From 20273b8800f60eda9f47593534276d97806ef034 Mon Sep 17 00:00:00 2001 From: Translator Date: Tue, 25 Feb 2025 21:58:03 +0000 Subject: [PATCH] Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation --- src/SUMMARY.md | 5 +- .../az-virtual-desktop-privesc.md | 33 ++++++ .../az-services/az-virtual-desktop.md | 102 ++++++++++++++++++ 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md create mode 100644 src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index c9736abf4..17ab8f63d 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -431,6 +431,7 @@ - [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md) - [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md) - [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md) + - [Az - Virtual Desktop](pentesting-cloud/azure-security/az-services/az-virtual-desktop.md) - [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md) - [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md) - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md) 
@@ -485,11 +486,13 @@ - [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md) - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md) + - [Az - Virtual Desktop Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md) - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md) - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) - [Az - Automation Accounts Persistence](pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md) - [Az - Cloud Shell Persistence](pentesting-cloud/azure-security/az-persistence/az-cloud-shell-persistence.md) - - [Az - Queue SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistence.md) + - [Az - Logic Apps Persistence](pentesting-cloud/azure-security/az-persistence/az-logic-apps-persistence.md) + - [Az - SQL Persistence](pentesting-cloud/azure-security/az-persistence/az-sql-persistence.md) - [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistence.md) - [Az - VMs Persistence](pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md) - [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md new file mode 100644 index 000000000..4648e7edf --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md 
@@ -0,0 +1,33 @@ +# Az - Virtual Desktop Privesx + +{{#include ../../../banners/hacktricks-training.md}} + +## Azure Virtual Desktop Privesc + +### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action` +您可以检索用于在主机池中注册虚拟机的注册令牌。 +```bash +az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1 +``` +### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write") + +通过这些权限,您可以将用户分配添加到应用程序组,这对于访问虚拟桌面的虚拟机是必需的。 +```bash +az rest --method PUT \ +--uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//providers/Microsoft.Authorization/roleAssignments/?api-version=2022-04-01" \ +--body '{ +"properties": { +"roleDefinitionId": "/subscriptions//providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63", +"principalId": "" +} +}' +``` +此外,您可以更改虚拟机的用户和密码以访问它。 +```bash +az vm user update \ +--resource-group \ +--name \ +--username \ +--password +``` +{{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md new file mode 100644 index 000000000..7394814ab --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md 
@@ -0,0 +1,102 @@ +# Az - Virtual Desktop + +{{#include ../../../banners/hacktricks-training.md}} + +## Azure Virtual Desktop + +Virtual Desktop 是一个 **桌面和应用虚拟化服务**。它使得能够远程交付完整的 Windows 桌面,包括 Windows 11、Windows 10 或 Windows Server,给用户,既可以作为单独的桌面,也可以通过单独的应用程序。它支持个人使用的单会话设置和多会话环境。用户可以使用本地应用程序或网页浏览器从几乎任何设备连接。 + +### Host Pools + +Azure Virtual Desktop 中的主机池是配置为会话主机的 Azure 虚拟机集合,为用户提供虚拟桌面和应用程序。主要有两种类型: +- **个人主机池**,每个虚拟机专用于单个用户,具有其环境 +- **共享主机池**,多个用户共享任何可用会话主机上的资源。它具有可配置的会话限制和会话主机配置,允许 Azure Virtual Desktop 根据配置自动创建会话主机。 + +每个主机池都有一个 **注册令牌**,用于在主机池内注册虚拟机。 + +### Application groups & Workspace +应用程序组 **控制用户访问** 完整桌面或主机池内会话主机上可用的特定应用程序集。主要有两种类型: +- **桌面应用程序组**,允许用户访问完整的 Windows 桌面(在个人和共享主机池中均可用) +- **RemoteApp 组**,允许用户访问单个发布的应用程序(仅在共享主机池中可用)。 +一个主机池可以有一个桌面应用程序组,但可以有多个 RemoteApp 组。用户可以被分配到不同主机池中的多个应用程序组。如果用户在同一主机池中同时被分配了桌面和 RemoteApp 组,他们只会看到管理员设置的首选组类型中的资源。 + +一个 **工作区** 是一个 **应用程序组的集合**,允许用户访问分配给他们的桌面和应用程序组。每个应用程序组必须链接到一个工作区,并且一次只能属于一个工作区。 + +### Key Features +- **灵活的虚拟机创建**:直接创建 Azure 虚拟机或稍后添加 Azure 本地虚拟机。 +- **安全功能**:启用受信任启动(安全启动、vTPM、完整性监控)以增强虚拟机安全性(需要虚拟网络)。可以集成 Azure 防火墙并通过网络安全组控制流量。 +- **域加入**:支持 Active Directory 域加入,具有可自定义的配置。 +- **诊断与监控**:启用诊断设置,将日志和指标流式传输到 Log Analytics、存储帐户或事件中心进行监控。 +- **自定义映像模板**:创建和管理它们以在添加会话主机时使用。轻松添加常见自定义或您自己的自定义脚本。 +- **工作区注册**:轻松将默认桌面应用程序组注册到新的或现有的工作区,以简化用户访问管理。 + +### Enumeration +```bash +az extension add --name desktopvirtualization + +# List HostPool of a Resource group +az desktopvirtualization hostpool list --resource-group + +# List Application Groups +az desktopvirtualization applicationgroup list --resource-group +# List Application Groups By Subscription +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03" +# List Applications in a Application Group +az rest --method GET --url 
"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03" +# List Assigned Users to the Application Group +az rest \ +--method GET \ +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \ +| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions//resourcegroups//providers/microsoft.desktopvirtualization/applicationgroups/")' + + +# List Workspace in a resource group +az desktopvirtualization workspace list --resource-group +# List Workspace in a subscription +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03" + +# List App Attach Package By Resource Group +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03" +# List App Attach Package By Subscription +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03" + +# List Desktops +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03" + +# List MSIX Packages +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/msixPackages?api-version=2024-04-03" + +# List private endpoint connections associated with 
hostpool. +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03" +# List private endpoint connections associated By Workspace. +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03" + +# List the private link resources available for a hostpool. +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03" +# List the private link resources available for this workspace. +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03" + +# List sessionHosts/virtual machines. +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03" + +# List start menu items in the given application group. +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03" + +# List userSessions. 
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03" +# List userSessions By Host Pool +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03" + +``` +### 连接 + +要通过网络连接到虚拟桌面,您可以通过 https://client.wvd.microsoft.com/arm/webclient/(最常见)或 https://client.wvd.microsoft.com/webclient/index.html(经典)访问。 +还有其他方法在这里描述 [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows) + +## 权限提升 + +{{#ref}} +../az-privilege-escalation/az-virtual-desktop-privesc.md +{{#endref}} + +{{#include ../../../banners/hacktricks-training.md}}
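Review bot: in the second `src/SUMMARY.md` hunk (`@@ -485,11 +486,13 @@`), the new `- [Az - Logic Apps Persistence](pentesting-cloud/azure-security/az-persistence/az-logic-apps-persistence.md)` entry points at a file this patch does not add: the diffstat lists only `src/SUMMARY.md` and the two new Virtual Desktop pages, so unless that page already exists in the tree the link is dangling. Either drop the entry from this translation commit or include the file. The rename of `Az - Queue SQL Persistence` to `Az - SQL Persistence` (same target path) is a good fix but is not mentioned in the commit subject, which only names the Virtual Desktop privesc page; worth stating in the message.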
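Review bot: in the new `az-virtual-desktop-privesc.md`, the `az rest --method PUT` URI and the `az vm user update` call have lost their placeholders (`/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//...`, `--resource-group \`, `--name \`, `--username \`, `--password`), most likely angle-bracket placeholders stripped during translation, so neither command can be used as printed; use the `{subscriptionId}`/`{resourceGroupName}` style that the companion `az-virtual-desktop.md` file already uses. Two smaller points: the title reads `# Az - Virtual Desktop Privesx` (typo for `Privesc`, as in the `## Azure Virtual Desktop Privesc` heading directly below it), and the hard-coded `roleDefinitionId` GUID in the request body is not explained; a comment naming the built-in role it maps to would make the request self-documenting and help a reviewer recognise what is being granted.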
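Review bot: the enumeration block in the new `az-virtual-desktop.md` is inconsistent about placeholders: most REST URLs use `{subscriptionId}`/`{resourceGroupName}`/`{applicationGroupName}`, but `az desktopvirtualization hostpool list --resource-group`, `az desktopvirtualization applicationgroup list --resource-group`, `az desktopvirtualization workspace list --resource-group` and the role-assignment `az rest` call end with empty values (`/subscriptions//resourceGroups//providers/...`), and the `jq` `select` compares against an equally empty scope string (`/subscriptions//resourcegroups//providers/microsoft.desktopvirtualization/applicationgroups/`), so that filter would match nothing; restore the placeholders so every command is runnable after substitution. Translation consistency: `### Host Pools`, `### Application groups & Workspace`, `### Key Features` and `### Enumeration` are left in English while `### 连接` and `## 权限提升` are translated; pick one convention for the file.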