use long duration SAS tokens for stealth.

🔐 Persistence in Azure AD

Create Backdoor Identities

User accounts with predictable naming.
Service principals (bypass MFA, CA policies).
Guest users (less ideal; noisy).

Modify Existing Identities

Enable disabled users and reset passwords.
Add credentials (secrets) to existing service principals.

Privilege Escalation

Add backdoor identity to existing privileged groups.
Modify dynamic group rules.
Assign privileged Azure AD roles directly (requires Privileged Role Admin).

🔓 Bypassing Conditional Access

Add loophole rules that only apply to backdoor users.
Add attacker's IP to trusted locations.
Configure MFA trusted IPs to avoid enforcement.

🧠 Final Thoughts

Persistence in Azure is a nuanced and layered discipline. Combining stealth, privilege control, and cloud native features is key to long term success whether you're an attacker, red teamer, or defender simulating adversaries.

← Previous: Exploit Owner