gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-05 19:32:24 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-post-exploitation/az

Browse Source
This commit is contained in:
Translator
2025-02-26 16:08:12 +00:00
parent e6915e1e7a
commit 7a9cbc990b
5 changed files with 142 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/SUMMARY.md
View File

@@ -454,7 +454,7 @@
- [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
- [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md)
- [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md)
- [Az - CosmosDB](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)
- [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md)
- [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md)
- [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md)
- [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md)
@@ -465,6 +465,7 @@
- [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md)
- [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md)
- [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md)
- [Az - Virtual Desktop Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md)
- [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md)
- [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md)
- [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md)

21
src/pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md Normal file
View File

@@ -0,0 +1,21 @@
# Az - VMs & Network Post Exploitation
{{#include ../../../banners/hacktricks-training.md}}
## Virtual Desktop
Kwa maelezo zaidi kuhusu Virtual Desktop angalia ukurasa ufuatao:
{{#ref}}
../az-services/az-virtual-desktop.md
{{#endref}}
### Mbinu za kawaida
- Overwrite a **MSIX package from the storage account** to get RCE in any VM using that app.
- In a remoteapp its possible to change the **path of the binary to execute**.
- **Escape from apps** to a shell to get RCE.
- Any post exploitation attack & persistence from **Azure VMs.**
- Its possible to **configure a script to be executed** in pool to apply custom configurations
{{#include ../../../banners/hacktricks-training.md}}

27
src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md
View File

@@ -4,14 +4,24 @@
## Azure Virtual Desktop Privesc
Kwa maelezo zaidi kuhusu Azure Virtual Desktop angalia:
{{#ref}}
../az-services/az-virtual-desktop.md
{{#endref}}
### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
Unaweza kupata token ya usajili inayotumika kujiandikisha mashine za virtual ndani ya host pool.
Unaweza kupata token ya usajili inayotumika kujiandikisha kwa mashine za virtual ndani ya host pool.
```bash
az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
```
### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
### Microsoft.Authorization/roleAssignments/read, Microsoft.Authorization/roleAssignments/write
Kwa ruhusa hizi unaweza kuongeza mgawanyiko wa mtumiaji kwenye kikundi cha Maombi, ambacho kinahitajika ili kufikia mashine ya virtual ya desktop ya virtual.
> [!WARNING]
> Mshambuliaji mwenye ruhusa hizi anaweza kufanya mambo hatari zaidi kuliko haya.
Kwa ruhusa hizi unaweza kuongeza mgawo wa mtumiaji kwenye kundi la Programu, ambalo linahitajika ili kufikia mashine ya virtual ya desktop ya virtual:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
@@ -22,12 +32,7 @@ az rest --method PUT \
}
}'
```
Zaidi ya hayo, unaweza kubadilisha mtumiaji wa mashine ya virtual na nenosiri ili kuweza kuifikia.
```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
Kumbuka kwamba ili mtumiaji aweze kufikia Desktop au programu, pia anahitaji jukumu la `Virtual Machine User Login` au `Virtual Machine Administrator Login` juu ya VM.
{{#include ../../../banners/hacktricks-training.md}}

32
src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
View File

@@ -13,7 +13,7 @@ Kwa maelezo zaidi kuhusu Azure Virtual Machines na Network angalia:
### **`Microsoft.Compute/virtualMachines/extensions/write`**
Ruhusa hii inaruhusu kutekeleza nyongeza katika mashine za virtual ambazo zinaruhusu **kutekeleza msimbo wowote juu yao**.\
Mfano wa kutumia nyongeza za kawaida kutekeleza amri zisizo za kawaida katika VM:
Mfano wa kutumia nyongeza za kawaida kutekeleza amri za kawaida katika VM:
{{#tabs }}
{{#tab name="Linux" }}
@@ -87,7 +87,7 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
{{#endtab }}
{{#endtabs }}
Pia inawezekana kutumia nyongeza maarufu kutekeleza msimbo au kufanya vitendo vya kibali ndani ya VMs:
Pia inawezekana kutumia nyongeza zinazojulikana vizuri kutekeleza msimbo au kufanya vitendo vya kibali ndani ya VMs:
<details>
@@ -105,7 +105,7 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
<summary>DesiredConfigurationState (DSC)</summary>
Hii ni **VM extensio**n inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika **kutekeleza amri za kawaida** katika Windows VMs kupitia nyongeza hii:
Hii ni **VM extensio**n inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika **kutekeleza amri zisizo na mipaka** katika Windows VMs kupitia nyongeza hii:
```bash
# Content of revShell.ps1
Configuration RevShellConfig {
@@ -251,7 +251,7 @@ az vm application set \
### `Microsoft.Compute/virtualMachines/runCommand/action`
Hii ndiyo njia ya msingi zaidi ambayo Azure inatoa ili **kutekeleza amri zisizo na mpangilio katika VMs:**
Hii ni njia ya msingi zaidi ambayo Azure inatoa ili **kutekeleza amri za kawaida katika VMs:**
{{#tabs }}
{{#tab name="Linux" }}
@@ -298,19 +298,19 @@ Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt
### `Microsoft.Compute/virtualMachines/login/action`
Ruhusa hii inaruhusu mtumiaji **kuingia kama mtumiaji kwenye VM kupitia SSH au RDP** (mradi uthibitishaji wa Entra ID umewezeshwa kwenye VM).
Ruhusa hii inamruhusu mtumiaji **kuingia kama mtumiaji kwenye VM kupitia SSH au RDP** (mradi uthibitisho wa Entra ID umewezeshwa kwenye VM).
Ingia kupitia **SSH** na **`az ssh vm --name <vm-name> --resource-group <rsc-group>`** na kupitia **RDP** na **vithibitisho vyako vya kawaida vya Azure**.
Ingia kupitia **SSH** kwa **`az ssh vm --name <vm-name> --resource-group <rsc-group>`** na kupitia **RDP** kwa **akidi zako za kawaida za Azure**.
### `Microsoft.Compute/virtualMachines/loginAsAdmin/action`
Ruhusa hii inaruhusu mtumiaji **kuingia kama mtumiaji kwenye VM kupitia SSH au RDP** (mradi uthibitishaji wa Entra ID umewezeshwa kwenye VM).
Ruhusa hii inamruhusu mtumiaji **kuingia kama mtumiaji kwenye VM kupitia SSH au RDP** (mradi uthibitisho wa Entra ID umewezeshwa kwenye VM).
Ingia kupitia **SSH** na **`az ssh vm --name <vm-name> --resource-group <rsc-group>`** na kupitia **RDP** na **vithibitisho vyako vya kawaida vya Azure**.
Ingia kupitia **SSH** kwa **`az ssh vm --name <vm-name> --resource-group <rsc-group>`** na kupitia **RDP** kwa **akidi zako za kawaida za Azure**.
## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi zote ni ruhusa muhimu za **kuunda VM yenye utambulisho maalum wa kusimamiwa** na kuacha **bandari wazi** (22 katika kesi hii). Hii inaruhusu mtumiaji kuunda VM na kuungana nayo na **kuiba token za utambulisho wa kusimamiwa** ili kupandisha mamlaka kwake.
Hizi zote ni ruhusa muhimu za **kuunda VM yenye utambulisho maalum wa kusimamiwa** na kuacha **bandari wazi** (22 katika kesi hii). Hii inamruhusu mtumiaji kuunda VM na kuungana nayo na **kuchukua token za utambulisho wa kusimamiwa** ili kupandisha mamlaka kwake.
Kulingana na hali, ruhusa zaidi au chache zinaweza kuhitajika ili kutumia mbinu hii.
```bash
@@ -343,14 +343,24 @@ az vm identity assign \
/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \
/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2
```
Kisha mshambuliaji anahitaji **kudhoofisha kwa namna fulani VM** ili kuiba tokens kutoka kwa utambulisho wa usimamizi uliotolewa. Angalia **maelezo zaidi katika**:
Kisha mshambuliaji anahitaji kuwa **amevunjika somehow VM** ili kuiba tokeni kutoka kwa utambulisho wa usimamizi uliotolewa. Angalia **maelezo zaidi katika**:
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
{{#endref}}
### "Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write"
Ruhusa hizi zinaruhusu kubadilisha mtumiaji wa mashine ya virtual na nenosiri ili kuweza kuipata:
```bash
az vm user update \
--resource-group <RESOURCE_GROUP_NAME> \
--name <VM_NAME> \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action
Kulingana na [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), ruhusa hii inakuwezesha kusimamia OS ya rasilimali yako kupitia Windows Admin Center kama msimamizi. Hivyo inaonekana kama hii inatoa ufikiaji wa WAC kudhibiti VMs...
Kulingana na [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), ruhusa hii inakuwezesha kudhibiti OS ya rasilimali yako kupitia Windows Admin Center kama msimamizi. Hivyo inaonekana hii inatoa ufikiaji wa WAC kudhibiti VMs...
{{#include ../../../banners/hacktricks-training.md}}

127
src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md
View File

@@ -9,56 +9,100 @@ Virtual Desktop ni **huduma ya virtualisasi ya desktop na programu**. Inaruhusu
### Host Pools
Host pools katika Azure Virtual Desktop ni makusanyo ya mashine za Azure virtual zilizowekwa kama wenyeji wa kikao, zikitoa desktops na programu za virtual kwa watumiaji. Kuna aina mbili kuu:
- **Personal host pools**, ambapo kila mashine ya virtual inatengwa kwa mtumiaji mmoja, ikiwa na mazingira yake
- **Pooled host pools**, ambapo watumiaji wengi wanashiriki rasilimali kwenye mwenyeji wa kikao yeyote iliyo na upatikanaji. Ina kikomo cha kikao kinachoweza kubadilishwa na usanidi wa mwenyeji wa kikao unaruhusu Azure Virtual Desktop kujiandaa mwenyeji wa kikao kulingana na usanidi
Kila host pool ina **token ya usajili** inayotumika kujiandikisha mashine za virtual ndani ya host pool.
- **Host pools za kibinafsi**, ambapo kila mashine ya virtual inatengwa kwa mtumiaji mmoja.
- Inaweza kuwekwa ili **msimamizi aweze kupeana** watumiaji maalum kwa VMs au kufanya hivyo **kiotomatiki**.
- Hii ni bora kwa watu wenye kazi nzito kwani kila mtu atakuwa na VM yake. Aidha, wataweza kuhifadhi faili na kuweka mipangilio kwenye diski ya OS na hizi zitaendelea kama **kila mtumiaji ana VM yake (mwenyeji)**.
### Application groups & Workspace
Application groups **zinadhibiti ufikiaji wa mtumiaji** kwa desktop kamili au seti maalum za programu zinazopatikana kwenye wenyeji wa kikao ndani ya host pool. Kuna aina mbili:
- **Desktop application groups**, ambazo zinawapa watumiaji ufikiaji wa desktop kamili ya Windows (inapatikana kwa host pools za kibinafsi na zilizoshirikiwa)
- **RemoteApp groups**, ambazo zinawaruhusu watumiaji kufikia programu binafsi zilizochapishwa (inapatikana tu kwa host pools zilizoshirikiwa).
Host pool inaweza kuwa na Desktop application group moja lakini ina RemoteApp groups nyingi. Watumiaji wanaweza kupewa majukumu katika application groups nyingi katika host pools tofauti. Ikiwa mtumiaji amepewa majukumu ya desktop na RemoteApp ndani ya host pool moja, wanaona tu rasilimali kutoka kwa aina ya kundi inayopendelea iliyowekwa na wasimamizi.
- **Host pools zilizoshirikiwa**, ambapo watumiaji wengi **wanashiriki rasilimali** kwenye wenyeji wa kikao waliopo.
- Inawezekana kuweka **idadi ya juu ya watumiaji** (kikao) kwa mwenyeji.
- Inawezekana **kuongeza VMs kwa mikono** kwa kutumia funguo za usajili, au **kuruhusu Azure kujiendesha kiotomatiki** idadi ya wenyeji bila kuwa na chaguo la kuongeza VMs kwa kutumia funguo za usajili. Haiwezekani kujiendesha kiotomatiki VMs kwa host pools za kibinafsi.
- Ili kuhifadhi faili katika vikao vya watumiaji, inahitajika kutumia **FSlogix**.
A **workspace** ni **mkusanyiko wa application groups**, ikiruhusu watumiaji kufikia desktops na application groups zilizotolewa kwao. Kila application group lazima iunganishwe na workspace, na inaweza kuwa chini ya workspace moja tu kwa wakati mmoja.
### Session Hosts
Hizi ni **VMs ambazo watumiaji wataungana nazo.**
- Ikiwa kujiendesha kiotomatiki kumechaguliwa, kigezo kitaandaliwa na **sifa za wenyeji** ambazo zinahitaji kuundwa kwa pool.
- Ikiwa sivyo, unapounda Host pool inawezekana kuashiria **sifa na idadi ya VMs** unazotaka kuunda na Azure itaunda na kuziongeza kwako.
Vipengele vikuu vya **kuweka VMs** ni:
- Jina la **prefix** la VMs mpya
- Aina ya **VM**: Hii inaweza kuwa “Azure virtual machine” (kutumia Azure VMs) au “Azure Local virtual machine” ambayo inaruhusu wenyeji kupelekwa kwenye tovuti au kwenye ukingo.
- Mahali, maeneo, chaguzi za usalama za VM, picha, CPU, kumbukumbu, ukubwa wa Diski…
- **VNet, kundi la usalama na bandari** za kufichua kwa mtandao
- Inawezekana kuweka akidi za kujiunga kiotomatiki na **AD domain**, au kutumia Entra ID directory
- Ikiwa ni Entra ID, inawezekana kiotomatiki **kujiandikisha VM mpya katika Intune**
- Inahitajika kuweka **jina la mtumiaji wa msimamizi na nenosiri** isipokuwa Azure itajiendesha wenyeji, katika kesi hiyo **siri inapaswa kuwekwa na jina la mtumiaji na nyingine na nenosiri**
- Inawezekana **kuweka script itakayotekelezwa** kwa usanidi wa kawaida
### Application Groups
**Makundi ya programu** yanadhibiti ufikiaji wa mtumiaji kwa desktop kamili au seti maalum za programu zinazopatikana kwenye wenyeji wa kikao ndani ya pool ya mwenyeji.
Kuna aina mbili za makundi ya programu:
- **Makundi ya programu za desktop**, ambayo yanawapa watumiaji ufikiaji wa desktops kamili za Windows na programu zilizounganishwa.
- **Makundi ya RemoteApp**, ambayo yanaruhusu watumiaji kufikia programu binafsi.
- Haiwezekani kupeana aina hii ya kundi la programu kwa Pool ya Kibinafsi.
- Inahitajika kuashiria njia ya binary ya kutekeleza ndani ya VM.
Pool iliyoshirikiwa inaweza kuwa na **kundi moja la programu za Desktop** na **makundi mengi ya RemoteApp** na watumiaji wanaweza kupewa makundi mengi ya programu katika pools tofauti za wenyeji.
Wakati mtumiaji **anapopewa ufikiaji** anapewa jukumu **`Desktop Virtualization User`** juu ya kundi la programu.
### Workspaces & Connections
**Workspace** ni mkusanyiko wa makundi ya programu.
Ili **kuungana** na Desktop au programu zilizotolewa inawezekana kufanya hivyo kutoka [https://windows365.microsoft.com/ent#/devices](https://windows365.microsoft.com/ent#/devices)
Na kuna njia nyingine zilizoelezwa kwenye [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client)
Wakati mtumiaji anafikia akaunti yake atawasilishwa **kwa kutenganishwa na workspaces kila kitu alichonacho**. Hivyo, inahitajika kuongeza **kila kundi la programu katika workspace moja** ili ufikiaji ulioainishwa uwe wazi.
Ili mtumiaji aweze kufikia Desktop au programu, pia anahitaji jukumu **`Virtual Machine User Login`** au **`Virtual Machine Administrator Login`** juu ya VM.
### Managed Identities
Haiwezekani kupeana utambulisho wa kusimamiwa kwa host pools hivyo VMs zilizoundwa ndani ya pool zitakuwa nazo.
Hata hivyo, inawezekana **kupeana utambulisho wa mfumo na wa mtumiaji kwa VMs** na kisha kufikia tokeni kutoka kwa metadata. Kwa kweli, baada ya kuzindua host pools kutoka kwenye wavuti, VMs 2 zilizoundwa zina utambulisho wa kusimamiwa wa mfumo ulioanzishwa (ingawa haina ruhusa yoyote).
### Key Features
- **Flexible VM Creation**: Unda mashine za Azure virtual moja kwa moja au ongeza mashine za Azure Local baadaye.
- **Security Features**: Wezesha Trusted Launch (boot salama, vTPM, ufuatiliaji wa uaminifu) kwa usalama wa juu wa VM (mtandao wa virtual unahitajika). Inaweza kuunganishwa na Azure Firewall na kudhibiti trafiki kupitia Makundi ya Usalama wa Mtandao.
- **Domain Join**: Msaada wa kujiunga na Active Directory domain kwa usanidi unaoweza kubadilishwa.
- **Diagnostics & Monitoring**: Wezesha Mipangilio ya Diagnostic ili kutiririsha kumbukumbu na vipimo kwa Log Analytics, akaunti za hifadhi, au vituo vya matukio kwa ufuatiliaji.
- **Custom image templates**: Unda na usimamie ili kuzitumia unapoongeza wenyeji wa kikao. Ongeza urahisi wa kawaida au scripts zako za kawaida.
- **Workspace Registration**: Rahisi kujiandikisha kwa application groups za desktop za default kwa workspaces mpya au zilizopo kwa usimamizi rahisi wa ufikiaji wa mtumiaji.
### Enumeration
```bash
az extension add --name desktopvirtualization
# List HostPool of a Resource group
az desktopvirtualization hostpool list --resource-group <Resource_Group>
# List HostPools
az desktopvirtualization hostpool list
# List Workspaces
az desktopvirtualization workspace list
# List Application Groups
az desktopvirtualization applicationgroup list --resource-group <Resource_Group>
# List Application Groups By Subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
az desktopvirtualization applicationgroup list
# List Applications in a Application Group
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
# Check if Desktops are enabled
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
# List Assigned Users to the Application Group
az rest \
--method GET \
--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions/<subscription_id_in_lowercase>/resourcegroups/<resource_group_name_in_lowercase>/providers/microsoft.desktopvirtualization/applicationgroups/<app_group_name_in_lowercase>")'
# List hosts
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
# List Workspace in a resource group
az desktopvirtualization workspace list --resource-group <Resource_Group>
# List Workspace in a subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"
# List App Attach Package By Resource Group
# List App Attach packages
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List App Attach Package By Subscription
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
# List user sessions
az rest --method GET --url "https://management.azure.com/ssubscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostpools/{hostPoolName}/sessionhosts/{hostPoolHostName}/userSessions?api-version=2024-04-03"
# List Desktops
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
@@ -68,34 +112,27 @@ az rest --method GET --url "https://management.azure.com/subscriptions/{subscrip
# List private endpoint connections associated with hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
# List private endpoint connections associated By Workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"
# List the private link resources available for a hostpool.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
# List the private link resources available for this workspace.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"
# List sessionHosts/virtual machines.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
# List start menu items in the given application group.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"
# List userSessions.
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
# List userSessions By Host Pool
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"
```
### Connection
Ili kuungana na desktop ya virtual kupitia wavuti unaweza kufikia kupitia https://client.wvd.microsoft.com/arm/webclient/ (ya kawaida zaidi), au https://client.wvd.microsoft.com/webclient/index.html (kijadi) Kuna njia nyingine ambazo zimeelezewa hapa [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows)
## Privesc
{{#ref}}
../az-privilege-escalation/az-virtual-desktop-privesc.md
{{#endref}}
## Post Exploitation & Persistence
{{#ref}}
../az-post-exploitation/az-virtual-desktop-post-exploitation.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}