From c8c09b0abb91c6c21069ab47eee8ede1aec107ef Mon Sep 17 00:00:00 2001
From: Jimmy
Date: Tue, 25 Feb 2025 12:37:08 +0100
Subject: [PATCH] vitualdesktop

---
 src/SUMMARY.md | 2 +
 .../az-virtual-desktop-privesc.md | 38 +++++++
 .../az-services/az-virtual-desktop.md | 102 ++++++++++++++++++
 3 files changed, 142 insertions(+)
 create mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md
 create mode 100644 src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md

diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index f01c6fd03..407b58b19 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -431,6 +431,7 @@
 - [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md)
 - [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md)
 - [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
+ - [Az - Virtual Desktop](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop.md)
 - [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md)
 - [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
 - [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
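Review bot: The new `Az - Virtual Desktop` sidebar entry links to `pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop.md`, but the diffstat shows the file is created at `src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md`, so this link will resolve to nothing. Change it to `- [Az - Virtual Desktop](pentesting-cloud/azure-security/az-services/az-virtual-desktop.md)`, matching the sibling `az-services` entries around it.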
@@ -485,6 +486,7 @@
 - [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md)
 - [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
 - [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
+ - [Az - Virtual Desktop Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md)
 - [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
 - [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
 - [Az - Automation Accounts Persistence](pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md)
diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md
new file mode 100644
index 000000000..9500e4756
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md
@@ -0,0 +1,38 @@
+# Az - Virtual Desktop Privesx
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Virtual Desktop Privesc
+
+### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
+You can retrieve the registration token used to register virtual machines within an host pool.
+
+```bash
+az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
+```
+
+### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
+
+With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop.
+```bash
+az rest --method PUT \
+ --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//providers/Microsoft.Authorization/roleAssignments/?api-version=2022-04-01" \
+ --body '{
+ "properties": {
+ "roleDefinitionId": "/subscriptions//providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
+ "principalId": ""
+ }
+ }'
+```
+
+Additionally you can change the virtual machine user and password to access it
+```bash
+az vm user update \
+ --resource-group \
+ --name \
+ --username \
+ --password
+```
+
+{{#include ../../../banners/hacktricks-training.md}}
+
diff --git a/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md
new file mode 100644
index 000000000..5aa89230b
--- /dev/null
+++ b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md
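Review bot: The `az rest --method PUT` role-assignment example has empty path segments (`/subscriptions//resourceGroups//...applicationGroups//...roleAssignments/?api-version=...`) and an empty `principalId`, so as committed it cannot be run; if placeholders were lost, restore `<subscriptionId>`, `<resourceGroup>`, `<appGroupName>`, use a freshly generated GUID (`uuidgen`) as the role-assignment name, and say that `1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63` is, as far as I can tell, the built-in Desktop Virtualization User role so readers know what they are granting. `Microsoft.Authorization/roleAssignments/write` at that scope already lets the caller assign any role on the application group, so the heading's permission set is stronger than the example suggests and worth saying so. The `az vm user update --password` step resets an existing local account's password on the session host through the VMAccess extension (which is why `virtualMachines/extensions/write` is listed); it locks out the legitimate user and is recorded in the activity log, so add `# WARNING: overwrites the account password on the session host - disruptive and noisy` above it. The registration-token section should state the impact too: the token is what lets a VM join the host pool as a session host, so a holder can presumably register a machine they control and receive user sessions — confirm against the AVD docs before asserting it. Title typo: `Privesx` should be `Privesc`.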
@@ -0,0 +1,102 @@
+# Az - Virtual Desktop
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Azure Virtual Desktop
+
+Virtual Desktop is a **desktop and app virtualization service**. It enables to deliver full Windows desktops, including Windows 11, Windows 10, or Windows Server to users remotely, either as individual desktops or through individual applications. It supports single-session setups for personal use and multi-session environments Users can connect from virtually any device using native apps or a web browser.
+
+### Host Pools
+
+Host pools in Azure Virtual Desktop are collections of Azure virtual machines configured as session hosts, providing virtual desktops and apps to users. There are two main types:
+ - **Personal host pools**, where each virtual machine is dedicated to a single user, with its environments
+ - **Pooled host pools**, where multiple users share resources on any available session host. It has a configurable session limit and a session host configuration lets Azure Virtual Desktop automate the creation of session hosts based on a configuration
+
+Every host pool has a **registration token** is used to register virtual machines within an host pool.
+
+### Application groups & Workspace
+Application groups **control user access** to either a full desktop or specific sets of applications available on session hosts within a host pool. There are two types:
+ - **Desktop application groups**, which give users access to a complete Windows desktop (available with both personal and pooled host pools)
+ - **RemoteApp groups**, which allow users to access individual published applications (available only with pooled host pools).
+A host pool can have one Desktop application group but multiple RemoteApp groups. Users can be assigned to multiple application groups across different host pools. If a user is assigned both desktop and RemoteApp groups within the same host pool, they only see resources from the preferred group type set by administrators.
+
+A **workspace** is a **collection of application groups**, allowing users to access the desktops and application groups assigned to them. Each application group must be linked to a workspace, and it can only belong to one workspace at a time.
+
+### Key Features
+ - **Flexible VM Creation**: Create Azure virtual machines directly or add Azure Local virtual machines later.
+ - **Security Features**: Enable Trusted Launch (secure boot, vTPM, integrity monitoring) for advanced VM security (a virtual network is needed). Can integrate Azure Firewall and control traffic via Network Security Groups.
+ - **Domain Join**: Support for Active Directory domain joins with customizable configurations.
+ - **Diagnostics & Monitoring**: Enable Diagnostic Settings to stream logs and metrics to Log Analytics, storage accounts, or event hubs for monitoring.
+ - **Custom image templates**: Create and manage them to use when adding session hosts. Easily add common customizations or your own custom scripts.
+ - **Workspace Registration**: Easily register default desktop application groups to new or existing workspaces for simplified user access management.
+
+### Enumeration
+
+```bash
+az extension add --name desktopvirtualization
+
+# List HostPool of a Resource group
+az desktopvirtualization hostpool list --resource-group
+
+# List Application Groups
+az desktopvirtualization applicationgroup list --resource-group
+# List Application Groups By Subscription
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
+# List Applications in a Application Group
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
+# List Assigned Users to the Application Group
+az rest \
+ --method GET \
+ --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
+| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions//resourcegroups//providers/microsoft.desktopvirtualization/applicationgroups/")'
+
+
+# List Workspace in a resource group
+az desktopvirtualization workspace list --resource-group
+# List Workspace in a subscription
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"
+
+# List App Attach Package By Resource Group
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
+# List App Attach Package By Subscription
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
+
+# List Desktops
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
+
+# List MSIX Packages
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/msixPackages?api-version=2024-04-03"
+
+# List private endpoint connections associated with hostpool.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
+# List private endpoint connections associated By Workspace.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"
+
+# List the private link resources available for a hostpool.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
+# List the private link resources available for this workspace.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"
+
+# List sessionHosts/virtual machines.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
+
+# List start menu items in the given application group.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"
+
+# List userSessions.
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
+# List userSessions By Host Pool
+az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"
+
+```
+
+### Connection
+
+## Privesc
+
+{{#ref}}
+../az-privilege-escalation/az-virtual-desktop-privesc.md
+{{#endref}}
+
+{{#include ../../../banners/hacktricks-training.md}}
+
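Review bot: The `# List Assigned Users to the Application Group` pipeline keeps only assignments whose `properties.scope` equals the application group itself, so users who hold Desktop Virtualization User (or any role) via a resource-group or subscription scope assignment are silently missed, which is exactly the inherited access an enumeration step should surface; `az role assignment list --scope <appGroupResourceId> --include-inherited --include-groups -o table` returns direct and inherited assignments without the `jq` scope filter. The filter also compares against a literal that is empty in the hunk (`/subscriptions//resourcegroups//.../applicationgroups/`), so if placeholders were lost it needs the full lower-cased resource ID to match anything. The `### Connection` heading is left with no body; either drop it or add how an assigned user actually reaches the desktop (workspace feed in the Remote Desktop or web client), since the privesc page relies on that step. Two wording fixes in the intro: `multi-session environments Users can connect` runs two sentences together, and `Every host pool has a registration token is used to` needs `that` before `is used`.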