From d54cb2b5ff672c182af24dbfb86178349fb0437f Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Wed, 26 Feb 2025 16:50:45 +0100 Subject: [PATCH] virtual desktops --- src/SUMMARY.md | 3 +- .../az-virtual-desktop-post-exploitation.md | 24 ++++ .../az-virtual-desktop-privesc.md | 25 ++-- ...az-virtual-machines-and-network-privesc.md | 12 ++ .../az-services/az-virtual-desktop.md | 128 +++++++++++------- 5 files changed, 135 insertions(+), 57 deletions(-) create mode 100644 src/pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 17ab8f63d..54f1ce76a 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -454,7 +454,7 @@ - [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md) - [Az - Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/README.md) - [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) - - [Az - CosmosDB](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md) + - [Az - CosmosDB Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-cosmosDB-post-exploitation.md) - [Az - File Share Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md) - [Az - Function Apps Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md) - [Az - Key Vault Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md) 
@@ -465,6 +465,7 @@ - [Az - Service Bus Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md) - [Az - Table Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md) - [Az - SQL Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md) + - [Az - Virtual Desktop Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md) - [Az - VMs & Network Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md) - [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) - [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md new file mode 100644 index 000000000..c3085107e --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md 
@@ -0,0 +1,24 @@ +# Az - VMs & Network Post Exploitation + +{{#include ../../../banners/hacktricks-training.md}} + +## Virtual Desktop + +For more info about Virtual Desktop check the following page: + +{{#ref}} +../az-services/az-virtual-desktop.md +{{#endref}} + +### Common techniques + +- Overwrite a **MSIX package from the storage account** to get RCE in any VM using that app. +- In a remoteapp it’s possible to change the **path of the binary to execute**. +- **Escape from apps** to a shell to get RCE. +- Any post exploitation attack & persistence from **Azure VMs.** +- It’s possible to **configure a script to be executed** in pool to apply custom configurations + +{{#include ../../../banners/hacktricks-training.md}} + + + diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md index 9500e4756..beaa3cd3e 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md @@ -4,6 +4,13 @@ ## Azure Virtual Desktop Privesc +For more info about Azure Virtual Desktop check: + +{{#ref}} +../az-services/az-virtual-desktop.md +{{#endref}} + + ### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action` You can retrieve the registration token used to register virtual machines within an host pool. 
@@ -11,9 +18,13 @@ You can retrieve the registration token used to register virtual machines within az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1 ``` -### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write") +### Microsoft.Authorization/roleAssignments/read, Microsoft.Authorization/roleAssignments/write + +> [!WARNING] +> An attacker with these permissions could do things much more dangerous than this one. + +With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop: -With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop. ```bash az rest --method PUT \ --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//providers/Microsoft.Authorization/roleAssignments/?api-version=2022-04-01" \ @@ -25,14 +36,8 @@ az rest --method PUT \ }' ``` -Additionally you can change the virtual machine user and password to access it -```bash -az vm user update \ - --resource-group \ - --name \ - --username \ - --password -``` +Note that in order for a user to be able to access a Desktop or an app, he also needs the role `Virtual Machine User Login` or `Virtual Machine Administrator Login` over the VM. + {{#include ../../../banners/hacktricks-training.md}} diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index f4b466aec..fac4726ca 100644 
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -375,6 +375,18 @@ Then the attacker needs to have **compromised somehow the VM** to steal tokens f https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm {{#endref}} +### "Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write" + +These permissions allow to change the virtual machine user and password to access it: + +```bash +az vm user update \ + --resource-group \ + --name \ + --username \ + --password +``` + ### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs... diff --git a/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md index 3cd678a91..9e15689c6 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md +++ b/src/pentesting-cloud/azure-security/az-services/az-virtual-desktop.md 
@@ -9,57 +9,101 @@ Virtual Desktop is a **desktop and app virtualization service**. It enables to d ### Host Pools Host pools in Azure Virtual Desktop are collections of Azure virtual machines configured as session hosts, providing virtual desktops and apps to users. There are two main types: - - **Personal host pools**, where each virtual machine is dedicated to a single user, with its environments - - **Pooled host pools**, where multiple users share resources on any available session host. It has a configurable session limit and a session host configuration lets Azure Virtual Desktop automate the creation of session hosts based on a configuration -Every host pool has a **registration token** is used to register virtual machines within an host pool. +- **Personal host pools**, where each virtual machine is dedicated to a single user. + - It can be configured so the **admin can assign** specific users to VMs or having this done **automatically**. + - This is ideal for people with intensive workloads as each person will have its own VM. Moreover, they will be able to store files and configure settings in the OS disk and these will persist as **each user has its own VM (host)**. -### Application groups & Workspace -Application groups **control user access** to either a full desktop or specific sets of applications available on session hosts within a host pool. There are two types: - - **Desktop application groups**, which give users access to a complete Windows desktop (available with both personal and pooled host pools) - - **RemoteApp groups**, which allow users to access individual published applications (available only with pooled host pools). -A host pool can have one Desktop application group but multiple RemoteApp groups. Users can be assigned to multiple application groups across different host pools. If a user is assigned both desktop and RemoteApp groups within the same host pool, they only see resources from the preferred group type set by administrators. 
+- **Pooled host pools**, where multiple **users share resources** on available session hosts. + - It’s possible to configure a **maximum number of users** (sessions) per host. + - It’s possible to **add VMs manually** using a registration keys, or **allow Azure to automatically scale** the number of hosts without having the option of adding VMs using the registration key. It’s not possible to automatically scale VMs for personal pools. + - To persist files in users sessions, it’s needed to use **FSlogix**. -A **workspace** is a **collection of application groups**, allowing users to access the desktops and application groups assigned to them. Each application group must be linked to a workspace, and it can only belong to one workspace at a time. +### Session Hosts + +These are the **VMs that users will connect to.** + +- If automated scaling was selected, a template will be created with the **characteristics of the hosts** that need to be created for the pool. +- If not, when creating the Host pool it’s possible to indicate the **characteristics and the number of VMs** you want to create and Azure will create and add them for you. + +The main features to **configure the VMs** are: + +- The **prefix** name of the new VMs +- The **VM type**: This can be “Azure virtual machine” (to use Azure VMs) or “Azure Local virtual machine” which allow hosts to be deployed on-premises or at the edge. 
+- The location, zones, VM security options, image, CPU, memory, Disk size… +- The **VNet, security group and ports** to expose to the internet +- It’s possible to set credentials to automatically **join an AD domain**, or use Entra ID directory + - If Entra ID, It’s possible to automatically **enroll the new VM in Intune** +- It’s needed to set an **administrator username and password** unless Azure will scale the hosts, in that case a **secret must be configured with the username and another one with the password** +- It’s possible to **configure a script to be executed** for custom configuration + +### Application Groups + +**Application groups** control user access to either a full desktop or specific sets of applications available on session hosts within a host pool. + +There are two types of application groups: + +- **Desktop application groups**, which give users access to a complete Windows desktops and attached apps. +- **RemoteApp groups**, which allow users to access individual applications. + - It’s not possible to assign this kind of application group to a Personal Pool. + - It’s needed to indicate the path to the binary to execute inside the VM. + +A Pooled Pool can have **one Desktop application** group and **multiple RemoteApp groups** and users can be assigned to multiple application groups across different host pools. + +When a user is **granted access** it’s given the role **`Desktop Virtualization User`** over the application group. + +### Workspaces & Connections + +A **workspace** is a collection of application groups. 
+ +In order to **connect** to the Desktop or apps assigned it’s possible to do so from [https://windows365.microsoft.com/ent#/devices](https://windows365.microsoft.com/ent#/devices) +And there are other methods described on [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client) + +When a user access his account he is going to be **presented separated by workspaces everything he has access to**. Therefore, it’s needed to add **each application group to one workspace** in order for the defined accesses to be visible. + +In order for a user to be able to access a Desktop or an app, he also needs the role **`Virtual Machine User Login`** or **`Virtual Machine Administrator Login`** over the VM. + +### Managed Identities + +It’s not possible to assign managed identities to host pools so the created VMs inside a pool will have them. +However, it’s possible to **assign system and user managed identities to the VMs** and then access the tokens from the metadata. Actually, after launching the host pools form the web, the 2 generated VMs have the system assigned managed identity enabled (although it doesn’t have any permissions). -### Key Features - - **Flexible VM Creation**: Create Azure virtual machines directly or add Azure Local virtual machines later. - - **Security Features**: Enable Trusted Launch (secure boot, vTPM, integrity monitoring) for advanced VM security (a virtual network is needed). Can integrate Azure Firewall and control traffic via Network Security Groups. - - **Domain Join**: Support for Active Directory domain joins with customizable configurations. - - **Diagnostics & Monitoring**: Enable Diagnostic Settings to stream logs and metrics to Log Analytics, storage accounts, or event hubs for monitoring. - - **Custom image templates**: Create and manage them to use when adding session hosts. 
Easily add common customizations or your own custom scripts. - - **Workspace Registration**: Easily register default desktop application groups to new or existing workspaces for simplified user access management. ### Enumeration ```bash az extension add --name desktopvirtualization -# List HostPool of a Resource group -az desktopvirtualization hostpool list --resource-group +# List HostPools +az desktopvirtualization hostpool list + +# List Workspaces +az desktopvirtualization workspace list # List Application Groups -az desktopvirtualization applicationgroup list --resource-group -# List Application Groups By Subscription -az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03" +az desktopvirtualization applicationgroup list + # List Applications in a Application Group az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03" + +# Check if Desktops are enabled +az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03" + # List Assigned Users to the Application Group az rest \ --method GET \ --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.DesktopVirtualization/applicationGroups//providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \ | jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions//resourcegroups//providers/microsoft.desktopvirtualization/applicationgroups/")' +# List hosts +az rest --method GET --url 
"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03" -# List Workspace in a resource group -az desktopvirtualization workspace list --resource-group -# List Workspace in a subscription -az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03" - -# List App Attach Package By Resource Group +# List App Attach packages az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03" -# List App Attach Package By Subscription -az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03" + +# List user sessions +az rest --method GET --url "https://management.azure.com/ssubscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostpools/{hostPoolName}/sessionhosts/{hostPoolHostName}/userSessions?api-version=2024-04-03" + # List Desktops az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03" 
@@ -69,37 +113,29 @@ az rest --method GET --url "https://management.azure.com/subscriptions/{subscrip # List private endpoint connections associated with hostpool. az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03" + # List private endpoint connections associated By Workspace. az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03" # List the private link resources available for a hostpool. az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03" + # List the private link resources available for this workspace. az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03" - -# List sessionHosts/virtual machines. -az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03" - -# List start menu items in the given application group. -az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03" - -# List userSessions. 
-az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03" -# List userSessions By Host Pool -az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03" - ``` -### Connection - -To connect to the virtual desktop via web you can access through https://client.wvd.microsoft.com/arm/webclient/ (most common), or https://client.wvd.microsoft.com/webclient/index.html (classic) -There are other methods that are described here [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows) - ## Privesc {{#ref}} ../az-privilege-escalation/az-virtual-desktop-privesc.md {{#endref}} +## Post Exploitation & Persistence + +{{#ref}} +../az-post-exploitation/az-virtual-desktop-post-exploitation.md +{{#endref}} + + {{#include ../../../banners/hacktricks-training.md}}
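Review bot: In the new file `src/pentesting-cloud/azure-security/az-post-exploitation/az-virtual-desktop-post-exploitation.md` (hunk `@@ -0,0 +1,24 @@`) the page title `# Az - VMs & Network Post Exploitation` is a copy-paste leftover; it should read `# Az - Virtual Desktop Post Exploitation` to match the SUMMARY entry added in the same patch. Also, the first bullet (`Overwrite a **MSIX package from the storage account** to get RCE in any VM using that app.`) describes write access to the file share that hosts the App Attach packages, so a `{{#ref}}` to the existing `az-file-share-post-exploitation.md` page would help readers find the storage-side steps; and the `configure a script to be executed` bullet would be clearer if it named where that script is set (the session host configuration of the pool, as described in the `az-virtual-desktop.md` changes).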
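Review bot: In `az-virtual-desktop-privesc.md` hunk `@@ -11,9 +18,13 @@`, the added closing sentence (`Note that in order for a user to be able to access a Desktop or an app, he also needs the role Virtual Machine User Login or Virtual Machine Administrator Login over the VM.`) only holds for Microsoft Entra joined session hosts; on AD DS / Entra Domain Services joined hosts the `Desktop Virtualization User` assignment on the application group plus a domain account is enough, so the sentence should be qualified. Two smaller points: the heading lists `Microsoft.Authorization/roleAssignments/read`, but the `az rest --method PUT` that follows only needs the `write` action (read is for enumerating existing assignments), and since the `az vm user update` block was moved out of this page, a `{{#ref}}` to `az-virtual-machines-and-network-privesc.md` would keep the VM credential-reset path discoverable from here.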
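Review bot: In `az-virtual-machines-and-network-privesc.md` hunk `@@ -375,6 +378,18 @@`, the sentence `These permissions allow to change the virtual machine user and password to access it:` should read `allow you to change`, and it would help to say why `Microsoft.Compute/virtualMachines/extensions/write` is in the heading: `az vm user update` is implemented through the VMAccess extension, which on Windows creates or resets a local Administrator account and leaves a visible extension on the VM, so this is both a privesc to local admin on the (session) host and a noisy operation worth a detection caveat. It also only works while the VM is running and its agent is healthy.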
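Review bot: In `az-virtual-desktop.md` hunk `@@ -9,57 +9,101 @@`, the `# List user sessions` command has a typo in the URL (`https://management.azure.com/ssubscriptions/{subscriptionId}/...`, double `s`), so it returns a 404 as written; fix to `/subscriptions/`. In the same block `# Check if Desktops are enabled` and `# List Desktops` call the identical `/desktops` endpoint, so one of them can be dropped. In the prose, the `Virtual Machine User Login` / `Virtual Machine Administrator Login` requirement applies only to Microsoft Entra joined session hosts and should say so; the managed identity sentence (`It’s not possible to assign managed identities to host pools so the created VMs inside a pool will have them.`) reads as if inheritance works, where the intended meaning seems to be that pool-level assignment does not exist and identities must be set per VM; and minor typos: `FSlogix` -> `FSLogix`, `using a registration keys` -> `using a registration key`, `form the web` -> `from the web`, `When a user access his account` -> `When a user accesses their account`.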
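Review bot: In `az-virtual-desktop.md` hunk `@@ -69,37 +113,29 @@`, removing the `### Connection` section drops `https://client.wvd.microsoft.com/arm/webclient/`, which is still the browser entry point for Azure Virtual Desktop; the only connection URL left on the page after this patch is the `windows365.microsoft.com` one in the previous hunk, which is the Windows App / Windows 365 portal, so consider keeping the web client URL alongside it. The hunk also deletes `# List userSessions By Host Pool` (the hostpool-level `/userSessions` endpoint, which lists every session in the pool in one call instead of per session host) and `# List start menu items in the given application group`; both are useful for enumeration and there is no replacement in the new block, so unless the removal was intentional they should be restored.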