- Azure POC environment
- Create the Azure Function App
- Configure the Function App and network security group
- Deploy
- Conclusion
This is a continuation of an ongoing series of blog posts I have made on the topic of using cloud provider native services to provide high reputation redirectors for command and control HTTP/S implant traffic.
I have previously looked at this topic for services in GCP and AWS, and now I’m looking at Azure. This post will look at how we can use Azure Functions to forward implant traffic.
If you want some more details on why you might want to do this, check out the linked portion of this previous post here.
Azure POC environment
Similar to what I did for the GCP POCs discussed in previous posts, I needed some simple C2 infrastructure to forward traffic to.
To this end, I created the following using the Azure Portal, using North Central US for regional resources:
- A resource group C2VM_group used to collect all the related infrastructure used for the POC
- A Virtual Network with network range 10.0.0.0/16, with a default subnet with range 10.0.0.0/24 where the C2 VM instance will be attached
- A Linux virtual machine with the Sliver C2 installed and a public IP address that I could use to access the instance by SSH. The internal IP of this instance was 10.0.0.4.
- A network security group associated with the instance, configured with custom rules restricting SSH traffic to my home IP address only. SSH is the means by which I accessed the instance to configure the operating system and operate the C2 service.
With this basic infrastructure available to forward to, the Function App can be created.
Create the Azure Function App
The Function App and associated resources needed for the POC can be created using the Azure Portal here.
Use the Create button to start the “Create Function App” wizard.
Select Flex Consumption as the hosting method, then choose the following options in the associated steps of the wizard.
Basics
- Function App Name: Select a function app name. The value you choose must be globally unique and will form part of the URL used to access the app. I chose mytestfunctionxyz123 as my name.
- Region: North Central US
- Runtime stack: Python
- Version: 3.12
- Instance size: 2048 MB
Storage
- Storage account: Create new
Azure OpenAI
- Does not need to be enabled
Networking
- Enable public access: On
- Enable virtual network integration: On
- Virtual Network: Select the existing network
- Inbound access: Enable private endpoints: Off
- Outbound access: Enable VNet integration: On
- Outbound subnet: You won't be able to use the default subnet, so select Create new and create a subnet within the existing virtual network associated with your instance. I called my new subnet funcsubnet and assigned it the range 10.0.1.0/24.
Monitoring
- Enable Application Insights: No
Deployment
- Continuous deployment: Disable
- Authentication Settings - Basic authentication: Disable
Authentication
- Accept the defaults for authentication for storage access
Tags
- Accept the defaults or set tags as required
Hit Create to start the wizard's deployment process; it will create the Function App and a few other required services for you.
Configure the Function App and network security group
Once the Function App deployment process is done there are a few config steps we need to complete in the Azure Portal.
In the settings of the newly created Function App, go to the “Environment variables” section and set the DESTINATION variable to the internal IP address of your C2 VM instance. This was 10.0.0.4 in my case.
It is also necessary to modify the network security group of the C2 VM instance to allow traffic from the network address range of the newly created subnet (10.0.1.0/24 in my case) to port 80 on the VM instance.
Deploy
Deployment will require installing and setting up the Azure CLI. We can deploy code to an existing Function App with the CLI using the zip file deployment approach, which uses a command in the format shown below. The command references the resource group and name of the function and the local zip file containing the source code to deploy in the App.
az functionapp deployment source config-zip -g <RESOURCE_GROUP> -n <FUNCTION_NAME> --src <CODE_ZIP_FILE>
Get the function code from here, clone it locally and change to the root of the source as your present working directory.
You can then make a zip file /tmp/dep.zip with the needed files from the repo like so.
zip -r /tmp/dep.zip ./function_app.py ./host.json ./requirements.txt
In my example case, I did the deployment using the following command, given my resource group of C2VM_group, function name mytestfunctionxyz123 and zip file of /tmp/dep.zip.
az functionapp deployment source config-zip -g C2VM_group -n mytestfunctionxyz123 --src /tmp/dep.zip
After deployment, the app was running at https://mytestfunctionxyz123.azurewebsites.net/.
The architecture looks like the following.
Conclusion
I intend to keep investigating Azure to see if there are any more ways to use their cloud services to forward for C2, and if I find more I’ll do a follow up post to discuss them. Are you aware of any? Let me know!